Chinese Hackers Stole Medical Research Data Undetected for a Year

Key Takeaways

- Chinese threat actor UNC6508 maintained access to a medical research network for over 14 months before detection
- Custom malware called Infinitered was designed specifically to compromise REDCap research database servers
- Attackers used legitimate email compliance features to automatically exfiltrate data matching military and medical research keywords
What Happened
A China-linked hacking group breached REDCap servers at a North American medical research institution and remained undetected for more than a year. Google Threat Intelligence Group (GTIG) published findings on the campaign, attributing the attacks to a threat actor they track as UNC6508.
REDCap (Research Electronic Data Capture) is a web-based platform used by thousands of medical and academic institutions worldwide to manage clinical trial databases, patient surveys, and research data. The platform is designed to comply with medical research regulations, making it a repository of valuable intellectual property.
According to GTIG, the initial compromise occurred in September 2023. The attackers maintained access through November 2025. That's 14 months of undetected infiltration.
How the Attack Worked
GTIG researchers couldn't determine the exact initial entry point, but they observed UNC6508 probing older, vulnerable versions of REDCap. Three months after gaining access, the attackers deployed custom malware called Infinitered, designed specifically for REDCap systems.
Infinitered consists of three components: a persistence and update module, a credential harvester, and a backdoor. The attackers hid these components by trojanizing the server's system files.

The credential harvester captures usernames and passwords submitted through REDCap login pages. It encrypts and stores them in local REDCap database tables for later retrieval. The backdoor receives commands via HTTP cookies and gives attackers the ability to:
- Execute shell commands on the server
- Upload and download files
- Run arbitrary SQL queries against research databases
- Retrieve or delete stolen credentials
- Extract system and database information
A Novel Exfiltration Technique
One technique stood out to GTIG researchers as new for China-linked threat actors. After gaining administrator access, UNC6508 abused the legitimate "content compliance rules" feature found in cloud-based enterprise productivity tools to exfiltrate data over email.
The attackers created a compliance rule named "Patroit" (the misspelling is as it appeared). This rule scanned the organization's systems for specific keywords, content patterns, email addresses, and phone numbers. Any matches were automatically sent as a blind carbon copy to an attacker-controlled Gmail address: BebitaBarefoot774@gmail.com. Google has since disabled this account.
The keywords targeted by this automated exfiltration reveal the attackers' priorities: medical research, advanced technology, military topics, and geo-strategic policy.
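The "Patroit" rule described above is a configuration artifact, so it can be found by auditing the exported rule set rather than by watching traffic. The following Python script is an added example written for this article, not Google's tooling or any mail vendor's API; it assumes compliance rules have already been exported into a plain list of dictionaries with a constructed schema (`name`, `match`, `action`, `bcc`, `forward_to`), and it flags any rule that copies matching mail to a recipient outside the organisation's own domains, with consumer webmail destinations rated highest. The sample rules and addresses are constructed.

```python
"""Audit exported mail content-compliance rules for external BCC/forward targets.

Added defender-side example for this article. The rule schema and the sample
rules are constructed; adapt `load` to whatever export your mail platform gives.
"""
from __future__ import annotations

import re

# Constructed sample export: a benign DLP rule, a rule mirroring the pattern the
# article describes (research/military keywords -> BCC to an external webmail
# address, placeholder local part), and a legitimate internal archive copy.
SAMPLE_RULES = [
    {"name": "DLP - block SSN leaks", "match": ["ssn", "social security"],
     "action": "quarantine", "bcc": []},
    {"name": "Patroit", "match": ["clinical trial", "drug discovery", "military"],
     "action": "deliver", "bcc": ["placeholder-external-mailbox@gmail.com"]},
    {"name": "Legal hold copy", "match": ["litigation"],
     "action": "deliver", "bcc": ["legal-archive@research.example"]},
]

INTERNAL_DOMAINS = {"research.example"}  # constructed org domain

# Free webmail providers: a compliance rule copying mail here is almost never legitimate.
CONSUMER_WEBMAIL = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def recipient_domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    return m.group(1).lower() if m else ""


def is_internal(domain: str, internal_domains: set[str]) -> bool:
    """The org's domains and any of their subdomains count as internal."""
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def audit_rules(rules: list[dict], internal_domains: set[str]) -> list[dict]:
    """Return one finding per rule recipient that sends mail outside the org."""
    findings = []
    for rule in rules:
        for rcpt in rule.get("bcc", []) + rule.get("forward_to", []):
            dom = recipient_domain(rcpt)
            if not dom:
                findings.append({"rule": rule["name"], "recipient": rcpt,
                                 "severity": "high", "reason": "malformed recipient"})
                continue
            if is_internal(dom, internal_domains):
                continue
            severity = "critical" if dom in CONSUMER_WEBMAIL else "high"
            findings.append({"rule": rule["name"], "recipient": rcpt, "severity": severity,
                             "reason": f"copies matching mail to external domain {dom}",
                             "keywords": list(rule.get("match", []))})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"[{f['severity']}] rule {f['rule']!r} -> {f['recipient']}: {f['reason']}")
```

Run it against a fresh export on a schedule and alert on any new finding; the keyword list attached to each finding is what tells an analyst whether the rule is a benign archive copy or a collection filter like the one in this campaign.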

“The actors targeted institutions involved in clinical trials, drug discovery, and military intelligence, demonstrating a strategic interest in high-value intellectual property.”
— Google Threat Intelligence Group researchers
Strong Operational Security
GTIG noted a high level of operational security throughout the campaign. The attackers used US-based residential proxy infrastructure to mask their true location. They also routed traffic through compromised routers and virtual private servers, replayed legitimate credentials to blend in with normal activity, and maintained dedicated infrastructure solely for data exfiltration.
This layered approach explains how UNC6508 avoided detection for so long. Traffic appeared to originate from legitimate US IP addresses, and the attackers used valid credentials rather than exploiting vulnerabilities that might trigger security alerts.
Who's at Risk
Google has notified multiple organizations in the US and Canada that were compromised. The company did not disclose the specific institutions affected.
Any organization running REDCap should audit its installations. The attackers specifically targeted older, vulnerable versions. Self-hosted research infrastructure at academic institutions is particularly exposed, since underfunded academic IT departments often struggle to patch legacy server software as quickly as commercial enterprises.
Defensive Recommendations
Organizations using REDCap should take immediate steps to protect their installations. Update all REDCap instances to the latest version. Review server system files for unauthorized modifications. Audit content compliance rules for suspicious configurations. Monitor for unusual email forwarding rules, especially those sending BCCs to external addresses.
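Because Infinitered hid inside trojanized server system files, "review server system files for unauthorized modifications" in practice means comparing the live tree against a known-good baseline. The Python below is an added example for this article, not code from GTIG or from the REDCap project: it hashes every regular file under a root, stores the result as a baseline (taken from a clean install or package), and later reports files that were modified, added or removed. The directory layout and file names in `demo()` are constructed to exercise all three cases in a temporary directory.

```python
"""Baseline-and-compare file integrity check for a web application tree.

Added defender-side example for this article. Run `build_baseline` once from a
known-good install, keep the result off-host, and re-run `compare` on a schedule.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its SHA-256.

    Symlinks are skipped so a link pointing outside the tree cannot pull in
    unrelated content or mask a replaced file.
    """
    baseline: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report content changes and new or missing files between two snapshots."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, tamper with it, and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "webapp"  # constructed layout, not REDCap's real file names
        app.mkdir()
        (app / "index.php").write_text("<?php echo 'ok'; ?>\n")
        (app / "settings.php").write_text("<?php $cfg = 1; ?>\n")
        baseline = build_baseline(root)

        # Simulated tampering: one file altered, one dropped in, one deleted.
        with (app / "index.php").open("a") as f:
            f.write("// constructed appended line\n")
        (app / "helper.php").write_text("<?php ?>\n")
        (app / "settings.php").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real server the baseline must come from somewhere the attacker cannot rewrite (the distribution package, a read-only snapshot, or a copy held on the monitoring host), otherwise a trojanized file simply becomes the new "known good".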
Network segmentation can limit damage if attackers breach perimeter defenses. Research databases containing sensitive IP should not share network segments with general-purpose systems. Credential monitoring can detect the kind of harvesting Infinitered performs.
Frequently Asked Questions
What is REDCap and why was it targeted?
REDCap (Research Electronic Data Capture) is a web-based platform used by thousands of medical and academic institutions to manage clinical research databases. It stores sensitive patient data and proprietary research findings, making it valuable for state-sponsored espionage groups seeking advantages in medical innovation.
How long did the hackers have access before being detected?
UNC6508 maintained undetected access for more than 14 months, from September 2023 through November 2025.
What data was stolen in the REDCap breach?
The attackers targeted data related to clinical trials, drug discovery, military topics, and geo-strategic policy. They used automated keyword searches to identify and exfiltrate valuable research.
How can organizations protect their REDCap installations?
Update to the latest REDCap version, audit system files for modifications, review email compliance rules for suspicious configurations, and implement network segmentation to isolate research databases.
Which organizations were affected by this breach?
Google notified multiple organizations in the US and Canada but did not publicly disclose specific names. Any institution running older REDCap versions should conduct security audits.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer