A China-linked espionage campaign targeted exposed REDCap servers to deploy the InfiniteRed malware and steal sensitive data from a medical institution in North America.
Google Threat Intelligence Group (GTIG) researchers attribute the attacks to a threat actor tracked as UNC6508, who remained undetected for more than a year in the victim network.
The REDCap platform is widely used in medical and scientific research to build and manage databases and surveys that comply with regulations for medical and scientific research.
Although the researchers couldn’t determine the exact initial compromise vector, they observed UNC6508 probing older, vulnerable versions of REDCap.
Based on the investigation, the compromise of the medical research organization occurred in September 2023, and the malicious activity continued for more than a year through November 2025.
GTIG says that three months after the initial compromise, the attackers deployed the 'Infinitered' custom malware designed specifically for REDCap systems, and hid its components by trojanizing the server’s system files.
Infinitered consists of three components: a persistence/update module, a credential harvester, and a backdoor.
Infinitered componentsSource: Google
The login harvester captures usernames and passwords submitted through REDCap login pages, then encrypts and stores them in local REDCap database tables for future retrieval.
The backdoor, which receives commands via HTTP cookies, provides UNC6508 with the following abilities:
- Execute shell commands
- Upload files to the REDCap server
- Download files from the server
- Run arbitrary SQL queries
- Retrieve stolen credentials
- Delete stolen credential records
- Return system and database information
One notable technique in the campaign, and new for China-linked threat actors, is the use of the legitimate 'content compliance rules' feature that is present in cloud-based enterprise productivity tools, to exfiltrate data over email.
After gaining administrator access, UNC6508 created a content compliance rule named “Patroit,” which scans the organization for specific keywords, content patterns, email addresses, and phone numbers.
Any matches are then automatically sent as a blind carbon copy (BCC) to ‘[email protected],’ now disabled by Google.
The keywords used to look for data of value relate to medical research, advanced technology, military topics, and geo-strategic policy.
Keywords used for email-based exfiltrationSource: Google
GTIG observed a high level of operational security across this campaign, including the use of US-based residential proxy infrastructure, compromised routers, VPS, credential replay, and dedicated infrastructure for data exfiltration.
Google notified multiple organizations in the U.S. and Canada that were compromised with the InfiniteRed malware.
"Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness."
REDCap administrators are recommended to upgrade their instances to the latest available versions and remove legacy deployments.
Google also advises using MFA/2SV on high-privilege accounts and Device Bound Session Credentials (DBSC) to prevent session hijacking.
YARA rules and indicators of compromise (IoCs) are present in the report to help scan environments for Infinitered malware infections.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
English (US) ·