
Google Threat Intelligence Group has uncovered a Chinese cyberespionage campaign that has been spying on US medical, military and AI research organisations for more than a year.
The activity is attributed to the threat actor UNC6508, which has deployed custom malware named InfiniteRed to harvest credentials from researchers’ web applications.
The group frequently targets REDCap servers used for managing clinical trial data, exploiting weak configurations to gain initial access.
InfiniteRed includes capabilities for credential dumping, establishing persistent backdoors and obfuscating network traffic to evade detection.
Exfiltration is performed through encrypted channels that mimic legitimate traffic, making the activity hard to spot with conventional security tools.
The malware employs living‑off‑the‑land techniques, using native Windows utilities to move laterally within compromised networks.
Google worked with Mandiant to dismantle the attacker’s infrastructure and has released indicators of compromise to help defenders hunt for related activity.
Intrusion activity linked to UNC6508 has been observed since at least 2023, with a steady focus on North American medical, academic and military research centres.
The campaign aligns with broader strategic priorities of gathering intelligence on health innovations and artificial intelligence advances.
Google’s Threat Intelligence Group published an advisory detailing the tactics, techniques and procedures used by the group and urged organisations to review their exposure.
By sharing technical details publicly, the company aims to enable defenders to detect and block similar intrusions before they cause significant loss.
Organisations should enforce multi‑factor authentication on all web‑facing applications, especially those handling sensitive research data.
Administrators must patch and harden REDCap instances, disabling unnecessary features and restricting network access to trusted zones.
Security teams ought to monitor authentication logs for unusual login attempts and watch for unauthorised changes to configuration files or scheduled tasks.
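One way to implement the authentication-log monitoring recommended above, as an added example that is not code from Google, Mandiant or the REDCap project: the script below parses web-application login events, flags a burst of failed logins from one source (grouped by source rather than by account, so it also catches a spray of attempts across several accounts, not only a brute force against one) and notes whether a successful login followed from the same source, then separately flags successful logins from a source never seen before for that account. The log line format, the sample lines, the `KNOWN_SOURCES` baseline and the window and threshold values are all constructed assumptions; adapt the regular expression to the format your application actually writes.

```python
"""Flag suspicious web-application login activity from authentication logs.

Added example; not code from Google, Mandiant or the REDCap project. The log
format, the sample lines and the thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log layout: "<date> <time> <result> user=<name> src=<ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<result>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample lines: five failures then a success from one external
# address, and one account logging in from an address it never used before.
SAMPLE_LOG = """\
2024-03-04 02:11:05 LOGIN_FAIL user=jdoe src=203.0.113.7
2024-03-04 02:11:09 LOGIN_FAIL user=jdoe src=203.0.113.7
2024-03-04 02:11:14 LOGIN_FAIL user=jdoe src=203.0.113.7
2024-03-04 02:11:20 LOGIN_FAIL user=jdoe src=203.0.113.7
2024-03-04 02:11:27 LOGIN_FAIL user=jdoe src=203.0.113.7
2024-03-04 02:11:33 LOGIN_OK user=jdoe src=203.0.113.7
2024-03-04 09:02:41 LOGIN_OK user=asmith src=10.20.0.15
2024-03-04 09:15:12 LOGIN_OK user=asmith src=10.20.0.15
2024-03-04 23:48:02 LOGIN_OK user=asmith src=198.51.100.23
"""

# Constructed baseline of source addresses previously seen per account.
KNOWN_SOURCES = {"asmith": {"10.20.0.15"}, "jdoe": {"10.20.0.31"}}


def parse_log(text):
    """Turn matching log lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # real logs carry unrelated lines; ignore them
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ok": m["result"] == "LOGIN_OK",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_failure_bursts(events, window=timedelta(minutes=5), threshold=5):
    """One alert per source whose failures within `window` reach `threshold`.

    The alert records which accounts were tried and whether a success from the
    same source followed within `window` of the last failure in the burst.
    """
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last = burst[-1]["ts"]
                success_after = any(
                    e["ok"] and last < e["ts"] <= last + window for e in evs
                )
                alerts.append({
                    "src": src,
                    "failures": len(burst),
                    "users": sorted({f["user"] for f in burst}),
                    "success_after": success_after,
                })
                break  # one alert per source is enough for triage
    return alerts


def find_new_source_logins(events, known):
    """Successful logins from a source not previously seen for that account."""
    seen = {user: set(srcs) for user, srcs in known.items()}  # copy the baseline
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            continue
        if e["src"] not in seen.setdefault(e["user"], set()):
            alerts.append({"user": e["user"], "src": e["src"], "ts": e["ts"]})
            seen[e["user"]].add(e["src"])  # report each new pairing once
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in find_failure_bursts(evs):
        print("failure burst:", a)
    for a in find_new_source_logins(evs, KNOWN_SOURCES):
        print("new source for account:", a)
```

Both detectors are deliberately simple so the thresholds can be tuned against your own baseline; a burst that ends in a success, or a first-ever login from an external address, is the kind of event worth correlating with the configuration-file and scheduled-task changes mentioned above.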
Deploying network traffic analysis tools can help spot encrypted exfiltration attempts that blend with normal HTTPS flows.
Application allow‑listing and strict endpoint controls reduce the risk of malicious payloads executing on workstations.
Sharing indicators with industry peers and updating intrusion detection signatures for InfiniteRed‑related artefacts will improve collective defence against this espionage threat.