RSS

PRC-linked spies hid inside medical and military networks for more than a year

Bender1 pts0 comments

Google says PRC-linked spies hid in medical research networks for more than a year

Jump to main content

Search

REG AD

RESEARCH

PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data

Google says the intruders were on the hunt for everything from drone tech to pathogens

Jessica Lyons

Jessica<br>Lyons

Published<br>mon 15 Jun 2026 // 15:00 UTC

Chinese government spies remained hidden in the networks of multiple North American medical and military research organizations for more than a year, deploying custom malware and snooping through Gmail inboxes and stealing sensitive data.<br>This PRC-nexus espionage crew, which Google tracks as UNC6508, used some particularly noteworthy search terms as they were scanning for data to steal. They included such esoteric topics as drone technology and a viral disease that spreads from mosquitoes to humans.<br>“It’s one of the most interesting grocery shopping lists of things to collect that I’ve seen from a state-sponsored actor,” Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, told The Register.

REG AD

“We have defense-related activity, which was a significant bulk of the different terms, or emails related to defense platform systems or companies,” McNamara said. “Some of those were looking for any emails that were coming in or going out that used @ and then a big defense name. Others were specific email addresses of individuals at more niche defense companies.”

REG AD

While most of the terms related to defense and technology, the intruders also searched for some medical research facilities – and the very specific pathogen, “Chikungunya,” a viral disease transmitted to humans from mosquitoes that was responsible for an outbreak in China's Guangdong province in July 2025.<br>Google won’t say how many organizations were compromised in this campaign. A Monday report said the operation targeted several national, state, and private medical entities.<br>“These organizations comprise world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies,” according to the report. “Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness.”

MORE CONTEXT

Google catches Beijing spies using Sheets to spread espionage across 4 continents

China-linked snoops have been exploiting Dell 0-day since mid-2024, using 'ghost NICs' to avoid detection

Google's new open-weights model brings image-generation tricks to AI text generation

ShinyHunters hacked 100+ orgs by exploiting an Oracle PeopleSoft 0-day

McNamara told us that the tech company’s incident responders notified all the victims they identified, “and we suspect there's probably even more.”<br>Incident responders first detected this campaign in early 2025, but told us it dates back to at least 2023. And all of these attacks began with the digital intruders somehow exploiting externally facing REDCap (Research Electronic Data Capture) servers. These servers are primarily used by universities, hospitals, and research institutions to build and manage online databases and surveys, and to store sensitive clinical research data.<br>The earliest known intrusion happened in September 2023, when UNC6508 compromised a REDCap server belonging to a North American medical research institution. McNamara told us that all of the intrusions followed this same pattern.<br>Seeing (Infinite)Red<br>After three months, the snoops silently deployed custom malware named InfiniteRed to capture legitimate REDCap login credentials.

REG AD

The malware includes three modular components. The first allows it to maintain persistent remote access by injecting its code into new REDCap versions after intercepting the upgrade process. Then it injects a credential harvester into the authentication system file to compromise user accounts. Finally, it functions as a backdoor with custom hooks that executes on every REDCap page load.<br>Google’s threat intelligence team identified “multiple” US and Canada-based organizations infected with InfiniteRed, and offered assistance with removing the malware.<br>After remaining undetected for more than a year, UNC6508 used the stolen credentials to access admin accounts and the victims’ internal network. Finally, the attackers added sneaky domain content compliance rules for data theft.<br>All 'Patroit' themed emails sent to BebitaBarefoot774<br>Content compliance rules are legitimate features in many cloud-based enterprise productivity suites - like Google Workspace - to exfiltrate specific email communications. Administrators can create these rules to manage messages that contain predefined sets of words or phrases, and these rules apply to all of the users in an organizational unit.<br>UNC6508 created a compliance rule named "Patroit" (yes, they misspelled...

google research medical data spies military

Related Articles

The Newest Instagram "Exploit" Is the Goofiest I've Seen

ssiddharth34 ptsaccount attacker email instagram seen like

Apple WWDC 2026 Livestream

nextstep32 ptsapple stream video event live feed

Claude Fable 5

Philpax30 ptsfable claude mythos model models capabilities

US Government directive to suspend access to Fable 5 and Mythos 5

Dylan131224 ptsfable government anthropic jailbreak access mythos

It's Not Just X. It's Y

mooreds21 ptslanguage model writing like grammarly human
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.