Analysis of a China-Linked Cyber Espionage Campaign Targeting Research, Healthcare and Defense Organizations
A China-linked cyber espionage actor tracked as UNC6508 conducted a long-term intelligence collection campaign against healthcare, academic, research, and defense-related organizations in North America. The campaign leveraged compromised REDCap servers and custom malware known as INFINITERED to maintain persistence and harvest credentials. Following privilege escalation, the threat actor abused Google Workspace Content Compliance Rules to silently copy sensitive emails to attacker-controlled accounts. This activity demonstrates the increasing use of legitimate cloud administration features for covert data exfiltration and highlights the need for organizations to monitor cloud administrative actions in addition to traditional endpoint and network activity.
| Field | Value |
|---|---|
| Threat actor | UNC6508 |
| Severity | High |
| Motivation | Espionage |
| Malware | INFINITERED |
| Target sectors | Research & Defense |
| Confidence | High |
Google Threat Intelligence Group attributed this activity with high confidence to UNC6508, a China-linked espionage cluster focused on intelligence gathering operations. The threat actor demonstrated interest in collecting information related to military strategy, defense technology, artificial intelligence, offensive cyber operations, healthcare research, and geopolitical policy. The operation appears consistent with long-term strategic intelligence collection objectives rather than financial motivations.
1. Earliest observed compromise activity.
2. Deployment of INFINITERED malware on REDCap servers.
3. Credential harvesting and internal reconnaissance.
4. Privilege escalation and lateral movement.
5. Email exfiltration via Google Workspace Content Compliance Rules.
UNC6508 compromised internet-facing REDCap servers. Public reporting indicates the actor targeted older and potentially vulnerable REDCap deployments.
The actor deployed INFINITERED, which modified REDCap application files and survived software upgrades by reinjecting its code during subsequent update cycles. Replacing the application files with a fresh release therefore did not, by itself, remove the implant; integrity checks against a known-good copy of the release were needed after every upgrade.
INFINITERED harvested usernames and passwords entered through REDCap authentication portals and stored collected credentials in encrypted form.
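A practical check for the file tampering described in the two preceding paragraphs is a file-integrity comparison: hash every file in the live web tree and diff it against a manifest built from the vendor's release archive for the same version. The baseline must come from the pristine release, not from the live server (which may already be modified), and the comparison has to be repeated after each upgrade because the implant reinjects itself. The following is an added example, not code from the report or from REDCap; the directory layout, file names and the "tampered" content are constructed stand-ins.

```python
"""File-integrity check for a web application tree (added example, not from the report).

Builds a SHA-256 manifest of every file under a directory, diffs it against a
baseline manifest, and reports added, modified and removed files. The demo
constructs a throwaway tree that stands in for a REDCap install; the file
names and the "tampered" content are illustrative, not real malware artefacts.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; return sorted lists of added, modified and removed paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def _write(root, rel, text):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def demo():
    """Simulate a clean release tree versus a live tree with an injected hook."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        # Constructed stand-in for a pristine vendor release (file names illustrative).
        for rel, text in {
            "index.php": "<?php require 'init.php';\n",
            "init.php": "<?php // bootstrap\n",
            "Authentication/auth.php": "<?php // login handler\n",
        }.items():
            _write(clean, rel, text)
            _write(live, rel, text)
        # Constructed tampering: one handler modified, one unexpected file dropped.
        _write(live, "Authentication/auth.php", "<?php // login handler\n// tampered\n")
        _write(live, "tmp/hook.php", "<?php // unexpected file\n")
        return diff_manifests(build_manifest(clean), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline manifest should be generated from the downloaded release archive on a separate host and stored off the web server, and the live manifest should be built by a job the web server's service account cannot modify. A modified login handler or a new file under a writable directory is exactly the signal the persistence and credential-capture stages above would produce.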
Using harvested credentials and internal reconnaissance, the actor obtained elevated privileges including domain administrator access.
The threat actor targeted communications and documents related to strategic policy, defense programs, artificial intelligence, healthcare research, and advanced technologies.
Rather than deploying dedicated exfiltration malware, UNC6508 created Google Workspace Content Compliance Rules that automatically delivered copies of matching messages to attacker-controlled accounts. Because the copy is made inside Google's mail pipeline, the activity leaves no endpoint or egress artefact on the victim's own systems; the evidence lives in the Workspace Admin audit log entries for the rule changes and in the rules themselves.
| Tactic | Observed technique (ATT&CK) |
|---|---|
| Initial Access | Exploit Public-Facing Application (T1190) |
| Persistence | Server Software Component (T1505) |
| Credential Access | Input Capture: Web Portal Capture (T1056.003) |
| Discovery | Account Discovery (T1087) |
| Privilege Escalation | Valid Accounts (T1078) |
| Collection | Email Collection: Email Forwarding Rule (T1114.003) |
| Exfiltration | Transfer Data to Cloud Account (T1537) |
Confidence Level: High

The technical findings, attribution assessment, and campaign details are based on reporting from Google Threat Intelligence Group and supporting industry analysis.
This campaign highlights a growing trend in which adversaries abuse trusted cloud-native administrative features rather than deploying traditional malware for data exfiltration. The use of Google Workspace Content Compliance Rules enabled the threat actor to blend malicious actions with legitimate administrative activity, reducing visibility and complicating detection efforts. Organizations should expand monitoring capabilities beyond endpoint telemetry and network traffic to include cloud audit logs, configuration changes, and administrative activity within SaaS platforms.
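The exfiltration stage above and the monitoring recommendation in this conclusion both come down to one detection: a Gmail routing or compliance rule that adds a recipient outside the organisation's domains. The following is an added example, not code from the report or from Google. It assumes input records shaped like Google Workspace Reports API admin activities (an actor, a timestamp, and a list of events each carrying a parameters list); the event names `CREATE_GMAIL_SETTING` and `CHANGE_GMAIL_SETTING`, the parameter names `SETTING_NAME`, `USER_DEFINED_SETTING_NAME` and `NEW_VALUE`, and all sample events are assumptions constructed for illustration, so validate them against your own tenant's logs before deploying.

```python
"""Hunt Workspace Admin audit events for Gmail compliance/routing rule changes
that deliver copies to addresses outside the organisation (added example; not
the report's or Google's code).

Input records follow the general shape of Reports API admin activities. The
event names, parameter names and the sample events are assumptions constructed
for illustration.
"""
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumed names of Admin audit events for Gmail settings changes.
GMAIL_SETTING_EVENTS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}


def _param(event, name):
    """Return the value of the named parameter on an event, or '' if absent."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value", "")
    return ""


def find_external_rule_copies(activities, org_domains):
    """Return findings for rule changes whose new value names an address outside org_domains."""
    org = {d.lower() for d in org_domains}
    findings = []
    for act in activities:
        actor = act.get("actor", {}).get("email", "?")
        when = act.get("id", {}).get("time", "?")
        for ev in act.get("events", []):
            if ev.get("name") not in GMAIL_SETTING_EVENTS:
                continue
            new_value = _param(ev, "NEW_VALUE")
            external = sorted(
                {a for a in EMAIL_RE.findall(new_value) if a.split("@")[1].lower() not in org}
            )
            if external:
                findings.append({
                    "time": when,
                    "actor": actor,
                    "event": ev["name"],
                    "setting": _param(ev, "SETTING_NAME"),
                    "rule": _param(ev, "USER_DEFINED_SETTING_NAME"),
                    "external_recipients": external,
                })
    return findings


# Constructed sample activities (not real log data): a benign internal archive
# rule, a rule copying mail to an outside address, and an unrelated admin event.
SAMPLE_ACTIVITIES = [
    {
        "id": {"time": "2025-01-10T02:14:07.000Z", "applicationName": "admin"},
        "actor": {"email": "it-admin@example.edu"},
        "events": [{
            "type": "EMAIL_SETTINGS", "name": "CHANGE_GMAIL_SETTING",
            "parameters": [
                {"name": "SETTING_NAME", "value": "Content compliance"},
                {"name": "USER_DEFINED_SETTING_NAME", "value": "Archive to records"},
                {"name": "NEW_VALUE", "value": "Also deliver to: records@example.edu"},
            ],
        }],
    },
    {
        "id": {"time": "2025-01-12T03:41:55.000Z", "applicationName": "admin"},
        "actor": {"email": "svc-backup@example.edu"},
        "events": [{
            "type": "EMAIL_SETTINGS", "name": "CREATE_GMAIL_SETTING",
            "parameters": [
                {"name": "SETTING_NAME", "value": "Content compliance"},
                {"name": "USER_DEFINED_SETTING_NAME", "value": "Compliance sync"},
                {"name": "NEW_VALUE",
                 "value": "Match: grant OR proposal; Also deliver to: sync-archive@mail-collect.invalid"},
            ],
        }],
    },
    {
        "id": {"time": "2025-01-12T08:00:00.000Z", "applicationName": "admin"},
        "actor": {"email": "it-admin@example.edu"},
        "events": [{"type": "USER_SETTINGS", "name": "CREATE_USER",
                    "parameters": [{"name": "USER_EMAIL", "value": "newhire@example.edu"}]}],
    },
]


def demo():
    """Run the hunt over the constructed sample with example.edu as the only org domain."""
    return find_external_rule_copies(SAMPLE_ACTIVITIES, {"example.edu"})


if __name__ == "__main__":
    for f in demo():
        print(f"{f['time']} {f['actor']} {f['event']} rule={f['rule']!r} -> {f['external_recipients']}")
```

Live records can be pulled with the Reports API `activities.list` call for the `admin` application and fed to `find_external_rule_copies` unchanged. Two caveats matter in practice: an in-domain recipient is not automatically safe once the actor holds domain administrator access, since it can create or take over an internal mailbox, so rule creation by any account outside a short allowlist of change-managed admins should alert regardless of recipient; and the rules themselves should be inventoried directly in the Admin console after an incident, because log retention may not reach back to when a rule was created.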