PRC-Nexus Hackers Exploit REDCap Servers to Spy on US Medical Research Institutions

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Google’s Threat Intelligence Group (GTIG) uncovered a long-running Chinese cyber-espionage campaign targeting North American medical, academic, and military research institutions that remained undetected for over a year.

GTIG has attributed the campaign with high confidence to UNC6508, a People’s Republic of China (PRC)-nexus threat actor with clear espionage motivations.

The group’s collection priorities (national defense intelligence, Indo-Pacific military operations, artificial intelligence, uncrewed vehicle systems, offensive cyber programs, and medical research) closely align with the strategic interests of the Chinese state.

The earliest known compromise dates back to September 2023, with activity observed continuously through November 2025.

PRC-Nexus Hackers Exploit REDCap Servers

The campaign’s initial foothold was on externally facing REDCap (Research Electronic Data Capture) servers, a web-based platform widely used in the North American medical and scientific research communities.

While GTIG could not confirm the exact initial access vector, UNC6508 was observed actively probing for legacy, unpatched REDCap versions left running alongside current installations, a classic downgrade attack (MITRE ATT&CK T1689).

Campaign attack flow diagram (Source: Google)

Upon gaining entry, the threat actor deployed a web shell named help.php, performed internal reconnaissance, and harvested database and service account credentials.

Three months after the initial compromise, UNC6508 deployed INFINITERED, a sophisticated, modular malware that trojanizes legitimate REDCap system files.

It operates through three key components:

  • Dropper/Upgrade Interceptor: Injects malicious code into new REDCap upgrade packages using a hardcoded GUID delimiter (b49e334d-9c01-463e-9bc5-00a6920fb66e), so the implant persists across software updates.
  • Credential Harvester: Captures plaintext usernames and passwords from login POST requests, encrypts them, and stores them covertly in the REDCap sessions database under the prefix xc32038474a.
  • Backdoor with C2: Runs on every REDCap page load, watches for a specific HTTP Cookie named REDCAP-TOKEN, and supports commands including remote shell execution, SQL queries, file upload/download, and system beaconing.

INFINITERED was discovered across multiple organizations in both the US and Canada. After more than a year of silent access, UNC6508 escalated by using harvested credentials to access a domain administrator account.

INFINITERED diagram (Source: Google)

The group then abused content compliance rules, a legitimate Google Workspace feature, to silently BCC-forward sensitive emails to an attacker-controlled Gmail account: BebitaBarefoot774[@]gmail[.]com.

The rule, named “Patroit” (a misspelling of “Patriot”), used regular expressions to match nearly 150 keywords spanning military strategy, AI research, cyber programs, and medical topics.

GTIG notes that this technique, using domain content compliance rules for data exfiltration, had never previously been observed from a PRC-nexus actor.

One keyword stood out: “Chikungunya,” the mosquito-borne virus responsible for a July 2025 outbreak in China’s Guangdong province, suggesting real-time, mission-specific intelligence tasking.

UNC6508 used US-based obfuscation (OBF) networks to route traffic through compromised ASUS routers, residential proxies, and VPS infrastructure to avoid detection and complicate attribution.

Defensive Recommendations

GTIG disrupted the malicious infrastructure and deactivated the Gmail exfiltration account upon discovery. GTIG and Mandiant Consulting recommend the following immediate actions:

  • Patch REDCap to the latest version and completely remove all legacy installations.
  • Enforce phishing-resistant 2-Step Verification (2SV) for all administrator accounts.
  • Scan REDCap servers for INFINITERED using the published YARA rule.
  • Audit content compliance rules in cloud mail suites for unauthorized BCC-forwarding configurations.
  • Deploy Device Bound Session Credentials (DBSC) to prevent session cookie theft.
  • Enable DLP rules and SIEM logging to detect anomalous data movement and email forwarding.
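As an added example (not code from the GTIG report, the article, or REDCap itself), the following Python script turns the host indicators and file hashes from the IOC table into an offline triage pass over a REDCap web root: it hashes every file against the published SHA256 values, searches text files for the indicator strings, flags any file named help.php, and diffs the deployed tree against a known-clean copy of the same REDCap release so that a trojanized Upgrade.php stands out. It complements the published YARA rule rather than replacing it. The two sample trees it scans are constructed in a temporary directory; the file layout, the suffix list, and the availability of a pristine reference copy are assumptions made here, not details from the report.

```python
"""Added example, not code from the GTIG report or from REDCap: an offline
triage scanner for a REDCap web root. It checks files against the INFINITERED
hashes and host indicator strings published in the article, and diffs the
deployed tree against a pristine copy of the same REDCap release to surface a
modified Upgrade.php. The sample trees are constructed in a temp directory so
the script runs stand-alone; point scan_redcap_root() at a real web root to use it."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values from the article's IOC table.
IOC_SHA256 = {
    "ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7": "help.php web shell",
    "db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136": "credential harvester",
    "c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b": "credential harvester",
    "8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec": "backdoor",
    "51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045": "backdoor",
    "4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b": "dropper",
    "58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86": "dropper",
}

# Host indicator strings from the article. The base64 form of the GUID is
# listed separately because the report does.
HOST_STRINGS = {
    "REDCAP-TOKEN": "backdoor trigger cookie name",
    "xc32038474a": "stolen-credential storage prefix",
    "b49e334d-9c01-463e-9bc5-00a6920fb66e": "dropper GUID delimiter",
    "YjQ5ZTMzNGQtOWMwMS00NjNlLTliYzUtMDBhNjkyMGZiNjZl": "base64 of the GUID delimiter",
    "ej671a16i7fd8202nu6ltfg5p6x7u": "host indicator string",
}

# Assumption: only these suffixes are worth a string search in a REDCap tree.
TEXT_SUFFIXES = {".php", ".inc", ".phtml", ".js", ".html", ".txt"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path, root):
    """Return (relative_path, kind, detail) findings for one file."""
    path = Path(path)
    rel = path.relative_to(root).as_posix()
    findings = []
    digest = sha256_file(path)
    if digest in IOC_SHA256:
        findings.append((rel, "hash", IOC_SHA256[digest]))
    if path.name.lower() == "help.php":
        findings.append((rel, "name", "file named like the reported web shell"))
    if path.suffix.lower() in TEXT_SUFFIXES:
        data = path.read_bytes()
        for needle, desc in HOST_STRINGS.items():
            if needle.encode() in data:
                findings.append((rel, "string", f"{needle}: {desc}"))
    return findings


def scan_redcap_root(root):
    """Walk a REDCap web root and collect hash, name and string hits."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            findings.extend(scan_file(Path(dirpath) / name, root))
    return findings


def compare_to_reference(root, reference):
    """Diff a deployed tree against a pristine copy of the same release.
    Files whose hash differs, or which exist only in the deployed tree, are
    where a trojanized Upgrade.php or a dropped web shell would show up."""
    def hashes(base):
        base = Path(base)
        return {p.relative_to(base).as_posix(): sha256_file(p)
                for p in base.rglob("*") if p.is_file()}
    deployed, pristine = hashes(root), hashes(reference)
    verdict = {}
    for rel, digest in deployed.items():
        if rel not in pristine:
            verdict[rel] = "not in reference"
        elif pristine[rel] != digest:
            verdict[rel] = "modified"
    return verdict


def build_sample_trees():
    """Constructed fixture: a clean reference tree and a 'deployed' tree with a
    modified Upgrade.php carrying the GUID delimiter and an added help.php."""
    ref = Path(tempfile.mkdtemp(prefix="redcap-ref-"))
    dep = Path(tempfile.mkdtemp(prefix="redcap-dep-"))
    for base in (ref, dep):
        (base / "index.php").write_text("<?php echo 'clean';\n")
    (ref / "Upgrade.php").write_text("<?php // pristine upgrade script\n")
    (dep / "Upgrade.php").write_text(
        "<?php // pristine upgrade script\n"
        "/* b49e334d-9c01-463e-9bc5-00a6920fb66e */ // constructed marker, not the real implant\n")
    (dep / "help.php").write_text("<?php // constructed placeholder named like the web shell\n")
    return dep, ref


if __name__ == "__main__":
    deployed, reference = build_sample_trees()
    for hit in scan_redcap_root(deployed):
        print("IOC ", hit)
    for rel, why in compare_to_reference(deployed, reference).items():
        print("DIFF", rel, why)
```

The credentials the harvester writes go into the sessions database, not the web root, so this scan does not cover them; query the REDCap sessions table for session IDs beginning with xc32038474a as a separate step (redcap_sessions is the table name in a standard install, an assumption worth confirming against your schema). A hash match or a hit on the GUID delimiter is strong evidence on its own; a diff against the reference tree will also list legitimate local customizations, so treat those results as a worklist rather than a verdict.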

GTIG has updated Google Security Operations (SecOps) with all relevant IOCs and has notified affected organizations directly.

Indicators of Compromise (IOCs):

  • Network: BebitaBarefoot774[@]gmail[.]com; 23.169.65[.]49
  • Web shell: help.php, SHA256 ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7
  • Credential harvesters (SHA256): db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136; c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b
  • Backdoors (SHA256): 8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec; 51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045
  • Droppers (SHA256): 4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b; 58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86
  • Host indicators: REDCAP-TOKEN (backdoor cookie name); xc32038474a (credential-store prefix); b49e334d-9c01-463e-9bc5-00a6920fb66e (dropper GUID delimiter); YjQ5ZTMzNGQtOWMwMS00NjNlLTliYzUtMDBhNjkyMGZiNjZl (Base64 encoding of the same GUID); ej671a16i7fd8202nu6ltfg5p6x7u
  • Persistence: modified Upgrade.php; AWS Elastic Beanstalk persistence
  • Exfiltration: “Patroit” email-forwarding rule to the attacker-controlled Gmail account
  • C2 functions: remote shell, file upload/download, SQL execution, credential theft, anti-forensics

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
