PRC-Nexus Hackers Exploit REDCap Servers to Spy on US Medical Research Institutions

Cybersecurity News, Jun 16, 2026

By Abinaya, June 16, 2026

Google’s Threat Intelligence Group (GTIG) uncovered a long-running Chinese cyber-espionage campaign targeting North American medical, academic, and military research institutions that remained undetected for over a year. GTIG has attributed the campaign with high confidence to UNC6508, a People’s Republic of China (PRC)-nexus threat actor with clear espionage motivations.

The group’s collection priorities (national defense intelligence, Indo-Pacific military operations, artificial intelligence, uncrewed vehicle systems, offensive cyber programs, and medical research) are closely aligned with the strategic interests of the Chinese state. The earliest known compromise dates back to September 2023, with activity observed continuously through November 2025.

PRC-Nexus Hackers Exploit REDCap Servers

The campaign’s initial foothold began with externally facing REDCap (Research Electronic Data Capture) servers, a web-based platform widely used in North American medical and scientific research communities. While GTIG could not confirm the exact initial access vector, UNC6508 was observed actively probing for legacy, unpatched REDCap versions running alongside current installations, a classic downgrade attack (MITRE ATT&CK T1689).

[Figure: Campaign attack flow diagram (Source: Google)]

Upon gaining entry, the threat actor deployed a web shell named help.php, performed internal reconnaissance, and harvested database and service account credentials. Three months after the initial compromise, UNC6508 deployed INFINITERED, a sophisticated, modular malware that trojanizes legitimate REDCap system files. It operates through three key components:

- Dropper/Upgrade Interceptor: injects malicious code into new REDCap upgrade packages, using a hardcoded GUID delimiter (b49e334d-9c01-463e-9bc5-00a6920fb66e), so that the implant persists even after software updates.
- Credential Harvester: captures plaintext usernames and passwords from POST login requests, encrypts them, and stores them covertly in the REDCap sessions database under the prefix xc32038474a.
- Backdoor with C2: activates on every REDCap page load, listens for a specific HTTP Cookie parameter, REDCAP-TOKEN, and supports commands including remote shell execution, SQL queries, file upload/download, and system beaconing.

INFINITERED was discovered across multiple organizations in both the US and Canada. After more than a year of silent access, UNC6508 escalated by using harvested credentials to access a domain administrator account.

[Figure: INFINITERED diagram (Source: Google)]

The group then abused content compliance rules, a legitimate Google Workspace feature, to silently BCC-forward sensitive emails to an attacker-controlled Gmail account, BebitaBarefoot774[@]gmail[.]com. The rule, named “Patroit” (a misspelling of “Patriot”), used regular expressions to match nearly 150 keywords spanning military strategy, AI research, cyber programs, and medical topics. GTIG notes that this technique, using domain content compliance rules for data exfiltration, had never previously been observed from a PRC-nexus actor.

One keyword stood out: “Chikungunya,” the mosquito-borne virus responsible for a July 2025 outbreak in China’s Guangdong province, suggesting real-time, mission-specific intelligence tasking.

UNC6508 used US-based obfuscation (OBF) networks, routing traffic through compromised ASUS routers, residential proxies, and VPS infrastructure to avoid detection and complicate attribution.

Defensive Recommendations

GTIG disrupted the malicious infrastructure and deactivated the Gmail exfiltration account upon discovery. GTIG and Mandiant Consulting recommend the following immediate actions:

- Patch REDCap to the latest version and completely remove all legacy installations.
- Enforce phishing-resistant 2-Step Verification (2SV) for all administrator accounts.
- Scan REDCap servers for INFINITERED using the published YARA rule.
- Audit content compliance rules in cloud mail suites for unauthorized BCC-forwarding configurations.
- Deploy Device Bound Session Credentials (DBSC) to prevent session cookie theft.
- Enable DLP rules and SIEM logging to detect anomalous data movement and email forwarding.

GTIG has updated Google Security Operations (SecOps) with all relevant IOCs and has notified affected organizations directly.

Indicators of Compromise (IOCs)

Category: Indicators
Network: BebitaBarefoot774[@]gmail[.]com, 23.169.65.49
Web Shell: help.php, SHA256 ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7
Credential Harvesters: db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136, c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b
Backdoors: 8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec, 51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045
Droppers: 4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b, 58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86
Host Indicators: REDCAP-TOKEN, xc32038474a, b49e334d-9c01-463e-9bc5-00a6920fb66e, YjQ5ZTMzNGQtOWMwMS00NjNlLTliYzUtMDBhNjkyMGZiNjZl, ej671a16i7fd8202nu6ltfg5p6x7u
Persistence: Modified Upgrade.php, AWS Elastic Beanstalk persistence
Exfiltration: “Patroit” email-forwarding rule to attacker Gmail
C2 Functions: Remote shell, file upload/download, SQL execution, credential theft, anti-forensics

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
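To make the host-indicator checks behind the recommendations concrete, here is an added triage script (not Google's YARA rule and not REDCap code) that looks for INFINITERED's published host indicators in a PHP file's contents, in a sessions-table export, and in web access-log lines. The sample inputs are constructed; the export columns (session_id, session_data) and the logging of the request Cookie header are assumptions.

```python
import base64
import re

# Host indicators for INFINITERED, copied from the article's IOC table.
GUID_DELIMITER = "b49e334d-9c01-463e-9bc5-00a6920fb66e"
SESSION_PREFIX = "xc32038474a"
C2_COOKIE = "REDCAP-TOKEN"


def guid_base64() -> str:
    """Base64 form of the GUID delimiter; the IOC table lists this encoded copy as well."""
    return base64.b64encode(GUID_DELIMITER.encode()).decode()


def scan_source(text: str) -> list[str]:
    """Names of indicators present in one file's contents: the GUID delimiter (raw or
    base64), the C2 cookie name, and the harvester's session-row prefix."""
    checks = {
        "guid_delimiter": GUID_DELIMITER,
        "guid_delimiter_b64": guid_base64(),
        "c2_cookie_name": C2_COOKIE,
        "session_prefix": SESSION_PREFIX,
    }
    return [name for name, needle in checks.items() if needle in text]


def scan_sessions(rows: list[tuple[str, str]]) -> list[str]:
    """session_ids from a sessions-table export (assumed columns: session_id, session_data)
    carrying the harvester prefix, i.e. rows that hold stolen credentials, not live sessions."""
    return [sid for sid, _data in rows if sid.startswith(SESSION_PREFIX)]


def scan_access_log(lines: list[str]) -> list[str]:
    """Log lines whose logged Cookie header sets REDCAP-TOKEN. Assumes the server logs the
    request Cookie header (e.g. Apache LogFormat with %{Cookie}i); default formats do not."""
    rx = re.compile(r"(?:^|[;\s\"])" + re.escape(C2_COOKIE) + r"=")
    return [ln for ln in lines if rx.search(ln)]


# Constructed sample inputs (not real artifacts): a trojanized-looking Upgrade.php excerpt,
# a clean file, two sessions rows, and two access-log lines with the Cookie header logged.
TROJANIZED_PHP = "<?php /* upgrade */ $m = '" + GUID_DELIMITER + "'; if (isset($_COOKIE['REDCAP-TOKEN'])) { /* ... */ }"
CLEAN_PHP = "<?php // ordinary REDCap file\nrequire_once 'Config/init_global.php';"
SESSION_ROWS = [("a1b2c3d4e5f6a7b8c9d0", "user=alice"), (SESSION_PREFIX + "9f8e7d6c", "ENC:...")]
ACCESS_LOG = [
    '203.0.113.7 - - [16/Jun/2026:10:00:01 +0000] "GET /redcap/index.php HTTP/1.1" 200 512 "PHPSESSID=abc"',
    '203.0.113.7 - - [16/Jun/2026:10:00:02 +0000] "GET /redcap/index.php HTTP/1.1" 200 17 "PHPSESSID=abc; REDCAP-TOKEN=..."',
]

if __name__ == "__main__":
    print("Upgrade.php hits:", scan_source(TROJANIZED_PHP))
    print("clean file hits:", scan_source(CLEAN_PHP))
    print("suspect session rows:", scan_sessions(SESSION_ROWS))
    print("requests carrying the C2 cookie:", len(scan_access_log(ACCESS_LOG)))
```

A hit on the GUID in any file under the REDCap web root, or any session_id starting with the prefix, warrants the full YARA scan and an incident response review rather than a cleanup in place.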