UNC6508

Summary

UNC6508 is a threat cluster tracked by Google Threat Intelligence Group (GTIG), which attributes it with high confidence to a People's Republic of China (PRC)-nexus espionage operation. Public GTIG reporting describes UNC6508 targeting North American academic, medical, military, and health-policy organizations, with collection priorities spanning medical research, artificial intelligence, uncrewed systems, offensive cyber programs, Indo-Pacific command topics, and national-defense intelligence.

The durable defender lesson is the combination of long-lived research-platform compromise and enterprise productivity-suite abuse: UNC6508 used its REDCap access to harvest credentials for more than a year, then replayed credentials that were reused across systems to obtain administrator access, and abused mail content-compliance rules for silent exfiltration.

Why this matters

  • REDCap is common in medical and scientific research environments; legacy co-installed versions and externally exposed instances create a long-lived edge foothold risk.
  • INFINITERED trojanized legitimate REDCap files, harvested credentials from login POST requests, and reinjected itself during REDCap upgrades, making normal patching insufficient if older code and compromised files remain.
  • The campaign shows a SaaS-control-plane exfiltration path: after credential replay to an administrator account, UNC6508 created a content compliance rule to silently BCC messages matching keywords and contacts to an attacker-controlled mailbox.
  • GTIG says the collection priorities aligned with PRC strategic interests and included medical research, AI, cyber, uncrewed vehicle systems, defense, and Indo-Pacific command themes.

Reported intrusion pattern

  1. UNC6508 targeted externally facing REDCap servers; GTIG could not confirm the initial access vector, but observed probing for vulnerable legacy REDCap versions.
  2. The actor used internal reconnaissance and credential discovery to obtain database and service-account credentials.
  3. A help.php web shell provided persistence and upload capability inside the REDCap application.
  4. About three months after initial compromise, UNC6508 deployed INFINITERED, a custom REDCap malware framework.
  5. INFINITERED injected a credential harvester into REDCap authentication code, storing encrypted stolen credentials in a legitimate REDCap sessions database table with a distinctive xc32038474a session-ID prefix.
  6. INFINITERED used REDCap upgrade logic to inject itself into newer REDCap versions after upgrades.
  7. A backdoor path used a REDCAP-TOKEN cookie value, decrypted through the environment's default decryption routine, to beacon system/database details or execute command tags for shell commands, SQL queries, file transfer, stolen-credential retrieval, and cleanup.
  8. More than a year after initial compromise, UNC6508 replayed overlapping credentials into an administrator account.
  9. The actor created a mail content-compliance rule named Patroit [sic] to match strategic keywords, email addresses, and phone-number patterns, silently BCC-forwarding matching messages to an attacker-controlled Gmail account.
  10. GTIG observed U.S.-based obfuscation (OBF) network IPs, including a compromised ASUS router, used for admin login and exfiltration-account access.

Defender heuristics

REDCap and research-platform triage

  • Inventory internet-facing REDCap instances, including side-by-side legacy installs that remain reachable after upgrades.
  • Compare REDCap authentication, custom-hooks, update, and plugin files against trusted release media; do not assume an upgraded version removed malicious code.
  • Hunt REDCap databases for unusual session records or prefixes, especially xc32038474a, and preserve database evidence before cleanup.
  • Review web roots for unexpected uploaders or shells such as help.php and for code that reads special cookies such as REDCAP-TOKEN.
  • Rotate database, service-account, and user credentials exposed to REDCap after compromise; overlapping credentials enabled UNC6508's later administrator access.
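The host and database checks above, as an added example that is not GTIG's or REDCap's own code. It hashes every PHP file under a web root (including side-by-side legacy installs) against the SHA-256 indicators published on this page, flags files that read the REDCAP-TOKEN cookie, embed the INFINITERED version GUID, or carry upload/eval primitives, and queries the sessions table for the xc32038474a prefix. The sessions table name (`redcap_sessions`) and `session_id` column are assumptions to verify against your schema; the web root layout and session rows are a constructed fixture built in a temporary directory and an in-memory SQLite stand-in for MySQL.

```python
import hashlib
import os
import re
import shutil
import sqlite3
import tempfile

# Public indicators from the GTIG report, as reproduced on this page.
INFINITERED_HASHES = {
    "ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7": "help.php persistence",
    "db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136": "INFINITERED credential harvester",
    "c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b": "INFINITERED credential harvester",
    "8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec": "INFINITERED backdoor",
    "51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045": "INFINITERED backdoor",
    "4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b": "INFINITERED dropper",
    "58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86": "INFINITERED dropper",
}
SESSION_PREFIX = "xc32038474a"
GUID_DELIMITER = "b49e334d-9c01-463e-9bc5-00a6920fb66e"

# Source-level leads for manual review of PHP under the web root. A hit means
# preserve the file and diff it against release media; it is not proof.
SOURCE_PATTERNS = [
    (re.compile(r"REDCAP-TOKEN"), "references the REDCAP-TOKEN cookie"),
    (re.compile(re.escape(GUID_DELIMITER)), "contains the INFINITERED version GUID"),
    (re.compile(r"move_uploaded_file\s*\(|\beval\s*\(", re.I), "upload or eval primitive"),
]


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_webroot(root):
    """Sorted (relative path, reason) pairs for PHP files that need review.
    Walks every directory, so legacy versions left beside the upgrade count too."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            label = INFINITERED_HASHES.get(sha256_file(path))
            if label:
                findings.append((rel, "hash match: " + label))
            if name == "help.php":
                findings.append((rel, "help.php present (web shell name reported by GTIG)"))
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            for pattern, reason in SOURCE_PATTERNS:
                if pattern.search(src):
                    findings.append((rel, reason))
    return sorted(findings)


def hunt_sessions(conn):
    """Session IDs carrying the INFINITERED prefix. Assumes a redcap_sessions
    table with a session_id column; run against a preserved copy of the DB."""
    rows = conn.execute(
        "SELECT session_id FROM redcap_sessions WHERE session_id LIKE ? ORDER BY session_id",
        (SESSION_PREFIX + "%",),
    ).fetchall()
    return [row[0] for row in rows]


def build_fixture():
    """Constructed sample data: a clean page, a legacy-tree file reading
    REDCAP-TOKEN, a help.php uploader, and a SQLite stand-in sessions table."""
    root = tempfile.mkdtemp(prefix="redcap_triage_")
    legacy = os.path.join(root, "redcap_legacy", "includes")
    os.makedirs(legacy)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'clean page'; ?>\n")
    with open(os.path.join(legacy, "token_check.php"), "w") as fh:
        fh.write("<?php if (isset($_COOKIE['REDCAP-TOKEN'])) { /* ... */ } ?>\n")
    with open(os.path.join(root, "help.php"), "w") as fh:
        fh.write("<?php move_uploaded_file($_FILES['f']['tmp_name'], $_POST['p']); ?>\n")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE redcap_sessions (session_id TEXT PRIMARY KEY, "
                 "session_data TEXT, session_expiration TEXT)")
    conn.executemany("INSERT INTO redcap_sessions VALUES (?, ?, ?)", [
        ("a1b2c3d4e5f60718", 'username|s:5:"alice";', "2026-06-01 00:00:00"),
        ("xc32038474a9f1e2d3c4", "<opaque ciphertext>", "2026-06-01 00:00:00"),
        ("xc32038474a00aa11bb22", "<opaque ciphertext>", "2026-06-02 00:00:00"),
    ])
    return root, conn


def run_triage():
    """Build the fixture, run both hunts, clean up, return (file findings, session IDs)."""
    root, conn = build_fixture()
    try:
        return scan_webroot(root), hunt_sessions(conn)
    finally:
        conn.close()
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    files, sessions = run_triage()
    for rel, reason in files:
        print(f"[file] {rel}: {reason}")
    for sid in sessions:
        print(f"[session] {sid}")
```

On a real host, point `scan_webroot` at the document root (and any parallel legacy root) and `hunt_sessions` at a MySQL connection to a preserved database copy; the hash table only fires on the actual published samples, so on the fixture the file findings come from the source heuristics alone.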

SaaS and mail-control-plane triage

  • Review mail content-compliance / transport / DLP rules for unauthorized forwarding, BCC, redirect, journaling, regex-heavy keyword matching, or unusual rule names such as Patroit.
  • Alert when administrator-created mail rules send matched content to consumer mailboxes or newly created external destinations.
  • Require phishing-resistant MFA / 2SV on administrator accounts and third-party identity-provider accounts; GTIG specifically recommends hardening admin accounts and 2-Step Verification.
  • Correlate administrator logins from residential routers, VPS, and other OBF-style infrastructure with rule creation, mailbox export, forwarding, or content-compliance changes.
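The rule-review heuristics above as an added example, not code from GTIG or from any mail vendor. It scores an exported content-compliance rule on where copied mail goes (published exfiltration mailbox, consumer domain, external domain), where the creating session came from (published indicator IP or outside the admin egress allowlist), whether regex-heavy matching feeds a copy action, and whether the rule name is on a reviewed list. The `ContentRule` shape, the tenant domain, the egress network and the approved-name list are assumptions; the two sample rules are constructed, with the second modelled on the reported Patroit rule.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions for this illustration: the tenant's mail domains, the egress
# network its administrators normally use, and rule names already reviewed.
ORG_DOMAINS = {"example-research.org"}
ADMIN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
APPROVED_RULE_NAMES = {"PHI outbound quarantine"}
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
# Public indicators from the GTIG report, undefanged so they compare.
IOC_IPS = {"23.169.65.49"}
IOC_MAILBOXES = {"bebitabarefoot774@gmail.com"}
# Actions that copy or move a message somewhere other than its recipient.
COPY_ACTIONS = {"bcc", "forward", "redirect", "journal"}
METACHARS = set("\\[]{}()|*+?")


@dataclass
class ContentRule:
    """Vendor-neutral view of a content-compliance/transport rule as exported
    from an admin console or audit log (a constructed shape, not a product API)."""
    name: str
    created_by: str
    created_from_ip: str
    action: str
    destinations: list
    expressions: list


def review_rule(rule):
    """Return (severity, reason) pairs; an empty list means nothing to flag."""
    findings = []
    action = rule.action.lower()
    if action in COPY_ACTIONS:
        for dest in rule.destinations:
            addr = dest.lower()
            domain = addr.rsplit("@", 1)[-1]
            if addr in IOC_MAILBOXES:
                findings.append(("high", f"{action} to published exfiltration mailbox {addr}"))
            elif domain in CONSUMER_DOMAINS:
                findings.append(("high", f"{action} to consumer mailbox {addr}"))
            elif domain not in ORG_DOMAINS:
                findings.append(("medium", f"{action} to external domain {domain}"))
        metachars = sum(1 for expr in rule.expressions for ch in expr if ch in METACHARS)
        if metachars >= 6:
            findings.append(("low", "regex-heavy matching feeding a copy/forward action"))
    ip = ipaddress.ip_address(rule.created_from_ip)
    if rule.created_from_ip in IOC_IPS:
        findings.append(("high", f"created from published indicator {ip}"))
    elif not any(ip in net for net in ADMIN_EGRESS):
        findings.append(("medium", f"created from non-allowlisted address {ip}"))
    if rule.name not in APPROVED_RULE_NAMES:
        findings.append(("low", f"unreviewed rule name {rule.name!r}"))
    return findings


def review_rules(rules):
    return {rule.name: review_rule(rule) for rule in rules}


def highest_severity(findings):
    """3 = high, 2 = medium, 1 = low, 0 = nothing flagged."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((order[sev] for sev, _ in findings), default=0)


# Constructed sample export: a legitimate DLP quarantine rule and a rule
# modelled on the reported Patroit rule (keywords and regex are illustrative).
SAMPLE_RULES = [
    ContentRule("PHI outbound quarantine", "dlp-admin@example-research.org",
                "198.51.100.20", "quarantine", [], [r"\b\d{3}-\d{2}-\d{4}\b"]),
    ContentRule("Patroit", "it-admin@example-research.org", "23.169.65.49",
                "bcc", ["BebitaBarefoot774@gmail.com"],
                ["uncrewed|UAV|UAS", "Indo-Pacific",
                 r"\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}"]),
]


if __name__ == "__main__":
    for name, findings in review_rules(SAMPLE_RULES).items():
        print(name, findings or "ok")
```

A journaling rule to a sanctioned third-party archive will land as "medium" under the external-domain check; add that archive's domain to `ORG_DOMAINS` or an allowlist of its own rather than weakening the consumer-mailbox and indicator checks, which are the ones that catch the pattern reported here.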

Public indicators

GTIG published the following public indicators in the June 2026 report (indicator, type, context):

  • BebitaBarefoot774[@]gmail[.]com (email): mail exfiltration account, disabled by GTIG
  • 23.169.65[.]49 (IP address): source of administrator login; GTIG describes it as a compromised ASUS router
  • ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7 (SHA-256): help.php persistence
  • db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136 (SHA-256): INFINITERED credential harvester
  • c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b (SHA-256): INFINITERED credential harvester
  • 8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec (SHA-256): INFINITERED backdoor
  • 51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045 (SHA-256): INFINITERED backdoor
  • 4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b (SHA-256): INFINITERED dropper
  • 58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86 (SHA-256): INFINITERED dropper
  • b49e334d-9c01-463e-9bc5-00a6920fb66e (host artifact): INFINITERED current software-version GUID delimiter
  • xc32038474a (host artifact): INFINITERED REDCap database session-ID prefix

Sources

  • Google Cloud / GTIG: https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research