Industry News & Leadership · Jun 17, 2026

Chinese Espionage Actor Abuses Email Rules to Steal Research Data

Data Breach Today · Archived Jun 17, 2026

Threat Actor Silently Forwarded Sensitive Emails Matching Strategic Topics

Google says Chinese espionage group UNC6508 compromised REDCap environments at North American research institutions, deployed custom malware, stole credentials and covertly forwarded strategically relevant emails through abused compliance rules to support long-term intelligence collection.



Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime

Tiffany Wang • June 16, 2026

A Chinese espionage campaign deployed malware and abused an email filtering tool to steal data from North American academic, medical and military research institutions, the Google Threat Intelligence Group said.

The threat cluster, tracked as UNC6508, compromised publicly accessible software used by the victim organizations, infected systems with custom malware that stole credentials and exfiltrated email communications of interest. Although Google discovered the activity in late 2025, it traced the earliest known compromise to September 2023.

The abuse of content compliance rules, an advanced email content filtering and forwarding function used by administrators, is a novel data exfiltration technique observed for the first time among Chinese-nexus threat actors.

Google said it disrupted the group's malicious infrastructure, but a wide range of institutions could have been affected, including clinical providers, academic centers, North American military health institutions, professional advocacy groups and health regulatory bodies.

Although it is unclear how the threat actor gained initial access, Google said it was able to piece together the attack lifecycle from an incident at a medical research university. Google said it observed the hacker group probing for vulnerable legacy versions of REDCap, a commonly used web-based software platform in the medical research field for building and managing online databases and surveys, which ran side-by-side with the current version.
After gaining initial access, the threat actor searched through database and service account credentials and deployed a web shell to maintain persistence. Three months later, it dropped a custom malware payload, named InfiniteRed by Google. To maintain persistent remote access, the malware intercepted REDCap software upgrades and injected backdoor, credential-harvesting and data-extraction code into the new versions' legitimate system files. The credential harvester captured usernames and passwords during the login process and hid them in a local REDCap sessions database table.

The backdoor lived in the custom hooks system file inside the update package and ran on every page load. It looked for a specific HTTP cookie containing an encrypted payload, allowing attackers to communicate with the malware and issue commands. "If the decrypted payload is empty, the malware acts as a beacon, returning system details such as the OS, PHP version, working directory and database credentials including the hostname, username, password and salt. When non-empty, the malware will parse the payload for command tags, which the threat actor can use to execute shell commands, run raw SQL queries and transfer files," Google wrote.

More than a year after the initial compromise, the threat actor used credentials stolen from REDCap to log into an administrator account and modified content compliance rules. Popular among many cloud-based enterprise productivity suites, content compliance filters emails that match one or more predefined sets of words, phrases, text or numerical patterns. The function supports routing targeted messages to a certain destination, such as the legal department. Instead, the threat actor configured the rules to silently Bcc matching emails to its own Gmail address.
The new compliance rule set up by the attacker used regular expressions to match keywords associated with geo-strategic policy, military strategy, advanced technology and medical research, as well as professional emails and phone numbers of people in these fields. "GTIG assesses these collection priorities are aligned with the strategic interests of the People's Republic of China," Google wrote. Although only a few organizations are known to have been affected, Google said the broad range of intelligence collection suggests victims beyond those in medical research.

The group also employed obfuscation networks, a widely used strategy among Chinese actors, to hide its tracks by routing traffic through a cluster of compromised routers and residential proxies. "By maintaining a high level of OpSec, UNC6508 significantly complicates the efforts of defenders to identify malicious patterns, establish accurate attribution and map the threat actor's infrastructure," Google wrote.
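The abuse described above, a content compliance rule that silently Bcc's matching mail to an external mailbox, is the kind of change an administrator can catch by periodically auditing exported rule definitions. The script below is an added example written for this page; it is not code from the article, from Google, or from any productivity-suite vendor. The JSON export shape, the organisation's domain, the webmail domain list, the sensitive-topic pattern and the three sample rules are all constructed assumptions, so adapt the loader to whatever your suite actually exports.

```python
"""Audit exported mail routing / content-compliance rules for covert forwarding.

Added example, not from the article or from Google's report. The export format
is a constructed, simplified JSON shape (an assumption), not any vendor's schema.
"""
import json
import re

# Domains owned by the organisation; anything else counts as external. Constructed.
INTERNAL_DOMAINS = {"example-research.edu"}

# Consumer webmail providers. A compliance rule copying mail to one of these is
# almost never a legitimate routing destination. Illustrative, not exhaustive.
CONSUMER_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}

# Topic words echoing the collection themes the article describes (assumption:
# tune this to the subjects your organisation considers sensitive).
SENSITIVE_TERMS = re.compile(r"(military|strateg|policy|clinical|trial|research|grant)", re.I)

# Constructed sample export: two ordinary rules and one shaped like the abuse.
SAMPLE_RULES = json.dumps([
    {"name": "Route legal holds", "match": r"(?i)subpoena|litigation hold",
     "actions": {"route_to": "legal@example-research.edu"}},
    {"name": "Archive grant mail", "match": r"(?i)\bgrant\b",
     "actions": {"bcc": ["archive@example-research.edu"]}},
    {"name": "Compliance review", "match": r"(?i)(military|strategy|clinical trial)",
     "actions": {"bcc": ["review.team.2024@gmail.com"], "quarantine": False}},
])


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rule(rule):
    """Return a list of (severity, reason) findings for one rule; empty if clean."""
    findings = []
    actions = rule.get("actions", {})
    # Every address the rule delivers a copy to, whether by Bcc or by rerouting.
    recipients = list(actions.get("bcc", []))
    if actions.get("route_to"):
        recipients.append(actions["route_to"])

    external = [a for a in recipients if domain_of(a) not in INTERNAL_DOMAINS]
    for addr in external:
        severity = "high" if domain_of(addr) in CONSUMER_WEBMAIL else "medium"
        findings.append((severity, f"copies matching mail to external address {addr}"))

    # External copies of mail selected by a sensitive-topic pattern are the
    # exact shape of the exfiltration the article describes.
    if external and SENSITIVE_TERMS.search(rule.get("match", "")):
        findings.append(("high", "external copy of mail matching a sensitive-topic pattern"))
    return findings


def audit_export(export_json):
    """Map rule name -> findings for every rule in the export that has any."""
    report = {}
    for rule in json.loads(export_json):
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_RULES).items():
        for severity, reason in findings:
            print(f"[{severity}] {name}: {reason}")
```

Run it against a fresh export on a schedule and diff the report against the previous run; a rule that first appears with a `high` finding, or an existing rule whose recipient list gains an external address, is what the article's "modified content compliance rules" step looks like from the defender's side. Pair it with audit-log alerting on any change to these rules by an administrator account, since the attacker here reached the rules with stolen credentials rather than by exploiting the mail platform itself.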