PRC-Nexus Hackers Exploit REDCap Servers to Spy on Medical Research
Google’s Threat Intelligence Group (GTIG) has uncovered a long-running Chinese cyber-espionage campaign. This operation targeted North American medical, academic, and military research institutions, remaining undetected for over a year.
GTIG has attributed the campaign with high confidence to UNC6508, a People’s Republic of China (PRC)-nexus threat actor with clear espionage motivations.
The group’s collection priorities (national defense intelligence, Indo-Pacific military operations, artificial intelligence, uncrewed vehicle systems, offensive cyber programs, and medical research) align closely with the strategic interests of the Chinese state.
The earliest known compromise dates back to September 2023, with activity observed continuously through November 2025.
PRC-Nexus Hackers Exploit REDCap Servers
The campaign’s initial foothold began with externally facing REDCap (Research Electronic Data Capture) servers, a widely used web-based platform in North American medical and scientific research communities.
While GTIG could not confirm the exact initial access vector, UNC6508 was observed actively probing for legacy, unpatched REDCap versions left in place alongside current installations, a classic downgrade attack (MITRE ATT&CK T1689).

Upon gaining entry, the threat actor deployed a web shell named help.php, performed internal reconnaissance, and harvested database and service account credentials.
Three months after the initial compromise, UNC6508 deployed INFINITERED, a sophisticated, modular malware that trojanizes legitimate REDCap system files.
It operates through three key components:
- Dropper/Upgrade Interceptor: Injects malicious code into new REDCap upgrade packages so the implant survives software updates; the injected code is marked off by a hardcoded GUID delimiter (b49e334d-9c01-463e-9bc5-00a6920fb66e).
- Credential Harvester: Captures plaintext usernames and passwords from POST login requests, encrypts them, and stores them covertly in the REDCap sessions database under the prefix xc32038474a.
- Backdoor with C2: Activates on every REDCap page load, listens for a specific HTTP Cookie parameter REDCAP-TOKEN, and supports commands including remote shell execution, SQL queries, file upload/download, and system beaconing.
INFINITERED was discovered across multiple organizations in both the US and Canada. After more than a year of silent access, UNC6508 escalated by using harvested credentials to access a domain administrator account.

The group then abused content compliance rules, a legitimate Google Workspace feature, to silently BCC-forward sensitive emails to an attacker-controlled Gmail account: BebitaBarefoot774[@]gmail[.]com.
The rule, named “Patroit” (a misspelling of “Patriot”), used regular expressions to match nearly 150 keywords spanning military strategy, AI research, cyber programs, and medical topics.
GTIG notes that this technique, using domain content compliance rules for data exfiltration, had never previously been observed from a PRC-nexus actor.
One keyword stood out: “Chikungunya,” the mosquito-borne virus responsible for a July 2025 outbreak in China’s Guangdong province, suggesting real-time, mission-specific intelligence tasking.
UNC6508 used US-based obfuscation (OBF) networks, routing traffic through compromised ASUS routers, residential proxies, and VPS infrastructure, to avoid detection and complicate attribution.
Defensive Recommendations
GTIG disrupted the malicious infrastructure and deactivated the Gmail exfiltration account upon discovery. GTIG and Mandiant Consulting recommend the following immediate actions:
- Patch REDCap to the latest version and completely remove all legacy installations.
- Enforce phishing-resistant 2-Step Verification (2SV) for all administrator accounts.
- Scan REDCap servers for INFINITERED using the published YARA rule.
- Audit content compliance rules in cloud mail suites for unauthorized BCC-forwarding configurations.
- Deploy Device Bound Session Credentials (DBSC) so that stolen session cookies cannot be replayed from an attacker’s machine.
- Enable DLP rules and SIEM logging to detect anomalous data movement and email forwarding.
GTIG has updated Google Security Operations (SecOps) with all relevant IOCs and has notified affected organizations directly.
Indicators of Compromise (IOCs):
| Category | Indicators |
|---|---|
| Network | BebitaBarefoot774[@]gmail[.]com, 23.169.65.49 |
| Web Shell | help.php, SHA256: ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7 |
| Credential Harvesters | db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136, c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b |
| Backdoors | 8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec, 51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045 |
| Droppers | 4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b, 58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86 |
| Host Indicators | REDCAP-TOKEN, xc32038474a, b49e334d-9c01-463e-9bc5-00a6920fb66e, YjQ5ZTMzNGQtOWMwMS00NjNlLTliYzUtMDBhNjkyMGZiNjZl, ej671a16i7fd8202nu6ltfg5p6x7u |
| Persistence | Modified Upgrade.php, AWS Elastic Beanstalk persistence |
| Exfiltration | “Patroit” email-forwarding rule to attacker Gmail |
| C2 Functions | Remote shell, file upload/download, SQL execution, credential theft, anti-forensics |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
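The two host-side checks the recommendations call for (remove legacy REDCap version directories, sweep the web root for INFINITERED) can be combined into one triage script. The following is an added example for this write-up, not GTIG or Mandiant tooling and not a substitute for the published YARA rule. The indicator strings, hashes and web-shell filename are taken from the IOC table above; the assumption that each installed version lives in its own redcap_vX.Y.Z folder under the web root reflects REDCap’s standard layout, and the sample tree it scans is constructed inline so it runs offline.

```python
"""Triage scan of a REDCap web root for INFINITERED host indicators and for
leftover legacy version directories.

Added example, not GTIG or Mandiant tooling. Indicator strings, file hashes
and the web-shell name come from the published IOC table; the redcap_vX.Y.Z
directory layout is REDCap's standard layout (assumed here). String hits are
triage leads: confirm with the published YARA rule and a hash check.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Published host indicators: C2 cookie name, sessions-table prefix, GUID
# delimiter, its base64 form, and the remaining published host string.
HOST_INDICATORS = [
    b"REDCAP-TOKEN",
    b"xc32038474a",
    b"b49e334d-9c01-463e-9bc5-00a6920fb66e",
    b"YjQ5ZTMzNGQtOWMwMS00NjNlLTliYzUtMDBhNjkyMGZiNjZl",
    b"ej671a16i7fd8202nu6ltfg5p6x7u",
]

# Published SHA256 hashes mapped to the component they identify.
KNOWN_HASHES = {
    "ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7": "web shell help.php",
    "db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136": "credential harvester",
    "c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b": "credential harvester",
    "8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec": "backdoor",
    "51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045": "backdoor",
    "4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b": "dropper",
    "58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86": "dropper",
}

# Web-shell filename from the IOC table; a name match alone is weak evidence,
# so it is reported separately from a hash match.
SUSPECT_NAMES = {"help.php"}

VERSION_DIR = re.compile(r"^redcap_v(\d+)\.(\d+)\.(\d+)$")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def legacy_version_dirs(root: Path) -> list[str]:
    """Every redcap_vX.Y.Z directory except the newest. Old version folders
    that survive an upgrade are what a downgrade probe (T1689) looks for, so
    each name returned here is a directory to delete."""
    found = []
    for entry in root.iterdir():
        m = VERSION_DIR.match(entry.name)
        if entry.is_dir() and m:
            found.append((tuple(int(x) for x in m.groups()), entry.name))
    found.sort()
    return [name for _, name in found[:-1]]


def scan_tree(root: Path) -> list[tuple[str, str]]:
    """Walk the web root and return (relative path, reason) for each hit."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        digest = sha256_file(path)
        if digest in KNOWN_HASHES:
            hits.append((rel, f"sha256 match: {KNOWN_HASHES[digest]}"))
        elif path.name in SUSPECT_NAMES:
            hits.append((rel, f"filename matches published web shell {path.name} (verify hash)"))
        data = path.read_bytes()
        for ind in HOST_INDICATORS:
            if ind in data:
                hits.append((rel, f"indicator string: {ind.decode()}"))
    return hits


def build_sample_tree(root: Path) -> None:
    """Constructed sample install for an offline run; not real malware."""
    (root / "redcap_v14.0.2").mkdir()
    (root / "redcap_v13.7.1" / "Classes").mkdir(parents=True)
    (root / "redcap_v14.0.2" / "index.php").write_bytes(b"<?php // clean file\n")
    # Stand-in for a trojanized Upgrade.php: the two strings are published
    # IOCs, the surrounding PHP is invented for the demo.
    (root / "redcap_v13.7.1" / "Classes" / "Upgrade.php").write_bytes(
        b"<?php /* b49e334d-9c01-463e-9bc5-00a6920fb66e */\n"
        b"$t = $_COOKIE['REDCAP-TOKEN'] ?? null;\n"
    )
    (root / "help.php").write_bytes(b"<?php // constructed stand-in, hash will not match\n")


def run_demo() -> dict:
    """Build the sample tree in a temp dir and return both findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return {"legacy": legacy_version_dirs(root), "hits": scan_tree(root)}


if __name__ == "__main__":
    result = run_demo()
    for name in result["legacy"]:
        print(f"legacy version directory to remove: {name}")
    for rel, reason in result["hits"]:
        print(f"{rel}: {reason}")
```

On a real host, point `legacy_version_dirs` and `scan_tree` at the REDCap web root instead of the constructed tree. The database-side indicator (sessions rows prefixed xc32038474a) is not covered here and needs a query against the REDCap database; a filename-only hit on help.php should be confirmed by hash before it is treated as the published web shell.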
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.