China-Nexus Espionage: UNC6508 Strikes North America

UNC6508: China-Nexus Espionage via REDCap & INFINITERED | Attack Report TA2026170
HiveForce Labs  ·  Threat Advisory  ·  Attack Report  


UNC6508, a PRC-nexus espionage actor, compromised externally facing REDCap research servers and deployed bespoke malware INFINITERED to harvest legitimate login credentials. After dwelling undetected for more than a year, the actor replayed harvested credentials to reach a domain administrator account, then abused Google Workspace content compliance rules to silently BCC-forward sensitive research and defense email to an actor-controlled mailbox — leaving no malware on the mail server and generating no anomalous network traffic. Activity spanned September 2023 through November 2025.

⚠ THREAT LEVEL: RED  ·  ACTOR: UNC6508 (PRC-nexus)  ·  MALWARE: INFINITERED  ·  TARGET: REDCap servers · Google Workspace  ·  SECTORS: Medical/Clinical Research · Academic · Military Health · Defense  ·  DWELL TIME: 14+ months  ·  EXFIL: Google Workspace BCC compliance rule — no malware on mail server
⚠ Threat Level: Red  ·  UNC6508 · PRC-Nexus  ·  INFINITERED Malware  ·  REDCap Credential Harvesting  ·  Google Workspace BCC Abuse  ·  14+ Month Dwell Time  ·  North America · Medical & Defense Research  ·  Published: June 17, 2026
TA Number: TA2026170
Threat Actor: UNC6508
Threat Level: Red
Origin: PRC-nexus
Malware: INFINITERED
Target Region: North America
Active Period: Sep 2023 – Nov 2025
Dwell Time: 14+ months
Admiralty Code: A1

01 — Overview

Summary

UNC6508 is a People's Republic of China (PRC)-nexus espionage actor that targeted North American medical research, academic, military health, health regulatory, and defense organizations between September 2023 and November 2025. The actor's primary targets were externally facing REDCap (Research Electronic Data Capture) servers — the web platform hospitals and universities use to build and manage clinical research databases and surveys.

The attack chain begins with exploitation of vulnerable REDCap instances, followed by deployment of INFINITERED — a bespoke, REDCap-specific implant that trojanizes the server's own system files to harvest credentials and persist through software upgrades. After dwelling for more than a year, UNC6508 replayed harvested credentials to pivot laterally to a domain administrator account, then created a Google Workspace content compliance rule to silently BCC-forward matching email to an attacker-controlled mailbox. The technique abused a legitimate admin feature, producing no mail-server malware, no separate exfiltration tool, and no anomalous network traffic — making detection extremely difficult.


02 — Technical Analysis

Attack Details

Five stages cover the UNC6508 intrusion chain: REDCap initial access, INFINITERED deployment, backdoor capabilities, credential replay and lateral movement, and Google Workspace mail exfiltration.

#1
Initial Access — Externally Facing REDCap Server Exploitation
UNC6508 gained its foothold by probing externally facing REDCap servers for older, vulnerable releases. The actor's interest in legacy versions running alongside current builds points to an exploitation strategy targeting version coexistence — a configuration that enables downgrade attacks against known-vulnerable releases. In the primary investigated intrusion, initial compromise of the medical research organization dated to September 2023, roughly three months before INFINITERED was deployed.
#2
INFINITERED — REDCap-Specific Implant with Upgrade Interception and Credential Harvesting
Three months after initial access, UNC6508 deployed INFINITERED, a custom payload built specifically for REDCap that hides itself by trojanizing the server's own system files. The malware has two key passive components: a persistence and update-interception module that hijacks the REDCap upgrade process so each new version reinjects the malicious code rather than clearing it; and a credential harvester that captures usernames and passwords submitted through REDCap login pages and stores them, encrypted, in local REDCap database tables for later retrieval.
#3
INFINITERED Backdoor — HTTP Cookie C2, Shell Commands, SQL Execution
INFINITERED's backdoor component receives commands embedded in HTTP cookies and executes them on every REDCap page load. Operator capabilities include: running shell commands; uploading and downloading files; executing arbitrary SQL queries; retrieving and deleting stored credential records; and returning system and database information. INFINITERED is characterized across reporting as providing dropper, upgrade-interception, credential-harvesting, backdoor, and command-and-control capabilities in a single REDCap-native implant.
#4
Credential Replay and Lateral Movement — REDCap to Domain Administrator
With the backdoor established, UNC6508 conducted internal reconnaissance and credential discovery, pulling database and service-account credentials from the compromised REDCap environment. The actor reused those valid logins to move laterally from the REDCap server into the internal network, ultimately reaching and compromising a domain administrator account — establishing the elevated access needed for the final exfiltration phase.
#5
Google Workspace BCC Exfiltration — Compliance Rule "Patroit," ~150 Keywords, No Malware
Holding domain administrator access, UNC6508 created a Google Workspace content compliance rule — a legitimate admin feature that scans outgoing mail for keywords and can copy or forward matching messages — with the misspelled name "Patroit." The rule monitored nearly 150 keywords, search terms, content patterns, email addresses, and phone numbers tied to sensitive research and defense topics, and silently BCC'd any matching message to an actor-controlled address. The technique left no malware on the mail server, required no separate exfiltration tool, and generated no anomalous network traffic.
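The cookie-borne command channel in stage #3 can be hunted for in web-server or reverse-proxy logs that record the Cookie header. The Python below is an added example, not code from the report: it checks each logged request's cookies for the report's GUID-delimiter and session-ID-prefix IoCs and the client address against the reported IPv4. It assumes the log format shown (constructed) and that these markers appear inside cookie values, which the report does not state explicitly.

```python
"""Hunt REDCap web logs for INFINITERED command-channel markers (added example)."""
import re

# IoCs as published in the report
GUID_DELIMITER = "b49e334d-9c01-463e-9bc5-00a6920fb66e"
SESSION_ID_PREFIX = "xc32038474a"
IOC_IPV4 = {"23.169.65.49"}

# Constructed log lines in an assumed format: client_ip "request" status "Cookie header"
SAMPLE_LOG = [
    '198.51.100.7 "GET /redcap/index.php HTTP/1.1" 200 "PHPSESSID=4f1c9e; redcap_csrf_token=ab12"',
    '203.0.113.9 "GET /redcap/ProjectSetup/index.php HTTP/1.1" 200 "PHPSESSID=xc32038474a7d3e; x=AAAAb49e334d-9c01-463e-9bc5-00a6920fb66eBBBB"',
    '23.169.65.49 "POST /redcap/index.php HTTP/1.1" 200 "PHPSESSID=91ab"',
]
LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$')


def parse_cookies(header: str) -> dict:
    """Split a raw Cookie header into {name: value}; parts without '=' are skipped."""
    pairs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs[name] = value
    return pairs


def scan_line(line: str) -> list:
    """Return (ip, field, reason) findings for one log line; [] if clean or unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return []
    ip, findings = m.group("ip"), []
    if ip in IOC_IPV4:
        findings.append((ip, "source_ip", "matches reported UNC6508 IPv4"))
    for name, value in parse_cookies(m.group("cookie")).items():
        if value.startswith(SESSION_ID_PREFIX):
            findings.append((ip, name, "cookie value starts with reported session-ID prefix"))
        if GUID_DELIMITER in value:
            findings.append((ip, name, "cookie value contains reported GUID delimiter"))
    return findings


def scan_log(lines) -> list:
    """Scan many lines; any hit should be correlated with REDCap file-integrity checks."""
    return [f for line in lines for f in scan_line(line)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit, sep=" | ")
```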

03 — Mitigations

Recommendations

01
Patch and Decommission Legacy REDCap Instances
Upgrade all externally facing REDCap servers to the latest available version and fully remove older versions rather than running them side-by-side. Version coexistence is the direct enabler of downgrade attacks against known-vulnerable REDCap releases — eliminating legacy instances removes this attack surface entirely.
02
Audit Mail Content-Compliance and Forwarding Rules — Check Change History
Review Google Workspace (or equivalent cloud mail) content compliance, routing, and forwarding rules for any rule that BCCs or reroutes mail to external addresses. Critically, check admin audit logs for when rules were changed — not just what they say now. The "Patroit" rule would not be visible in a spot audit without reviewing creation history. Alert on any new or modified compliance rule created by an account that did not historically manage mail routing.
03
Inspect REDCap Databases for Staged Credentials
Examine local REDCap database tables for encrypted credential stores planted by the INFINITERED harvester and purge any malicious records discovered. Audit REDCap system files for unexpected modifications consistent with trojanization, and validate the integrity of REDCap installation files against known-good checksums from official releases.
04
Adopt Device-Bound Session Credentials (DBSC)
Deploy Device Bound Session Credentials to prevent session hijacking and frustrate the credential-replay lateral movement technique central to this campaign. DBSC prevents replayed credentials from succeeding on a different device, directly breaking the path UNC6508 used to move from the REDCap server to the internal network and domain administrator account.
05
Reset All Credentials Reachable from Compromised REDCap Hosts
Rotate database, service-account, and administrator credentials reachable from any compromised REDCap host. Review directory services for unauthorized or anomalous domain administrator accounts created by the actor. Treat any account that authenticated from a compromised REDCap host as potentially replayed and requiring immediate credential rotation.
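Recommendation 02 asks for a review of rule change history rather than a snapshot of current rules. The Python below is an added example, not code from the report or from Google: it walks a list of admin-audit events and flags content-compliance or routing rule changes made by an account outside an assumed baseline of mail-rule admins, or that copy mail to a recipient outside the organisation's domain. The event schema, organisation domain, baseline and sample events are constructed simplifications, not the Reports API format.

```python
"""Flag Google Workspace mail-rule changes that warrant review (added example)."""
import json

ORG_DOMAIN = "example-research.org"  # assumed organisation domain
# Assumed baseline: accounts that historically managed mail routing/compliance rules.
MAIL_ROUTING_ADMINS = {"mailadmin@example-research.org"}
MAIL_RULE_SETTINGS = {"content_compliance", "routing"}

# Constructed admin-audit events in a simplified schema (not the real Reports API format).
SAMPLE_EVENTS = [
    {"ts": "2025-03-02T09:14:00Z", "actor": "mailadmin@example-research.org",
     "event": "CHANGE_GMAIL_SETTING", "setting": "content_compliance",
     "rule_name": "DLP - SSN outbound", "bcc_to": []},
    {"ts": "2025-09-18T02:41:07Z", "actor": "da-svc@example-research.org",
     "event": "CREATE_GMAIL_SETTING", "setting": "content_compliance",
     "rule_name": "Patroit", "bcc_to": ["drop-box@external.example"]},
    {"ts": "2025-09-19T10:00:00Z", "actor": "mailadmin@example-research.org",
     "event": "CHANGE_GMAIL_SETTING", "setting": "routing",
     "rule_name": "Legal hold copy", "bcc_to": ["legal@example-research.org"]},
    {"ts": "2025-09-20T11:00:00Z", "actor": "mailadmin@example-research.org",
     "event": "CHANGE_USER_SETTING", "setting": "signature", "rule_name": "", "bcc_to": []},
]


def is_external(addr: str, org_domain: str = ORG_DOMAIN) -> bool:
    """True when the address's domain is not the organisation's own domain."""
    return addr.rsplit("@", 1)[-1].lower() != org_domain.lower()


def audit_mail_rules(events, baseline=MAIL_ROUTING_ADMINS, org_domain=ORG_DOMAIN):
    """One finding per rule create/modify event that breaks a baseline expectation."""
    findings = []
    for ev in events:
        if ev.get("setting") not in MAIL_RULE_SETTINGS:
            continue  # unrelated setting change, e.g. a user signature
        reasons = []
        if ev["actor"] not in baseline:
            reasons.append("actor has no history of managing mail rules")
        external = [a for a in ev.get("bcc_to", []) if is_external(a, org_domain)]
        if external:
            reasons.append("copies mail to external recipient(s): " + ", ".join(external))
        if reasons:
            findings.append({"ts": ev["ts"], "actor": ev["actor"], "rule": ev["rule_name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_mail_rules(SAMPLE_EVENTS), indent=2))
```

Feeding real events requires mapping the tenant's admin audit export onto the `actor`, `setting`, `rule_name` and `bcc_to` fields used here.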

04 — Threat Intelligence

Indicators of Compromise (IoCs)

Type: Value
GUID Delimiter: b49e334d-9c01-463e-9bc5-00a6920fb66e
Session ID Prefix: xc32038474a
Email (defanged): BebitaBarefoot774[@]gmail[.]com
IPv4: 23[.]169[.]65[.]49
SHA256: file hashes (seven samples)
Mail Rule Name: Patroit (misspelled — Google Workspace content compliance rule used for BCC exfiltration)

05 — MITRE ATT&CK Framework

MITRE ATT&CK TTPs

Tactic | Technique | Sub-technique & Notes
Initial Access | T1190 Exploit Public-Facing Application | externally facing REDCap servers probed for vulnerable legacy versions; downgrade attacks against older releases running alongside current builds
Execution | T1059 Command and Scripting Interpreter | INFINITERED backdoor executes shell commands received via HTTP cookie C2 on every REDCap page load
Persistence | T1505 Server Software Component | T1505.003 Web Shell — INFINITERED trojanizes REDCap system files; upgrade-interception module reinjects malicious code into each new REDCap version rather than being cleared
Persistence | T1554 Compromise Host Software Binary | INFINITERED hijacks the REDCap upgrade process so software updates preserve and reinject the implant
Credential Access | T1056 Input Capture | T1056.003 Web Portal Capture — INFINITERED credential harvester captures usernames and passwords submitted via REDCap login pages; stores encrypted records in local database tables
Discovery | T1087 Account Discovery | database and service-account credentials pulled from the compromised REDCap environment to identify targets for lateral movement
Lateral Movement | T1021 Remote Services | harvested credentials replayed to move from the REDCap server into the internal network, ultimately reaching a domain administrator account
Privilege Escalation | T1078 Valid Accounts | harvested and replayed credentials used to authenticate as domain administrator without brute force or exploitation
Collection | T1074 Data Staged | T1074.001 Local Data Staging — harvested credentials stored encrypted in local REDCap database tables pending retrieval via backdoor
Collection | T1114 Email Collection | T1114.003 Email Forwarding Rule — Google Workspace content compliance rule "Patroit" silently BCC'd ~150-keyword-matched research and defense email to an actor-controlled mailbox
Collection | T1213 Data from Information Repositories | REDCap clinical research databases and SQL-accessible data collected via the INFINITERED backdoor's arbitrary SQL query capability
Command and Control | T1071 Application Layer Protocol | T1071.001 Web Protocols — INFINITERED backdoor receives commands embedded in HTTP cookies on every REDCap page load; blends with legitimate web traffic
Command and Control | T1090 Proxy | T1090.002 External Proxy — actor-controlled infrastructure used as proxy for C2 communications
Exfiltration | T1567 Exfiltration Over Web Service | matching email silently BCC'd to attacker Gmail address via Google Workspace compliance rule; no anomalous network traffic generated
Defense Evasion | T1027 Obfuscated Files or Information | INFINITERED stores harvested credentials encrypted in REDCap database tables; payload obfuscated within legitimate REDCap system files

06 — Sources

References