Executive Summary
Between September 2023 and November 2025, the China-linked espionage group UNC6508 infiltrated North American medical, academic, and military research networks by compromising externally facing REDCap servers. They deployed custom malware named INFINITERED, which trojanized REDCap system files to harvest login credentials and establish persistent access. With domain administrator rights, UNC6508 abused Google Workspace content compliance rules, an administrative Gmail routing feature, to silently BCC any message containing chosen keywords to attacker-controlled Gmail addresses. Because the copies are delivered by Google's own mail infrastructure, this exfiltrated sensitive research and defense communications without additional malware and without unusual traffic leaving the victim's network.
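The trojanized REDCap system files described above are the kind of change a file-integrity baseline catches. The following is an added example (not code from this page, from REDCap, or from the incident report) that hashes a PHP webroot into a manifest, then diffs a later snapshot against it to list files that were added, removed, or modified. The directory tree, file names and contents in the demo are constructed stand-ins and do not reproduce REDCap's real layout.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# File types worth baselining in a PHP webroot: what a trojanized core file or a
# dropped backdoor would touch. ".htaccess" has no suffix, so it is matched by name.
BASELINE_TARGETS = {".php", ".js", ".htaccess"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets never load fully into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every targeted file under root (relative POSIX path) to its SHA-256."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix in BASELINE_TARGETS or path.name in BASELINE_TARGETS):
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed, or changed relative to the trusted baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(name for name in common if baseline[name] != current[name]),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed stand-in webroot, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "redcap_v1.0.0").mkdir()
        # Constructed file names and contents; not REDCap's real files.
        (root / "redcap_connect.php").write_text("<?php // constructed stand-in for a core file\n")
        (root / "redcap_v1.0.0" / "index.php").write_text("<?php // constructed stand-in\n")
        (root / "redcap_v1.0.0" / "logo.png").write_bytes(b"\x89PNG constructed")  # not baselined

        # In practice the baseline comes from a clean release package and is stored off-host,
        # never from the server you are about to check.
        baseline = build_manifest(root)

        # Simulate a trojanized install: one core file rewritten, one unexpected PHP file
        # dropped alongside the real code.
        (root / "redcap_connect.php").write_text("<?php // constructed: contents changed\n")
        (root / "redcap_v1.0.0" / "tmp_cache.php").write_text("<?php // constructed: dropped file\n")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run the manifest build against a freshly downloaded copy of the same REDCap release rather than against the live server, keep the manifest off the host, and treat any "added" PHP file in the webroot as a finding until explained; a trojan that keeps the original file's size and timestamp still changes its hash.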
This incident underscores the evolving tactics of state-sponsored actors who exploit legitimate administrative features within cloud services to conduct stealthy data exfiltration. Organizations must enhance monitoring of administrative configurations and implement robust security measures to detect and prevent such abuses.
Why This Matters Now
The exploitation of legitimate cloud service features for data exfiltration highlights the urgent need for organizations to scrutinize administrative configurations and enhance security protocols to prevent similar stealthy attacks.
Attack Path Analysis
UNC6508 gained initial access by compromising externally facing REDCap servers. They harvested credentials with the INFINITERED malware, which trojanized REDCap system files, and used those credentials to escalate to domain administrator rights and move laterally to sensitive systems and data. Command and control ran through a backdoor embedded in REDCap that allowed remote command execution. Exfiltration did not depend on that backdoor: with administrative access to Google Workspace, the group created content compliance rules that silently added attacker-controlled Gmail addresses as BCC recipients on every message matching chosen keywords, so the copies left through Google's own mail delivery rather than through the victim's network. The result was undetected theft of sensitive research and defense-related emails between September 2023 and November 2025.
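An audit script for the exfiltration mechanism described above, added here as an example (not code from this page or from the incident report). It walks Workspace admin audit records and flags any Gmail setting change whose new value introduces a recipient outside the organization's domains, which is the one thing an attacker cannot disguise: the rule name can be innocuous, but the Gmail address it copies to is visible in the change record. The record shape follows the Admin SDK Reports API (activities.list, applicationName=admin); the event name CHANGE_GMAIL_SETTING, the parameter names, the domain list and the records themselves are assumptions constructed for the demo and should be confirmed against real records from your tenant.

```python
from __future__ import annotations

import json
import re

# Domains that may legitimately receive compliance copies (constructed for the demo).
ORG_DOMAINS = {"research.example.edu"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed records in the shape returned by the Admin SDK Reports API
# (activities.list, applicationName=admin). The event name CHANGE_GMAIL_SETTING and the
# parameter names SETTING_NAME / USER_DEFINED_SETTING_NAME / NEW_VALUE are assumptions
# about the admin audit schema; verify them against your tenant before relying on this.
SAMPLE_ACTIVITIES = json.loads(r"""
{"items": [
  {"id": {"time": "2024-03-02T09:14:05.000Z", "applicationName": "admin"},
   "actor": {"email": "it-admin@research.example.edu"},
   "events": [{"type": "APPLICATION_SETTINGS", "name": "CHANGE_GMAIL_SETTING",
     "parameters": [
       {"name": "SETTING_NAME", "value": "Content compliance"},
       {"name": "USER_DEFINED_SETTING_NAME", "value": "Archive grant correspondence"},
       {"name": "NEW_VALUE", "value": "match: grant; action: add recipient bcc grants-archive@research.example.edu"}]}]},
  {"id": {"time": "2024-03-02T23:41:17.000Z", "applicationName": "admin"},
   "actor": {"email": "svc-backup@research.example.edu"},
   "events": [{"type": "APPLICATION_SETTINGS", "name": "CHANGE_GMAIL_SETTING",
     "parameters": [
       {"name": "SETTING_NAME", "value": "Content compliance"},
       {"name": "USER_DEFINED_SETTING_NAME", "value": "Spam filter update"},
       {"name": "NEW_VALUE", "value": "match: proposal|contract|award; action: add recipient bcc mailarchive.sync7@gmail.com"}]}]},
  {"id": {"time": "2024-03-03T08:00:00.000Z", "applicationName": "admin"},
   "actor": {"email": "it-admin@research.example.edu"},
   "events": [{"type": "USER_SETTINGS", "name": "CHANGE_PASSWORD",
     "parameters": [{"name": "USER_EMAIL", "value": "student@research.example.edu"}]}]}
]}
""")


def external_addresses(text: str) -> list[str]:
    """Every e-mail address in text whose domain is not one of ours."""
    return sorted({
        addr.lower() for addr in EMAIL_RE.findall(text)
        if addr.lower().rsplit("@", 1)[1] not in ORG_DOMAINS
    })


def audit_gmail_setting_changes(activities: dict) -> list[dict]:
    """Flag Gmail setting changes whose parameters route mail to an external address.

    Keying on the recipient domain rather than on the rule's display name or on a
    fixed list of setting names keeps the check robust: it fires for content
    compliance, routing, or any other Gmail setting that carries an outside address.
    """
    findings = []
    for item in activities.get("items", []):
        for event in item.get("events", []):
            if event.get("name") != "CHANGE_GMAIL_SETTING":
                continue
            params = {p["name"]: str(p.get("value", "")) for p in event.get("parameters", [])}
            external = external_addresses(" ".join(params.values()))
            if external:
                findings.append({
                    "time": item["id"]["time"],
                    "actor": item.get("actor", {}).get("email", "unknown"),
                    "setting": params.get("SETTING_NAME", ""),
                    "rule_name": params.get("USER_DEFINED_SETTING_NAME", ""),
                    "external_recipients": external,
                })
    return findings


if __name__ == "__main__":
    for f in audit_gmail_setting_changes(SAMPLE_ACTIVITIES):
        print(f"{f['time']} {f['actor']} changed '{f['setting']}' rule '{f['rule_name']}' "
              f"-> copies to {', '.join(f['external_recipients'])}")
```

Feed the function the items returned by the Reports API for the admin application (with google-api-python-client, the `activities().list(userKey="all", applicationName="admin")` call returns this shape) and page through the full retention window, since the rule that matters may have been created long before it was noticed. The same review can be done by hand in the Admin console under the Gmail compliance settings, looking for any rule whose action adds recipients outside the organization.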
Kill Chain Progression
Initial Compromise
Description
UNC6508 compromised externally facing REDCap servers to gain initial access. The specific vulnerability used is not identified; the CVEs listed below are the known REDCap stored XSS issues, which execute in a user's browser and therefore do not by themselves provide the server-side code execution needed to trojanize REDCap files.
Related CVEs
CVE-2024-37394
CVSS 5.4. A stored cross-site scripting (XSS) vulnerability in REDCap versions prior to 15.0.27 LTS allows attackers to execute malicious JavaScript code in victims' browsers, potentially compromising sensitive data.
Affected Products: Vanderbilt University REDCap – < 15.0.27 LTS
Exploit Status: proof of concept
CVE-2024-37395
CVSS 5.4. A stored cross-site scripting (XSS) vulnerability in REDCap versions prior to 15.0.27 LTS allows attackers to execute malicious JavaScript code in victims' browsers, potentially compromising sensitive data.
Affected Products: Vanderbilt University REDCap – < 15.0.27 LTS
Exploit Status: proof of concept
CVE-2024-37396
CVSS 5.4. A stored cross-site scripting (XSS) vulnerability in REDCap versions prior to 15.0.27 LTS allows attackers to execute malicious JavaScript code in victims' browsers, potentially compromising sensitive data.
Affected Products: Vanderbilt University REDCap – < 15.0.27 LTS
Exploit Status: proof of concept
MITRE ATT&CK® Techniques
- T1078 Valid Accounts
- T1098.002 Account Manipulation: Additional Email Delegate Permissions
- T1484 Domain or Tenant Policy Modification
- T1114.003 Email Collection: Email Forwarding Rule
- T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Account Management
Control ID: AC-2
PCI DSS 4.0 – Limit Access to System Components and Cardholder Data
Control ID: 7.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Governance and Administration
Control ID: Pillar 2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Medical research networks were compromised through REDCap servers, giving the actor prolonged access to the research data those servers hold and to the organization's email. Segmenting research platforms from identity infrastructure and monitoring mail-routing configuration are the relevant controls.
Higher Education / Academia
Academic institutions were targeted through a research platform: credential theft from REDCap led to Google Workspace rule manipulation and sustained exfiltration of intellectual property and defense-related research.
Defense / Space
Military research networks were infiltrated through backdoored research servers over an operation dating from September 2023 to November 2025, compromising defense communications; zero trust access and egress filtering are the recommended responses.
Research Industry
REDCap research platforms served as the entry vector, enabling credential harvesting and email exfiltration through manipulated Workspace rules, which calls for stronger threat detection and anomaly response.
Sources
- Chinese Hackers Abused Google Workspace Rules to Steal Research and Defense Emails (The Hacker News): https://thehackernews.com/2026/06/chinese-hackers-abused-google-workspace.html
- Dangerous XSS Bugs in REDCap Threaten Academic & Scientific Research (Dark Reading): https://www.darkreading.com/threat-intelligence/dangerous-xss-bugs-redcap-academic-scientific-research
- REDCap: Multiple Cross-Site Scripting (XSS) Vulnerabilities (LevelBlue SpiderLabs): https://www.levelblue.com/blogs/spiderlabs-blog/redcap-multiple-cross-site-scripting-xss-vulnerabilities
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Initial access through an exposed REDCap server may still occur, but segmentation limits what that server can reach, reducing the risk of further compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges by harvesting credentials and deploying malware would likely be constrained, reducing the risk of further compromise.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network to access sensitive systems and data would likely be constrained, reducing the risk of further compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control through a backdoor would likely be constrained, reducing the risk of further compromise.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data by abusing content compliance rules would likely be constrained, reducing the risk of data loss.
The prolonged undetected theft of sensitive emails would likely be constrained, reducing the overall impact of the attack.
Impact at a Glance
Affected Business Functions
- Research Data Management
- Email Communications
- IT Security Operations
Estimated downtime: N/A
Estimated loss: N/A
Sensitive research data and defense-related emails were accessed and exfiltrated.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit access to critical systems.
- Deploy East-West Traffic Security to monitor and control internal network communications and detect unauthorized movement.
- Use Multicloud Visibility & Control to gain comprehensive insight into cloud environments and detect anomalous activity.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration through outbound traffic controls.
- Regularly update and patch externally facing applications such as REDCap to mitigate known vulnerabilities.
- Audit Google Workspace content compliance and routing rules for actions that add recipients outside the organization, and alert on Gmail setting changes in the admin audit log; mail copied by a Workspace rule leaves through Google's delivery path, not through the victim's egress, so network controls alone will not see it.
- Verify REDCap installations against known-good release files and rotate any credentials that passed through a compromised server.