Google is warning of a cyber espionage campaign linked to a China-nexus threat actor, UNC6508, that kept close tabs on valuable US and Canadian research environments for over a year.
The campaign abused REDCap, a widely adopted platform for collecting and managing research data. The attackers, since disrupted, intercepted REDCap’s upgrade process to inject malware that gave them persistence.
According to Google’s Threat Intelligence Group (GTIG), the campaign was particularly interested in academic institutions, medical research centers, healthcare providers, military health networks, and defense-focused research programs.
Google said UNC6508 historically infected the legacy REDCap versions, and the observed campaign was just building on that initial compromise to push code for persistence.
“GTIG was not able to confirm how UNC6508 initially gained access to the REDCap server,” GTIG researchers said in a blog post. “By design, REDCap allows administrators to continue running legacy software side-by-side with the current version. UNC6508 was observed probing for these vulnerable legacy versions on several target organizations’ REDCap systems.”
The state-sponsored group was after a wide range of sensitive research and defense-related information, spanning national security, AI, cyber operations, and medical research.
Research platform became the front door
Other than persistence, the campaign supported credential discovery, internal reconnaissance, and post-compromise operations.
UNC6508 used a payload tracked as INFINITERED, a modular malware family designed to trojanize legitimate REDCap system files. The malware has three dedicated components: a dropper and upgrade interceptor, a credential harvester, and a backdoor with command and control (C2).
The upgrade interception module reads the legacy REDCap version that remains accessible on some current deployments and was already infected with malicious logic through an unknown initial access, extracts that malicious logic, and injects it into the upgrade system file.
In parallel, the other two modules inject credential harvester code into the authentication system file and backdoor code into the custom hooks configuration file, respectively.
“Upon establishing a foothold on the REDCap server, UNC6508 performed internal reconnaissance and credential discovery to obtain database and service account credentials,” GTIG researchers said in a blog post. “The threat actor also deployed a web shell named ‘help.php’, which maintained persistence and functioned as an uploader in the REDCap application.”
The backdoor supports a range of remote commands that allow operators to manage files, execute shell commands, gather system information, and maintain control over compromised REDCap servers, providing UNC6508 with a rich post-compromise toolkit.
REDCap’s maintainers did not respond to CSO’s request for comments.
Hunting for and removing INFINITERED
Because INFINITERED embeds itself into REDCap’s upgrade workflow and modifies legitimate application files, organizations are encouraged to inspect REDCap environments for unauthorized file modifications, unexpected web shells, and signs of credential harvesting activity, using the YARA rule GTIG provided.
Google also recommends upgrading vulnerable REDCap deployments, reviewing legacy versions that remain accessible alongside current installations, and validating the integrity of application files before and after upgrades. Enforcing phishing-resistant 2-step verification, device-bound session credentials, and relevant DLP rules was also recommended for tighter controls.
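The "validate integrity before and after upgrades" advice above, as an added example that is not from the article, GTIG, or the REDCap project: a baseline-and-compare check that hashes a web root before an upgrade, rehashes it afterwards, and flags changes that match the behaviour the article describes (a file named help.php appearing, or files in upgrade, authentication or hook roles changing). The directory layout, file names other than help.php, and the role keywords are constructed assumptions; real REDCap installs have different file names, and a legitimate upgrade will also change files, so the diff is a review queue, not a verdict.

```python
import hashlib
import tempfile
from pathlib import Path

# Attacker file name reported in the article; the hints name the file roles INFINITERED modifies.
KNOWN_WEB_SHELLS = {"help.php"}
SENSITIVE_HINTS = ("upgrade", "auth", "hook")

def hash_tree(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between the pre-upgrade baseline and the post-upgrade tree."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in common if baseline[p] != current[p])}

def triage(diff: dict[str, list[str]]) -> list[str]:
    """Flag changes matching the campaign's reported behaviour; review the rest manually."""
    findings = []
    for rel in diff["added"]:
        if Path(rel).name in KNOWN_WEB_SHELLS:
            findings.append(f"web shell name added: {rel}")
    for rel in diff["modified"]:
        if any(hint in rel.lower() for hint in SENSITIVE_HINTS):
            findings.append(f"sensitive file modified: {rel}")
    return findings

def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Constructed sample: snapshot a fake web root, 'upgrade' it, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hooks").mkdir()  # constructed layout, not REDCap's real file names
        (root / "index.php").write_text("<?php // original\n")
        (root / "hooks" / "config.php").write_text("<?php // hooks\n")
        baseline = hash_tree(root)
        # Post-upgrade state: one legitimate change plus two attacker-style edits.
        (root / "index.php").write_text("<?php // new release\n")
        (root / "hooks" / "config.php").write_text("<?php // hooks + injected\n")
        (root / "help.php").write_text("<?php // dropped file\n")
        diff = compare(baseline, hash_tree(root))
        return diff, triage(diff)
```

In production, store the baseline digests off-host (the article notes the malware modifies files on the server itself) and compare the post-upgrade tree against both the baseline and the vendor's release contents.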
Google said it notified several organizations across the US and Canada that it believes were compromised with INFINITERED, and offered remediation assistance.