Executive Summary
Between September 2023 and November 2025, the China-aligned threat actor UNC6508 conducted a covert cyber-espionage campaign targeting U.S. academic, medical, and military research institutions. The attackers exploited vulnerabilities in REDCap servers to deploy custom malware named Infinitered, enabling them to steal credentials and maintain persistent access. This operation led to the exfiltration of sensitive data related to defense intelligence, military strategy, artificial intelligence, and medical research. (darkreading.com)
This incident underscores the evolving sophistication of state-sponsored cyber threats, highlighting the need for enhanced security measures in research institutions. The use of tailored malware and novel data exfiltration techniques by UNC6508 reflects a broader trend of advanced persistent threats employing innovative methods to achieve their objectives.
Why This Matters Now
The UNC6508 campaign exemplifies the increasing complexity and persistence of state-sponsored cyber-espionage, emphasizing the urgent need for organizations to implement robust security protocols, including phishing-resistant multi-factor authentication and continuous monitoring for unauthorized activities.
Attack Path Analysis
UNC6508 exploited vulnerabilities in externally facing REDCap servers to deploy custom malware, Infinitered, capturing credentials over a year. Using these credentials, they escalated privileges to access domain administrator accounts. They moved laterally within the network, compromising additional systems. The attackers established command and control channels to maintain persistent access. They exfiltrated sensitive data by manipulating domain content-compliance rules to forward emails matching strategic keywords to attacker-controlled accounts. The impact included unauthorized access to sensitive research data and potential compromise of national security information.
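The exfiltration step above (content-compliance rules that silently copy keyword-matching mail to an attacker mailbox) is something a defender can audit for directly. The following is an added example, not code from the page or from any vendor named on it; the rule record layout, the institution's domain and the sample rules are constructed, and a real audit would read the rules from the mail platform's admin API or audit log.

```python
from dataclasses import dataclass

# Assumption: the institution's own mail domains. Anything else is "external".
ORG_DOMAINS = {"example-research.edu"}

# Constructed sample of content-compliance rules, in a simplified export shape.
SAMPLE_RULES = [
    {"name": "DLP - block SSN", "keywords": ["ssn"], "action": "reject",
     "forward_to": None},
    {"name": "Archive grants", "keywords": ["grant"], "action": "copy",
     "forward_to": "archive@example-research.edu"},
    # Looks like the pattern described in the report: keyword-triggered
    # silent copy to a mailbox outside the organisation.
    {"name": "sync", "keywords": ["defense", "strategy", "AI model", "clinical"],
     "action": "copy", "forward_to": "backup.mail@mail-example.net"},
    {"name": "Legal hold", "keywords": [], "action": "copy",
     "forward_to": "legal@example-research.edu"},
]


@dataclass
class Finding:
    rule: str
    reasons: list


def is_external(addr, org_domains):
    """True when the address' domain is not one the organisation owns."""
    if not addr or "@" not in addr:
        return False
    return addr.rsplit("@", 1)[1].lower() not in org_domains


def audit_rules(rules, org_domains=ORG_DOMAINS):
    """Flag rules that copy or forward mail to external mailboxes.

    A keyword trigger on such a rule is reported separately, since that is
    what turns a misrouting into targeted collection.
    """
    findings = []
    for rule in rules:
        reasons = []
        target = rule.get("forward_to")
        if rule.get("action") in ("copy", "forward") and is_external(target, org_domains):
            reasons.append(f"delivers matching mail to external mailbox {target}")
            if rule.get("keywords"):
                reasons.append("keyword-triggered: " + ", ".join(rule["keywords"]))
        if reasons:
            findings.append(Finding(rule["name"], reasons))
    return findings
```

Rules that match on subject or body keywords and deliver to addresses outside the organisation's domains are the ones to review first; a rule with no keywords that copies everything externally is flagged as well.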
Kill Chain Progression
Initial Compromise
Description
UNC6508 exploited vulnerabilities in externally facing REDCap servers to deploy custom malware, Infinitered, capturing credentials over a year.
Related CVEs
CVE-2024-55374
CVSS 5.3. An information disclosure vulnerability in REDCap 14.3.13 allows remote attackers to enumerate valid usernames through observable discrepancies in login attempts.
Affected Products:
Vanderbilt REDCap – 14.3.13
Exploit Status:
no public exploit
CVE-2024-56377
CVSS 5.4. A stored cross-site scripting (XSS) vulnerability in REDCap 14.9.6 allows authenticated users to inject malicious scripts into survey titles, potentially enabling the execution of arbitrary web scripts.
Affected Products:
Vanderbilt REDCap – 14.9.6
Exploit Status:
no public exploit
CVE-2025-23113
CVSS 8.8. A cross-site request forgery (CSRF) vulnerability in REDCap 14.9.6 allows attackers to inject HTML into alert titles during CSV uploads, potentially leading to session termination or redirection to phishing sites.
Affected Products:
Vanderbilt REDCap – 14.9.6
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Command and Scripting Interpreter
Application Layer Protocol
Exfiltration Over Web Service
Modify Authentication Process
Indicator Removal on Host
Obfuscated Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
HIPAA – Risk Analysis
Control ID: 164.308(a)(1)(ii)(A)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Advanced persistent threat targeting medical research institutions exploiting REDCap credentials threatens patient data, clinical trials, and compliance with HIPAA regulations.
Higher Education/Academia
China-nexus actors infiltrated academic research networks for year-long espionage, compromising sensitive research data and institutional intellectual property through credential theft.
Defense/Space
Military research institutions targeted for intelligence gathering on defense technology and strategy, requiring enhanced zero trust segmentation and encrypted communications.
Government Administration
State-level public health policy research compromised through sophisticated credential harvesting attacks, necessitating improved egress security and threat detection capabilities.
Sources
- China-Nexus Actor Spy on US Researchers Undetected for a Year: https://www.darkreading.com/threat-intelligence/china-nexus-actor-us-researchers-undetected (Verified)
- CVE-2024-55374: REDCap Username Enumeration Vulnerability: https://www.sentinelone.com/vulnerability-database/cve-2024-55374/ (Verified)
- CVE-2024-56377: A stored cross-site scripting (XSS) vulnerability in survey: https://cve.imfht.com/detail/CVE-2024-56377 (Verified)
- CVE-2025-23113: An issue was discovered in REDCap 14.9.6. It has an: https://cve.imfht.com/detail/CVE-2025-23113 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control, and exfiltrate data, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in externally facing servers would likely be constrained, reducing the risk of initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges to access domain administrator accounts would likely be constrained, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing the number of compromised systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing the duration of persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the volume of data loss.
The attacker's ability to access sensitive research data and national security information would likely be constrained, reducing the potential impact of the breach.
Impact at a Glance
Affected Business Functions
- Clinical Research Data Management
- Medical Records Access
- Research Collaboration Platforms
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive research data, including clinical trial information and medical records.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Enforce Multi-Factor Authentication (MFA) to prevent unauthorized access through compromised credentials.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing data exfiltration.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual activities promptly.
- Regularly update and patch externally facing applications to mitigate known vulnerabilities.