[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fP0IXTJkmTVfJVTEzXVuOZ8BDHm8IsJyvKyLRjmZm2Kk":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":30,"category":31,"article_tags":35},"b8d2c82b-d9c5-4783-ac12-330f78864b66","Chinese hackers breach REDCap servers, steal medical research","chinese-hackers-breach-redcap-servers-steal-medical-research-82e1f9","A China-linked espionage campaign targeted exposed REDCap servers to deploy the InfiniteRed malware and steal sensitive data from a medical institution in North America. [...]","A China-linked espionage campaign, attributed to UNC6508, has been targeting exposed REDCap servers in North America for over a year, deploying custom InfiniteRed malware to steal sensitive medical research data. The attackers utilized a novel technique involving cloud-based enterprise productivity tool features for data exfiltration via email and maintained high operational security throughout the campaign.","China-linked hackers used InfiniteRed malware to steal medical research data from North American institutions.","Chinese hackers breach REDCap servers, steal medical research. By Bill Toulas, June 15, 2026 10:00 AM. A China-linked espionage campaign targeted exposed REDCap servers to deploy the InfiniteRed malware and steal sensitive data from a medical institution in North America. Google Threat Intelligence Group (GTIG) researchers attribute the attacks to a threat actor tracked as UNC6508, who remained undetected for more than a year in the victim network. The REDCap platform is widely used in medical and scientific research to build and manage databases and surveys that comply with regulations for medical and scientific research. 
Although the researchers couldn’t determine the exact initial compromise vector, they observed UNC6508 probing older, vulnerable versions of REDCap. Based on the investigation, the compromise of the medical research organization occurred in September 2023, and the malicious activity continued for more than a year through November 2025. GTIG says that three months after the initial compromise, the attackers deployed the 'Infinitered' custom malware designed specifically for REDCap systems, and hid its components by trojanizing the server’s system files. Infinitered consists of three components: a persistence\u002Fupdate module, a credential harvester, and a backdoor. (Figure: Infinitered components. Source: Google) The login harvester captures usernames and passwords submitted through REDCap login pages, then encrypts and stores them in local REDCap database tables for future retrieval. The backdoor, which receives commands via HTTP cookies, provides UNC6508 with the following abilities: execute shell commands; upload files to the REDCap server; download files from the server; run arbitrary SQL queries; retrieve stolen credentials; delete stolen credential records; and return system and database information. One notable technique in the campaign, and new for China-linked threat actors, is the use of the legitimate 'content compliance rules' feature that is present in cloud-based enterprise productivity tools to exfiltrate data over email. After gaining administrator access, UNC6508 created a content compliance rule named “Patroit,” which scans the organization for specific keywords, content patterns, email addresses, and phone numbers. Any matches are then automatically sent as a blind carbon copy (BCC) to ‘BebitaBarefoot774@gmail.com,’ now disabled by Google. The keywords used to look for data of value relate to medical research, advanced technology, military topics, and geo-strategic policy. 
(Figure: Keywords used for email-based exfiltration. Source: Google) GTIG observed a high level of operational security across this campaign, including the use of US-based residential proxy infrastructure, compromised routers, VPS, credential replay, and dedicated infrastructure for data exfiltration. Google notified multiple organizations in the U.S. and Canada that were compromised with the InfiniteRed malware. \"Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness.\" REDCap administrators are advised to upgrade their instances to the latest available versions and remove legacy deployments. Google also advises using MFA\u002F2SV on high-privilege accounts and Device Bound Session Credentials (DBSC) to prevent session hijacking. YARA rules and indicators of compromise (IoCs) are present in the report to help scan environments for Infinitered malware infections.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fchinese-hackers-breach-redcap-servers-steal-medical-research\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2025\u002F03\u002F05\u002Fhacker-china-flag.jpg","2026-06-15T14:00:00+00:00","2026-06-15T16:00:03.446111+00:00",8,[18,21,24,27],{"name":19,"type":20},"UNC6508","threat_actor",{"name":22,"type":23},"REDCap","product",{"name":25,"type":26},"Google","vendor",{"name":28,"type":29},"Cloud-based enterprise productivity tools","technology","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":30,"icon":32,"name":33,"slug":34},null,"Nation-state","nation-state",[36,38,43,48],{"category":37},{"id":30,"icon":32,"name":33,"slug":34},{"category":39},{"id":40,"icon":32,"name":41,"slug":42},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":44},{"id":45,"icon":32,"name":46,"slug":47},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",{"category":49},{"id":50,"icon":32,"name":51,"slug":52},"fbace4ad-a9f5-407c-b73c-88cd9d221ecc","HIPAA","hipaa",[54,57,61,65,68,71,74],{"type":42,"value":55,"context":56},"InfiniteRed","Custom malware deployed by UNC6508 to steal data from REDCap servers.",{"type":58,"value":59,"context":60},"email","BebitaBarefoot774@gmail.com","Email address used for data exfiltration via BCC.",{"type":62,"value":63,"context":64},"mitre_attack","T1078.004","Valid Accounts: Cloud Accounts - used for data exfiltration via cloud productivity tools.",{"type":62,"value":66,"context":67},"T1041","Exfiltration Over C2 Channel - used for data exfiltration via cloud productivity tools.",{"type":62,"value":69,"context":70},"T1573.002","Encrypted Channel: Asymmetric Cryptography - used by InfiniteRed malware for credential harvesting.",{"type":62,"value":72,"context":73},"T1059.003","Command and Scripting Interpreter: Windows Command Shell - used by InfiniteRed 
backdoor.",{"type":62,"value":75,"context":76},"T1047","Windows Management Instrumentation - potentially used for backdoor execution."]