
China-Nexus Actor Spies on US Researchers Undetected for a Year

Dark Reading, archived Jun 15, 2026

Google discovered and disrupted the sprawling campaign, which stole REDCap credentials to target numerous institutions and exfiltrate sensitive data.



Elizabeth Montalbano, Contributing Writer. June 15, 2026. 5 Min Read.

An emerging China-nexus threat actor covertly spied on US academic, medical, and military research institutions for at least a year in a sweeping intelligence-gathering effort.

The campaign, uncovered by the Google Threat Intelligence Group (GTIG), relied on custom malware to steal credentials from a Web application widely used by researchers, as well as a novel technique to stealthily transfer data out of an IT environment. GTIG, working with Google subsidiary Mandiant Consulting, discovered and subsequently disrupted the sprawling operation, which targeted the network of a single medical university with ties to the US military but affected numerous organizations, according to a report published Monday.

Google attributed the campaign to a group tracked as UNC6508, a relatively new China-aligned threat actor that pursues intelligence objectives aligned with the strategic interests of the People's Republic of China (PRC) by targeting "a diverse set of national, state, and private medical entities," according to the report.

Indeed, the organizations affected by the activity comprise world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies, according to GTIG and Mandiant researchers. "Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness," the report stated. "They employ thousands of people with a combined research budget in the billions of dollars."

Surprising Scope for UNC6508

Patrick Whitsell, senior security engineer at GTIG, tells Dark Reading that despite the long and storied history of China-nexus threat actors conducting cyber espionage on US organizations, GTIG still found the scope of the intelligence-collection effort surprising. While the activity "aligns with historical PRC intelligence objectives, the broad scope of their collection criteria at a single site was highly unusual," he says.

"The scope of attempted collection encompassed military strategy and programs, foreign policy, advanced defense technology, medical research, and companies in the defense industrial base," Whitsell says. "Typically we would expect to see a more focused collection tailored to the specific targeted organization."

GTIG discovered the earliest known activity of the intrusion in September 2023, with the threat actor exploiting the university's externally facing servers for REDCap (Research Electronic Data Capture), a Web application designed for clinical research. UNC6508 then deployed custom malware named Infinitered to capture credentials for REDCap, with malicious activity continuing consistently through November 2025.

Initially, the group remained undetected for more than a year before using the captured credentials to access the victim's internal network. Three months after initial intrusion, UNC6508 compromised externally facing Web applications, deployed bespoke malware, and abused enterprise administrative tools for covert data exfiltration. "We determined this data was being targeted based on the specific keywords in the malicious compliance rules created by the adversary," Whitsell tells Dark Reading.
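The keyword-matching compliance rules described above are a change an administrator can audit for. As an added illustration (not code from the article, GTIG, or Mandiant), the script below scans constructed admin-audit events in an assumed, simplified JSON schema and flags any compliance rule creation or modification that adds a recipient outside the organisation's own mail domains, which is the shape of the exfiltration path the report describes; the domain names, event fields, and action names are all assumptions.

```python
import json
from typing import List, Optional

# Constructed sample admin-audit events. The JSON schema is an ASSUMPTION for this
# example, not the real audit-log format of any particular mail platform.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-01-10T03:12:44Z", "actor": "svc-backup@example-med.edu",
     "action": "CREATE_COMPLIANCE_RULE", "rule": {"name": "Archive policy",
     "match_keywords": ["defense", "clinical trial", "readiness"],
     "actions": [{"type": "add_recipient", "address": "archive@mail-example.net"}]}},
    {"ts": "2025-01-11T14:02:01Z", "actor": "it-admin@example-med.edu",
     "action": "MODIFY_COMPLIANCE_RULE", "rule": {"name": "Quarantine malware",
     "match_keywords": [], "actions": [{"type": "quarantine"}]}},
    {"ts": "2025-01-12T09:30:00Z", "actor": "it-admin@example-med.edu",
     "action": "CREATE_COMPLIANCE_RULE", "rule": {"name": "Legal hold copy",
     "match_keywords": ["subpoena"],
     "actions": [{"type": "add_recipient", "address": "legal-hold@example-med.edu"}]}},
])
INTERNAL_DOMAINS = {"example-med.edu"}  # assumed: the organisation's own mail domains
RULE_CHANGES = {"CREATE_COMPLIANCE_RULE", "MODIFY_COMPLIANCE_RULE"}
COPY_ACTIONS = {"add_recipient", "forward"}  # actions that deliver a copy elsewhere


def review_rule_event(event: dict, internal_domains: set) -> Optional[dict]:
    """Return an alert if a rule change would silently copy matching mail outside the org."""
    rule = event.get("rule", {})
    reasons = []
    for act in rule.get("actions", []):
        if act.get("type") in COPY_ACTIONS:
            domain = act.get("address", "").rpartition("@")[2].lower()
            if domain and domain not in internal_domains:
                reasons.append(f"delivers matching mail to external domain {domain}")
    if not reasons:
        return None  # internal-only or non-copying rule: nothing to raise
    # Context for the analyst: keyword-driven rules are the exfiltration vehicle described.
    reasons.append(f"content match on {len(rule.get('match_keywords', []))} keyword(s)")
    return {"ts": event["ts"], "actor": event["actor"],
            "rule": rule.get("name", "?"), "reasons": reasons}


def scan_audit_log(raw: str, internal_domains: set = INTERNAL_DOMAINS) -> List[dict]:
    """Parse newline-delimited JSON events and collect alerts for suspicious rule changes."""
    alerts = []
    for line in filter(str.strip, raw.splitlines()):
        event = json.loads(line)
        if event.get("action") in RULE_CHANGES:
            alert = review_rule_event(event, internal_domains)
            if alert:
                alerts.append(alert)
    return alerts
```

In the constructed sample only the "Archive policy" rule is raised: it copies mail matching three content keywords to an external domain, while the legal-hold copy stays inside the organisation and the quarantine rule copies nothing.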
The general attack chain during the period of the malicious activity was as follows: exploitation of the REDCap server; the later deployment of Infinitered malware to stealthily record credentials and persist through upgrades for more than a year; the use of stolen credentials to access a domain administrator account; the addition of the malicious content compliance rule; and the forwarding of emails matching strategic keywords to a threat actor-controlled account.

Novel Methods Demonstrate Evolution for China-Nexus Actors

The campaign had some expected hallmarks of sophisticated PRC-nexus activity, such as long-term stealthy access to the target network, according to GTIG. In addition, the Infinitered malware was tailored specifically for, and will only function on, REDCap servers, demonstrating "a level of targeted engineering [that] aligns with the sophisticated tactics of PRC-nexus actors," Whitsell says. These actors tend to "strategically reverse-engineer specialized software and appliances when targeting high-value environments," he says.

However, other techniques showed deviation from standard procedure for China-backed threat actors. One was how data was exfiltrated, which occurred via a novel and "creative" technique that manipulates domain content-compliance rules, Whitsell says. "The technique does not rely on malware or even standard 'living off the land' tools, making it very difficult to detect" because it avoids many traditional endpoint and network security controls, he tells Dark Reading.

UNC6508 also used a different approach to conceal its malicious activity than other China-backed actors. Specifically, the threat actor used exclusively US-based IP addresses in its obfuscation network to access both target environments and attacker infrastructure. "Typically when we see obfuscation network usage the IPs used are mostly random," Whitsell says. "This indicates a meticulous management of operations security, and an understanding that the targets would find non-US IP logins to be suspicious."

Next Steps for Defenders

Adversaries from China are among the most active state-sponsored groups conducting cyber espionage on US institutions and organizations, and the discovery of the operation should be taken seriously by any organization that may be a target, according to GTIG and Mandiant. In addition to disrupting the malicious infrastructure associated with UNC6508, Google notified the affected organizations upon detection, offered assistance with remediation, and updated Google Security Operations (SecOps) with relevant intelligence, enabling defenders to identify indicators of compromise (IOCs) within their networks.

Aside from paying attention to these updates and IOCs, the "No. 1 thing defenders can do" to avoid compromise by the actor's techniques is to enforce phishing-resistant two-factor authentication on all accounts possible, Whitsell says. "Many attacks we see today still rely on reusing compromised credentials," he says. Other recommendations include monitoring audit logs for unauthorized changes to enterprise systems and data, enabling DLP rules to alert on sharing of sensitive data, and ensuring systems are fully updated with the latest security patches.

About the Author

Elizabeth Montalbano, Contributing Writer. Elizabeth Montalbano is a freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.