SOC Incident Toolkit
Public and Private Medical Research Community Targeted by China-Nexus Threat Actor UNC6508

Tags: UNC6508, INFINITERED, REDCap, Cyber Espionage, Email Exfiltration

UNC6508, a People's Republic of China (PRC)-nexus espionage cluster, compromised externally facing REDCap (Research Electronic Data Capture) servers at multiple U.S. and Canadian medical, academic, and military research organizations and deployed the custom INFINITERED malware to harvest legitimate login credentials. After remaining undetected for more than a year, the actor pivoted to a domain administrator account and abused a Google Workspace domain content compliance rule to silently BCC matching emails to an attacker-controlled mailbox, exfiltrating research on medical, artificial intelligence, defense, and geo-strategic topics.

Indicators of Compromise

Hashes (7)


IPv4 (1)

23.169.65.49

APT Groups

UNC6508

CN

Notes

CONCLUSION

The UNC6508 campaign shows how a built-in cloud productivity feature can be turned into a low-noise exfiltration channel once an adversary holds administrative access: no malware touches the mail server and little anomalous network traffic is produced, because the mail platform itself delivers the extra copies. Organizations in the medical, academic, and defense research sectors should treat externally facing research platforms such as REDCap, and the administrative mail rules of their productivity suite, as high-value monitoring targets. SOCRadar customers can operationalize this intelligence through IOC Radar (https://socradar.io/products/ioc-radar/) to track and enrich the indicators, Cyber Threat Intelligence (https://socradar.io/products/cyber-threat-intelligence/) for actor and campaign context, Attack Surface Management (https://socradar.io/products/attack-surface-management/) to identify exposed REDCap and other internet-facing assets, and Dark Web Monitoring (https://socradar.io/products/dark-web-monitoring/) to detect leaked credentials that could enable similar valid-account abuse.
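The BCC-by-compliance-rule channel described above leaves its clearest trace in the admin audit trail, not on the wire. The following is an added detection example, not code from this page or from Google: it scans constructed, simplified admin audit records (the event and setting names, field layout, ORG_DOMAINS and the sample log are all assumptions, not a real export format) for content compliance rule changes whose actions copy mail to a domain the organization does not own, rating a silent BCC highest.

```python
"""Detect Google Workspace content compliance rule changes that copy mail externally.
Added example (not from the SOCRadar page or Google). Field names below are an assumed,
simplified rendering of Admin audit log events; constructed sample data, not a real export."""
import json

# Assumed: domains the organization legitimately owns; any other domain is external.
ORG_DOMAINS = {"example-research.edu"}

# Rule actions that copy or redirect a message (assumed action vocabulary).
COPY_ACTIONS = {"bcc", "add_recipient", "change_route"}

# Constructed sample events in JSON Lines form (not real logs).
SAMPLE_LOG = """\
{"time":"2025-03-02T09:14:00Z","actor":"it-admin@example-research.edu","ip":"192.0.2.10","event":"CHANGE_GMAIL_SETTING","setting":"CONTENT_COMPLIANCE","rule":"Archive grants mail","actions":["add_recipient:grants-archive@example-research.edu"]}
{"time":"2025-03-05T03:22:11Z","actor":"dom-admin@example-research.edu","ip":"203.0.113.77","event":"CHANGE_GMAIL_SETTING","setting":"CONTENT_COMPLIANCE","rule":"compliance-1","actions":["bcc:collector@attacker.example"]}
{"time":"2025-03-06T11:00:00Z","actor":"it-admin@example-research.edu","ip":"192.0.2.10","event":"CHANGE_GMAIL_SETTING","setting":"CONTENT_COMPLIANCE","rule":"Quarantine PHI","actions":["quarantine"]}
"""


def parse_events(text):
    """Parse JSON Lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def external_copies(actions):
    """Return (action, address) pairs that copy mail to a non-organization domain."""
    found = []
    for action in actions:
        kind, _, target = action.partition(":")
        if kind not in COPY_ACTIONS or "@" not in target:
            continue
        domain = target.rsplit("@", 1)[1].lower()
        if domain not in ORG_DOMAINS:
            found.append((kind, target))
    return found


def find_suspicious_rules(events):
    """Flag content compliance rule changes that copy mail outside the organization."""
    findings = []
    for ev in events:
        if ev.get("event") != "CHANGE_GMAIL_SETTING" or ev.get("setting") != "CONTENT_COMPLIANCE":
            continue
        copies = external_copies(ev.get("actions", []))
        if not copies:
            continue
        # A BCC is silent: neither sender nor recipient sees the extra copy, so rate it high.
        severity = "high" if any(kind == "bcc" for kind, _ in copies) else "medium"
        findings.append({"time": ev.get("time"), "actor": ev.get("actor"), "ip": ev.get("ip"),
                         "rule": ev.get("rule"), "recipients": [t for _, t in copies],
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(parse_events(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['time']} {f['actor']} from {f['ip']} rule={f['rule']!r} -> {f['recipients']}")
```

Only the second sample record is reported; the internal archive copy and the quarantine rule pass, which is the distinction an analyst needs to avoid alerting on every legitimate compliance rule.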

Mitigation

MITIGATION (MITRE ATT&CK)

The mappings below reflect the techniques observed across the UNC6508 intrusion chain with their corresponding MITRE ATT&CK mitigations. Technique pages are at https://attack.mitre.org/techniques/<ID>/ (sub-techniques such as T1114.003 at https://attack.mitre.org/techniques/T1114/003/) and mitigation pages at https://attack.mitre.org/mitigations/<ID>.

Tactic                    | Technique (MITRE ATT&CK)                          | Mitigation
--------------------------|---------------------------------------------------|---------------------------------------
Initial Access            | T1190 Exploit Public-Facing Application           | M1051 / M1016 / M1030 / M1048 / M1050
Persistence               | T1505.003 Server Software Component: Web Shell    | M1042 / M1018
Persistence               | T1554 Compromise Host Software Binary             | M1045
Credential Access         | T1056.003 Input Capture: Web Portal Capture       | M1026
Privilege Escalation      | T1078 Valid Accounts                              | M1032 / M1026 / M1015 / M1036 / M1018
Collection / Exfiltration | T1114.003 Email Collection: Email Forwarding Rule | M1047 / M1042 / M1041 / M1060