- Google GTIG exposes UNC6508, a PRC‑linked group exploiting REDCap servers with custom INFINITERED malware
- Attackers stole credentials, exfiltrated sensitive data via manipulated compliance rules, and hid for over a year
- Gmail accounts tied to campaign disabled; admins urged to enforce phishing‑resistant MFA, device‑bound sessions, and advanced protections
For more than a year, Chinese state-sponsored threat actors have been lurking in servers belonging to North American academic, medical, and military research organizations, deploying bespoke malware and exfiltrating sensitive files, experts have warned.
Google Threat Intelligence Group (GTIG) published a new report detailing the recent works of UNC6508, a People’s Republic of China (PRC)-nexus threat actor, who allegedly managed to exploit externally facing Research Electronic Data Capture (REDCap) servers to deploy a custom piece of malware called INFINITERED.
Through this malware they stole login credentials, allowing them to access the servers’ contents and remain undetected for more than a year. They then moved laterally throughout the network, exfiltrating sensitive data using a novel technique of manipulating domain content compliance rules.
“Patroit”
Google says content compliance rules are a “legitimate feature present in many cloud-based enterprise productivity suites”. Using admin accounts, the attackers created specific rules to manage email messages that contained matching predefined sets of words, phrases, and text patterns.
They named the rule “Patroit” and tasked it to BCC-forward certain emails to actor-controlled Gmail addresses.
Google has since disabled the Gmail accounts associated with this threat actor and this campaign.
In the blog, the researchers gave a rather extensive list of things admins should do to make sure they’re safe from UNC6508 and similar actors, including enforcing phishing-resistant…
