Published on June 15, 2026
Chinese-Linked UNC6508 Exploits REDCap Servers and Google Workspace Rules to Steal Sensitive Research Emails
Severity
Medium
Detail
Google’s Threat Intelligence Group (GTIG) has disclosed a cyber espionage campaign attributed with high confidence to a China-linked threat cluster tracked as UNC6508. The threat actor maintained access to North American medical, academic, and military research networks for more than a year, targeting organizations across the United States and Canada.
The campaign affected clinical providers, academic institutions, military health organizations, advocacy groups, and health regulators. The attackers leveraged compromised REDCap servers to obtain credentials and subsequently abused legitimate Google Workspace administrative features to exfiltrate sensitive emails related to research, defense, and geopolitical topics.
How?
According to GTIG, the campaign began with the compromise of externally exposed REDCap (Research Electronic Data Capture) servers. While Google observed the threat actor targeting older vulnerable REDCap instances, the exact initial access method, affected versions, and specific vulnerability used have not been identified.
Approximately three months after gaining access, UNC6508 deployed a custom malware family known as INFINITERED. The malware modified REDCap system files and established persistence by hijacking the platform’s upgrade mechanism, allowing the malicious code to be reintroduced during future software upgrades. INFINITERED also harvested usernames and passwords entered through the REDCap login page and stored the captured credentials in encrypted form within local database tables. Additionally, it functioned as a backdoor by receiving commands through HTTP cookies and executing them whenever REDCap pages were loaded.
After compromising the REDCap environment, the attackers conducted internal reconnaissance and credential discovery activities. They obtained database credentials and service account credentials, which were then used to move laterally through the network. Eventually, the threat actor gained domain administrator privileges, enabling broader access to the victim environment.
To exfiltrate information, UNC6508 abused Google Workspace content compliance rules, a legitimate administrative feature that scans email messages for specified keywords and can automatically copy or forward matching content. The attackers created a content compliance rule named “Patroit” and configured it to monitor nearly 150 keywords, search terms, and email addresses. When matching emails were identified, Google Workspace automatically sent blind carbon copies (BCCs) to an attacker-controlled Gmail account. Google has since disabled the account.
Impact?
The attackers used the Google Workspace rule to collect sensitive emails and research information without deploying malware on email servers or generating unusual network traffic. The monitored keywords reflected the group’s intelligence collection priorities, which included geopolitical policy, military strategy, military equipment, advanced technologies, artificial intelligence, uncrewed vehicles, offensive cyber programs, and medical research.
Recommendation
Organizations using REDCap should immediately patch externally accessible servers and remove outdated REDCap versions rather than maintaining them alongside current releases. The report notes that legacy REDCap versions can operate side-by-side with newer versions, creating opportunities for downgrade attacks that force software back to vulnerable releases.
Administrators should review Google Workspace content compliance rules and email forwarding configurations for unauthorized rules that copy or redirect messages to external email addresses. Audit logs should be examined to identify when rules were created or modified.
Organizations are also encouraged to review GTIG’s published indicators of compromise, search for evidence of INFINITERED activity within their environments, and implement phishing-resistant multi-factor authentication for administrator accounts.
Conclusion
The UNC6508 campaign demonstrates a combination of REDCap server compromise and abuse of legitimate Google Workspace administrative functionality to conduct long-term espionage operations against research and healthcare organizations. By leveraging content compliance rules for email collection, the threat actor was able to quietly exfiltrate sensitive information using built-in cloud features, highlighting the importance of monitoring both server security and cloud administration configurations.
Source
https://thehackernews.com/2026/06/chinese-hackers-abused-google-workspace.html
