
Public and Private Medical Research Community Targeted by China-Nexus Threat Actor UNC6508
Indicators of Compromise
No domains found for this campaign
APT Groups
UNC6508 is a People’s Republic of China (PRC) nexus cyber espionage threat actor. The group has been active since at least September 2023 and remained undetected for over a year in multiple victim environments. UNC6508 targets academic, medical, and military research institutions in North America to steal sensitive data related to national security, defense technologies, artificial intelligence, and medical research.

Key Characteristics
- Heavy focus on compromising REDCap (Research Electronic Data Capture) servers, a platform widely used in medical and academic research.
- Deployment of custom malware called INFINITERED, which acts as a recursive dropper and credential harvester.
- Stealthy post-compromise operations: internal reconnaissance, privilege escalation, and covert data exfiltration.
- Use of enterprise administrative tools and custom rules (e.g., email forwarding rules named “Patroit”) for long-term data collection.
- Broad collection priorities aligned with PRC strategic interests: defense intelligence, Indo-Pacific operations, AI, uncrewed systems, and cyber capabilities.
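The email forwarding rules described above are the kind of change a mailbox audit log records at creation time. The script below is an added example, not tooling from the report or from any vendor: it reads Microsoft 365 Unified Audit Log records (one JSON object per line) and flags any inbox rule or mailbox setting that forwards or redirects mail to an address outside the organisation. The log lines, the internal domain `research.example.edu`, the recipient addresses and the function names are constructed for this example; the rule name “Patroit” is taken from the description above, and the cmdlet and parameter names (New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox, ForwardTo, ForwardAsAttachmentTo, RedirectTo, ForwardingSmtpAddress) follow the Exchange Online audit schema.

```python
"""Flag mailbox forwarding rules that send mail outside the organisation.

Input: Microsoft 365 Unified Audit Log records, one JSON object per line,
for Exchange cmdlets that create or change inbox rules or mailbox forwarding.
The records in SAMPLE_LOG are constructed for this example; the field names
(Operation, UserId, Parameters[{Name, Value}]) follow the Exchange Online
audit schema.
"""
import json
import re

# Assumption: the organisation's own mail domains. Anything else is external.
INTERNAL_DOMAINS = {"research.example.edu"}

# Cmdlets whose parameters can set up forwarding or redirection.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
MAILBOX_OPERATIONS = {"Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def extract_addresses(value):
    """Pull SMTP addresses out of a parameter value. Values may carry an
    'smtp:' prefix or hold several semicolon-separated recipients."""
    return {m.lower() for m in ADDRESS_RE.findall(value)}


def external_targets(record):
    """Return the set of external addresses a record forwards or redirects to."""
    if record.get("Operation", "") not in RULE_OPERATIONS | MAILBOX_OPERATIONS:
        return set()
    targets = set()
    for param in record.get("Parameters", []):
        if param.get("Name") in FORWARDING_PARAMS:
            for addr in extract_addresses(str(param.get("Value", ""))):
                if addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
                    targets.add(addr)
    return targets


def subject(record):
    """The rule name (inbox rules) or mailbox identity (Set-Mailbox), if present."""
    for param in record.get("Parameters", []):
        if param.get("Name") in ("Name", "Identity"):
            return param.get("Value")
    return None


def find_external_forwarding(lines):
    """Scan audit log lines; return one finding per record with external targets."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        targets = external_targets(rec)
        if targets:
            findings.append({
                "time": rec.get("CreationTime"),
                "user": rec.get("UserId"),
                "operation": rec.get("Operation"),
                "rule_or_mailbox": subject(rec),
                "targets": sorted(targets),
            })
    return findings


# Constructed sample: two inbox rules, one mailbox-level forward, one unrelated event.
SAMPLE_LOG = """
{"CreationTime":"2024-03-02T08:14:11","Operation":"New-InboxRule","UserId":"alice@research.example.edu","Parameters":[{"Name":"Name","Value":"Patroit"},{"Name":"ForwardTo","Value":"collector@mail-relay.example.net"}]}
{"CreationTime":"2024-03-02T09:02:45","Operation":"New-InboxRule","UserId":"bob@research.example.edu","Parameters":[{"Name":"Name","Value":"Grants"},{"Name":"ForwardTo","Value":"grants-office@research.example.edu"}]}
{"CreationTime":"2024-03-03T17:40:09","Operation":"Set-Mailbox","UserId":"admin@research.example.edu","Parameters":[{"Name":"Identity","Value":"carol@research.example.edu"},{"Name":"ForwardingSmtpAddress","Value":"smtp:archive@example.org"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2024-03-04T10:00:00","Operation":"MailItemsAccessed","UserId":"alice@research.example.edu","Parameters":[]}
"""

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_LOG.splitlines()):
        print(finding)
```

The check deliberately keys on the destination rather than the rule name: a name like “Patroit” is only useful once it is known, while forwarding to a domain the organisation does not own is anomalous regardless of what the rule is called. Mailbox-level forwarding set through Set-Mailbox is included because it does not appear as an inbox rule at all.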
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION/DETECTION (MITRE ATT&CK)
The table below maps each observed technique to its MITRE ATT&CK Detection Strategy. Each DET code links to the corresponding detection strategy page on the MITRE ATT&CK site.
| Tactic | Technique (MITRE ATT&CK) | Detection Strategy |
|---|---|---|
| Initial Access | T1190 — Exploit Public-Facing Application | |
| Persistence | T1505.003 — Server Software Component: Web Shell | |
| Persistence | T1554 — Compromise Host Software Binary | |
| Credential Access | T1056.003 — Input Capture: Web Portal Capture | |
| Privilege Escalation | T1078 — Valid Accounts | |
| Collection / Exfiltration | T1114.003 — Email Collection: Email Forwarding Rule | |
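Two of the persistence techniques in the table, a web shell (T1505.003) and a tampered application component (T1554), both leave a footprint on the web server's file system, and a hash baseline catches that footprint even when the injected code matches no signature. The script below is an added example, not part of the report, of REDCap, or of MITRE's detection strategies: it builds a constructed stand-in for a PHP web root in a temporary directory, records a baseline, simulates both kinds of tampering, and reports what the hash comparison and a pattern scan each find. The file names, the baseline format and the indicator patterns are this example's own choices.

```python
"""Compare a web application directory against a known-good hash baseline and
flag new or altered server-side files, then pattern-scan only those files.

Added example. The web root, its files and the tampering in demo() are all
constructed; the indicator patterns are illustrative, not a complete signature set.
"""
import hashlib
import os
import re
import tempfile

WATCHED_EXT = {".php", ".inc", ".phtml"}

# Constructs that are rare in application code but common in web shells:
# executing decoded or request-supplied input, and calling request values as code.
SHELL_INDICATORS = [
    re.compile(rb"\b(?:eval|assert|system|passthru|shell_exec|exec)\s*\(\s*"
               rb"(?:base64_decode|gzinflate|str_rot13|\$_(?:GET|POST|REQUEST|COOKIE))"),
    re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\("),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 for every watched file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WATCHED_EXT:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = sha256_file(full)
    return result


def diff_against_baseline(root, baseline):
    """Added, removed and modified watched files relative to a saved snapshot."""
    current = snapshot(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def scan_for_indicators(root, rel_paths):
    """Return {relative path: [matched patterns]} for files hitting any indicator."""
    hits = {}
    for rel in rel_paths:
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        matched = [p.pattern.decode() for p in SHELL_INDICATORS if p.search(data)]
        if matched:
            hits[rel] = matched
    return hits


def demo():
    """Constructed scenario: clean deployment, baseline, then two kinds of tampering."""
    root = tempfile.mkdtemp()

    def write(rel, text, mode="w"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, mode) as f:
            f.write(text)

    # Constructed stand-in for an application's web root.
    write("index.php", "<?php require 'includes/auth.inc'; echo 'ok';\n")
    write("includes/auth.inc", "<?php function check_login($u, $p) { return verify($u, $p); }\n")
    write("includes/config.inc", "<?php $db_host = 'localhost';\n")
    baseline = snapshot(root)

    # Tampering 1: a credential-logging line spliced into an existing component
    # (no shell-like construct, so only the hash comparison will notice it).
    write("includes/auth.inc",
          "file_put_contents('/tmp/.l', $_POST['password'] . \"\\n\", FILE_APPEND);\n",
          mode="a")
    # Tampering 2: a new file in a writable directory that executes attacker input.
    write("uploads/.cache.php", "<?php @eval(base64_decode($_POST['k']));\n")

    changes = diff_against_baseline(root, baseline)
    suspicious = changes["added"] + changes["modified"]
    return {"changes": changes, "indicators": scan_for_indicators(root, suspicious)}


if __name__ == "__main__":
    result = demo()
    print("changes:", result["changes"])
    print("indicator hits:", result["indicators"])
```

The point the scenario makes is that the pattern scan alone would miss the altered `auth.inc`: a harvesting line spliced into legitimate code looks like legitimate code. The baseline must be taken from a known-good deployment (ideally from the installation package rather than the live server), stored off-host, and re-checked after every legitimate upgrade so that expected changes do not drown real ones.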