RSS

Abusing email "content compliance rules" to BCC out data

Lihh271 pts0 comments

Chinese hackers breach REDCap servers, steal medical research

Home<br>News<br>Security<br>Chinese hackers breach REDCap servers, steal medical research

Chinese hackers breach REDCap servers, steal medical research

By Bill Toulas

June 15, 2026

10:00 AM

A China-linked espionage campaign targeted exposed REDCap servers to deploy the InfiniteRed malware and steal sensitive data from a medical institution in North America.

Google Threat Intelligence Group (GTIG) researchers attribute the attacks to a threat actor tracked as UNC6508, who remained undetected for more than a year in the victim network.

The REDCap platform is widely used in medical and scientific research to build and manage databases and surveys that comply with regulations for medical and scientific research.

Although the researchers couldn&rsquo;t determine the exact initial compromise vector, they observed UNC6508 probing older, vulnerable versions of REDCap.

Based on the investigation, the compromise of the medical research organization occurred in September 2023, and the malicious activity continued for more than a year through November 2025.

GTIG says that three months after the initial compromise, the attackers deployed the 'Infinitered' custom malware designed specifically for REDCap systems, and hid its components by trojanizing the server&rsquo;s system files.

Infinitered consists of three components: a persistence/update module, a credential harvester, and a backdoor.

Infinitered components<br>Source: Google

The login harvester captures usernames and passwords submitted through REDCap login pages, then encrypts and stores them in local REDCap database tables for future retrieval.

The backdoor, which receives commands via HTTP cookies, provides UNC6508 with the following abilities:

Execute shell commands

Upload files to the REDCap server

Download files from the server

Run arbitrary SQL queries

Retrieve stolen credentials

Delete stolen credential records

Return system and database information

One notable technique in the campaign, and new for China-linked threat actors, is the use of the legitimate 'content compliance rules' feature that is present in cloud-based enterprise productivity tools, to exfiltrate data over email.

After gaining administrator access, UNC6508 created a content compliance rule named &ldquo;Patroit,&rdquo; which scans the organization for specific keywords, content patterns, email addresses, and phone numbers.

Any matches are then automatically sent as a blind carbon copy (BCC) to &lsquo;BebitaBarefoot774@gmail.com,&rsquo; now disabled by Google.

The keywords used to look for data of value relate to medical research, advanced technology, military topics, and geo-strategic policy.

Keywords used for email-based exfiltration<br>Source: Google

GTIG observed a high level of operational security across this campaign, including the use of US-based residential proxy infrastructure, compromised routers, VPS, credential replay, and dedicated infrastructure for data exfiltration.

Google notified multiple organizations in the U.S. and Canada that were compromised with the InfiniteRed malware.

"Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness."

REDCap administrators are recommended to upgrade their instances to the latest available versions and remove legacy deployments.

Google also advises using MFA/2SV on high-privilege accounts and Device Bound Session Credentials (DBSC) to prevent session hijacking.

YARA rules and indicators of compromise (IoCs) are present in the report to help scan environments for Infinitered malware infections.

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.<br>The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

Related Articles:

Chinese APT deploys new malware to keep access to hacked networks<br>Chinese hackers target telcos with new Linux, Windows malware<br>New GopherWhisper APT group abuses Outlook, Slack, Discord for comms<br>Chinese hackers hijack auth flow, spy on isolated network for a decade<br>China-linked JDY botnet expands targeting of U.S. military networks

China

Cyber-espionage

Espionage

Infinitered

Malware

REDCap

UNC6508

Bill Toulas

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Previous Article

Next Article

Post a Comment Community Rules

You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Upcoming Webinar

Popular Stories

Over 400 Arch Linux packages compromised to push rootkit, infostealer

Microsoft fixes Windows update failures linked to WUSA...

redcap medical research malware infinitered data

Related Articles

The Newest Instagram "Exploit" Is the Goofiest I've Seen

ssiddharth34 ptsaccount attacker email instagram seen like

Apple WWDC 2026 Livestream

nextstep32 ptsapple stream video event live feed

Claude Fable 5

Philpax30 ptsfable claude mythos model models capabilities

US Government directive to suspend access to Fable 5 and Mythos 5

Dylan131224 ptsfable government anthropic jailbreak access mythos

It's Not Just X. It's Y

mooreds21 ptslanguage model writing like grammarly human
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.