Stealthy Cyber Espionage Hits Medical Research Platform

CSBadmin

The Attack Method

A China-linked espionage group tracked as UNC6508 targeted exposed REDCap servers at a North American medical research organization, gaining undetected access for over a year. Google Threat Intelligence Group (GTIG) reported that the compromise began in September 2023, with attackers probing outdated REDCap versions before deploying a custom malware payload called InfiniteRed three months later. The malware was concealed by trojanizing legitimate system files.

InfiniteRed consists of three components: a persistence module, a credential harvester that captures usernames and passwords from REDCap login pages, and a backdoor that receives commands via HTTP cookies. The backdoor enables attackers to execute shell commands, upload and download files, run SQL queries, and retrieve stolen credentials.

Impact and Scope

Once the attackers gained administrator access, they abused a legitimate content compliance rule feature in the organization's cloud productivity suite to exfiltrate data via email. They created a rule named "Patroit" (sic) that scanned messages for keywords related to medical research, advanced technology, military topics, and geostrategic policy, and automatically BCC'd matching messages to an external email address. No malware is needed for this stage: the exfiltration is carried out by the mail platform itself, on the attacker's behalf, which is why it survives endpoint cleanup. To maintain operational security, the campaign routed its traffic through US-based residential proxies and compromised routers.
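The defensive check a practitioner wants after reading the above is an audit of every mail routing or compliance rule for actions that add a recipient outside the organization's own domains. The following is an added example, not code from the article, from GTIG, or from any mail platform's API; the rule records are a constructed, simplified export format (field names such as `add_bcc`, `forward_to` and `match_keywords` are hypothetical), and the domains and addresses are made up.

```python
"""Audit mail compliance/routing rules for external BCC or forward actions.

Added example. The rule schema below is a hypothetical simplification of an
admin-console export; real platforms use their own field names. Adapt the
three action keys and INTERNAL_DOMAINS to your environment.
"""
from dataclasses import dataclass, field

# Domains the organization owns. Any other domain counts as external.
INTERNAL_DOMAINS = {"example-research.org"}

# Constructed sample rules. The first mimics the pattern described in the
# article: keyword-triggered BCC to an address outside the organization.
SAMPLE_RULES = [
    {
        "name": "Patroit",
        "match_keywords": ["clinical trial", "genome", "hypersonic", "Indo-Pacific"],
        "actions": {"add_bcc": ["collector@external-mail.example"]},
    },
    {
        "name": "Legal hold",
        "match_keywords": ["subpoena"],
        "actions": {"add_bcc": ["legal-archive@example-research.org"]},
    },
    {
        "name": "Reject spam",
        "match_keywords": ["lottery"],
        "actions": {"reject": True},
    },
]

# Action keys that deliver a copy of the message somewhere; a rule using any
# of these with an external target is a data-exfiltration path.
COPYING_ACTIONS = ("add_bcc", "add_cc", "forward_to")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True unless the address is in an internal domain or one of its subdomains.

    The subdomain check uses a leading dot so that a look-alike domain such as
    example-research.org.evil.test is still treated as external.
    """
    d = domain_of(address)
    return not any(d == i or d.endswith("." + i) for i in internal_domains)


def matches_rule(text: str, rule: dict) -> bool:
    """Case-insensitive keyword match, mirroring how a content rule picks messages."""
    lowered = text.lower()
    return any(k.lower() in lowered for k in rule.get("match_keywords", []))


@dataclass
class Finding:
    rule: str
    external_recipients: list = field(default_factory=list)
    keywords: list = field(default_factory=list)


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS) -> list:
    """Return one Finding per rule that copies mail to an external recipient."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        targets = [t for key in COPYING_ACTIONS for t in actions.get(key, [])]
        external = [t for t in targets if is_external(t, internal_domains)]
        if external:
            findings.append(Finding(rule["name"], external, list(rule.get("match_keywords", []))))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"ALERT rule {f.rule!r} copies mail to {f.external_recipients}; "
              f"triggers on {f.keywords}")
```

Run this against a real export on a schedule and alert on any new finding; a rule like the one in the article is quiet by design, so a periodic diff of rule definitions catches what mailbox-level monitoring will not.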

Google notified multiple affected organizations in the U.S. and Canada. GTIG recommends upgrading REDCap to the latest version, removing legacy deployments, enforcing multi-factor authentication on high-privilege accounts, and using device-bound session credentials to prevent session hijacking. YARA rules and indicators of compromise are available to help detect InfiniteRed infections.

Source: https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-redcap-servers-steal-medical-research/
