Chinese Hackers Target Medical, Military, and AI Research in North America
Summary
Google Threat Intelligence Group (GTIG) is tracking a Chinese government-linked cyberespionage group, UNC6508, active since at least 2023. The group has been targeting major medical, academic, and military research organizations in North America, focusing on areas like drug discovery, public health policy, and military readiness. They have been observed deploying custom malware named InfiniteRed, which offers capabilities such as credential harvesting and command-and-control.
Full text
The Google Threat Intelligence Group (GTIG) has published an analysis of the attacks carried out by a cyberespionage group linked to the Chinese government. Tracked as UNC6508, the group is believed to have been active since at least 2023, but Google’s researchers started tracking it in early 2025. UNC6508 was mentioned by Google in a report published in February.

The UNC6508 campaign observed by GTIG was mainly aimed at North America, with the hackers targeting major medical, academic, and military research organizations.

“These organizations comprise world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies,” Google’s researchers explained. “Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness.”

According to GTIG, the cyberspies regularly target servers hosting REDCap, a web platform for building and managing clinical research databases and surveys in the medical field. Google said it’s unclear how the attackers gained access to REDCap servers, but evidence suggests they may be targeting vulnerable legacy versions.

In one of the intrusions investigated by the tech giant’s researchers, the hackers deployed a piece of malware named InfiniteRed three months after the initial intrusion.

InfiniteRed is a custom malware payload that provides dropper, upgrade interception, credential harvesting, backdoor, and command-and-control (C&C) capabilities. The malware was discovered on the systems of multiple organizations in the US and Canada.

Google’s analysis found that the hackers abused a legitimate feature named content compliance rules to exfiltrate emails related to specific topics.
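The compliance-rule abuse described above is a misuse of a legitimate mail-routing feature, so one defensive check is to audit every content-compliance rule for the combination of topic keywords and a copy or forward to an off-domain mailbox. The script below is an added example, not code from the article or from GTIG; the rule records, the `example-hospital.org` domain, and the action string format are constructed for illustration and are not any vendor’s real API schema.

```python
from dataclasses import dataclass

# Assumption: the organization's own mail domains (constructed for this example).
INTERNAL_DOMAINS = {"example-hospital.org"}
# Actions that copy or redirect a message to another mailbox.
ROUTING_ACTIONS = {"add_recipient", "bcc", "forward"}


@dataclass
class ComplianceRule:
    """Simplified model of a content-compliance rule (constructed, not a vendor schema)."""
    name: str
    match_terms: tuple   # words or phrases the rule triggers on
    actions: tuple       # "quarantine", "reject", or "<routing_action>:<address>"
    created_by: str


def external_recipients(rule: ComplianceRule) -> list:
    """Return every routing target whose domain is not one of ours."""
    hits = []
    for action in rule.actions:
        kind, _, target = action.partition(":")
        if kind in ROUTING_ACTIONS and "@" in target:
            if target.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                hits.append(target)
    return hits


def audit_rules(rules) -> list:
    """Flag rules that both key on message content and route copies off-domain."""
    findings = []
    for rule in rules:
        hits = external_recipients(rule)
        if hits:
            findings.append({"rule": rule.name, "creator": rule.created_by,
                             "recipients": hits, "terms": list(rule.match_terms)})
    return findings


# Constructed sample rules: one legitimate DLP quarantine, one resembling the
# exfiltration pattern in the article (topic keywords plus an off-domain copy).
SAMPLE_RULES = [
    ComplianceRule("Quarantine outbound PHI", ("patient id", "diagnosis"),
                   ("quarantine",), "dlp-admin@example-hospital.org"),
    ComplianceRule("Archive research mail", ("drone", "naval", "ai research"),
                   ("bcc:archive@mail-collect.example",), "helpdesk2@example-hospital.org"),
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[!] {f['rule']} by {f['creator']} copies to {f['recipients']} on {f['terms']}")
```

Run it against an export of the real rule set and review every finding, paying particular attention to rules created by accounts that should not be administering mail routing.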
The attackers’ compliance rules indicated that they were targeting entities beyond those identified in the medical research community. UNC6508 appears to have also been after valuable intelligence related to national security, AI, drones, cyber offensive research, defense technology, naval assets, diplomatic and government entities, and military command units.

The hackers leveraged obfuscation networks, bulk-sourced accounts, legitimate credentials, and operation-specific infrastructure to hide their activities from defenders.

Google said it disrupted the threat actor’s infrastructure and notified the identified victims. The company has released technical details and indicators of compromise (IoCs) to help defenders.

Written By Eduard Kovacs

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
Indicators of Compromise
- malware — InfiniteRed