Public and Private Medical Research Community Targeted by China-Nexus Threat Actor UNC6508

Tags: UNC6508, INFINITERED, REDCap, Cyber Espionage, Email Exfiltration
UNC6508, a People's Republic of China (PRC)-nexus espionage cluster, compromised externally facing REDCap (Research Electronic Data Capture) servers at multiple U.S. and Canadian medical, academic, and military research organizations and deployed the custom INFINITERED malware to harvest legitimate login credentials. After remaining undetected for more than a year, the actor pivoted to a domain administrator account and abused a Google Workspace domain content compliance rule to silently BCC matching emails to an attacker-controlled mailbox, exfiltrating research on medical, artificial intelligence, defense, and geo-strategic topics.
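The mail-rule abuse described above leaves a trail in the Workspace admin audit log: a content compliance or routing rule that adds a recipient outside the organization's domains. The check below is an added example, not tooling from this campaign record or from Google. The event layout is a constructed, simplified stand-in for an audit-log export (field names `setting_type`, `action`, `recipients` are assumptions), and the sample events, including the rule name "Patroit" taken from the text, are constructed. Mail copied by a rule an unapproved account created is rated higher, since the actor here operated from a pivoted domain-administrator account.

```python
"""Flag Gmail rule changes that copy mail to an external recipient.

Added example; the event schema and sample data are constructed, not a real
Google Workspace export. Map your own export's field names onto these keys.
"""

# Constructed sample events (not real log data). Each entry stands for one
# admin-console change to a Gmail setting, flattened to the fields this
# check needs. Attacker-side domains use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"time": "2025-02-03T04:12:09Z", "actor": "it-admin@example.org",
     "setting_type": "content_compliance", "rule_name": "Archive legal",
     "action": "add_recipient", "recipients": ["legal-archive@example.org"]},
    {"time": "2025-02-03T04:13:40Z", "actor": "svc-backup@example.org",
     "setting_type": "content_compliance", "rule_name": "Patroit",
     "action": "add_recipient", "recipients": ["collect@mail-relay.invalid"]},
    {"time": "2025-02-04T11:02:00Z", "actor": "it-admin@example.org",
     "setting_type": "routing", "rule_name": "Ticket copy",
     "action": "add_recipient",
     "recipients": ["helpdesk@example.org", "copy@partner.invalid"]},
    {"time": "2025-02-05T09:00:00Z", "actor": "it-admin@example.org",
     "setting_type": "spam", "rule_name": "Bypass spam for vendor",
     "action": "update", "recipients": []},
]

# Rule types that can silently deliver a copy of matching mail elsewhere.
RULE_TYPES = {"content_compliance", "routing"}


def recipient_domain(address):
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def find_external_copies(events, trusted_domains, approved_admins):
    """Return findings for rule changes that add a recipient outside
    trusted_domains. Severity is 'high' when the change was made by an
    account not in approved_admins, otherwise 'medium'."""
    trusted = {d.lower() for d in trusted_domains}
    approved = {a.lower() for a in approved_admins}
    findings = []
    for ev in events:
        if ev["setting_type"] not in RULE_TYPES or ev["action"] != "add_recipient":
            continue
        external = [r for r in ev["recipients"] if recipient_domain(r) not in trusted]
        if not external:
            continue
        severity = "high" if ev["actor"].lower() not in approved else "medium"
        findings.append({
            "time": ev["time"],
            "actor": ev["actor"],
            "setting_type": ev["setting_type"],
            "rule_name": ev["rule_name"],
            "external_recipients": external,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    hits = find_external_copies(SAMPLE_EVENTS, ["example.org"], ["it-admin@example.org"])
    for f in hits:
        print(f"[{f['severity']}] {f['time']} {f['actor']} {f['setting_type']} "
              f"rule={f['rule_name']!r} copies mail to {', '.join(f['external_recipients'])}")
```

Run against a real export, every external copy target deserves a ticket regardless of severity: a legitimate archive or partner copy is usually known to the mail team, and anything else is a candidate for the exfiltration path this campaign used.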

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

UNC6508 (CN)

UNC6508 is a People’s Republic of China (PRC)-nexus cyber espionage threat actor. The group has been active since at least September 2023 and remained undetected for over a year in multiple victim environments. UNC6508 specializes in targeting academic, medical, and military research institutions in North America to steal sensitive data related to national security, defense technologies, artificial intelligence, and medical research.

Key Characteristics

- Heavy focus on compromising REDCap (Research Electronic Data Capture) servers, a platform widely used in medical and academic research.
- Deployment of a custom malware called INFINITERED, which acts as a recursive dropper and credential harvester.
- Stealthy post-compromise operations: internal reconnaissance, privilege escalation, and covert data exfiltration.
- Use of enterprise administrative tools and custom rules (e.g., email forwarding rules named “Patroit”) for long-term data collection.
- Broad collection priorities aligned with PRC strategic interests (defense intelligence, Indo-Pacific operations, AI, uncrewed systems, cyber capabilities).
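A credential harvester planted in a web application's own files, as described for INFINITERED on REDCap servers, shows up as a modified or newly added script under the install directory. The integrity check below is an added example, not REDCap's tooling or anything from this campaign record: it baselines SHA-256 hashes of web-facing files and reports additions, removals and changes on a later run. The directory layout and file contents in `demo()` are constructed; deploy the baseline from a known-good install, store it off the server, and compare on a schedule.

```python
"""Baseline and diff a web application's files to catch modified or added
scripts. Added example; directory layout and contents are constructed."""
import hashlib
import os
import tempfile

# File types worth baselining for a PHP web application (adjust per stack).
WEB_EXTENSIONS = (".php", ".js", ".html", ".htaccess")


def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, extensions=WEB_EXTENSIONS):
    """Map of relative path (forward slashes) -> SHA-256 for matching files under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def diff_manifest(root, baseline, extensions=WEB_EXTENSIONS):
    """Compare the current tree with a stored baseline manifest."""
    current = build_manifest(root, extensions)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def _write(root, rel, text):
    """Helper: write text to root/rel, creating parent directories."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed install tree: baseline it, then simulate a modified login
    page and a new script in a writable directory, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "app/index.php", "<?php echo 'home'; ?>\n")
        _write(root, "app/login.php", "<?php require 'auth.php'; ?>\n")
        _write(root, "app/auth.php", "<?php function check($u, $p) { return false; } ?>\n")
        baseline = build_manifest(root)
        # Constructed post-baseline changes: one existing file altered, one
        # file added, plus a non-script file that the filter should ignore.
        _write(root, "app/login.php", "<?php require 'auth.php'; /* changed */ ?>\n")
        _write(root, "app/tmp/x.php", "<?php /* constructed placeholder */ ?>\n")
        _write(root, "app/notes.txt", "not a web-facing file\n")
        return diff_manifest(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only trustworthy if it was taken before compromise and kept where a web-server account cannot rewrite it; a modified `login.php` or an unexpected script under an upload or temp directory is the signal to pull the file for analysis rather than simply restore it.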

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION/DETECTION (MITRE ATT&CK)

The table below maps each observed technique to its MITRE ATT&CK Detection Strategy. Each DET code links to the corresponding detection strategy page on the MITRE ATT&CK site.

Tactic                    | Technique (MITRE ATT&CK)                            | Detection Strategy
--------------------------|-----------------------------------------------------|-------------------
Initial Access            | T1190 — Exploit Public-Facing Application           | DET0080
Persistence               | T1505.003 — Server Software Component: Web Shell    | DET0394
Persistence               | T1554 — Compromise Host Software Binary             | DET0336
Credential Access         | T1056.003 — Input Capture: Web Portal Capture       | DET0480
Privilege Escalation      | T1078 — Valid Accounts                              | DET0560
Collection / Exfiltration | T1114.003 — Email Collection: Email Forwarding Rule | DET0576

Observed Countries (3)

CA (661)
MX (649)
US (651)