A China-linked espionage cluster tracked as UNC6508 hid inside North American medical, academic, and military research networks for more than a year by compromising externally facing REDCap servers and deploying the INFINITERED backdoor. Instead of using obvious exfiltration tools, the attackers abused Google Workspace content compliance rules to silently copy sensitive email to an attacker-controlled inbox. #UNC6508 #REDCap #INFINITERED #GoogleWorkspace
Key points
- UNC6508 targeted organizations across the US and Canada, including clinical, academic, military health, and regulatory groups.
- The attackers compromised externally facing REDCap servers and used the INFINITERED backdoor to steal credentials and maintain access.
- INFINITERED hijacked REDCap updates, harvested logins, and accepted commands through HTTP cookies.
- Google Workspace content compliance rules were abused to BCC matching emails to an attacker-controlled Gmail account.
- Defenders should patch REDCap, remove legacy versions, review mail-forwarding rules, and enforce phishing-resistant MFA for admins.
Read More: https://thehackernews.com/2026/06/chinese-hackers-abused-google-workspace.html