Skip to content

x-unc6508

UNC6508

🔴 New Intel
State-sponsored Capability: High PRC-nexus (specific sponsoring unit unconfirmed) / China B2
Cut-off: June 21, 2026 · TLP:AMBER

Diamond Model

B2B2B2B2

Adversary

PRC-nexus espionage · Active since Sep 2023

Infrastructure

US-based ORB relay IPs · Gmail BCC exfil · help.php web shell

Victim

N. American academic · medical · military research

Capability

INFINITERED PHP implant · Workspace rule abuse · Downgrade attacks

REDCap Research Espionage

Motive & Objectives

Espionage Defense / national-security IP collection AI & uncrewed-systems R&D theft Cyber-offensive program intelligence Medical research collection

Sector Proximity

  • Higher education / research institutions: Primary REDCap-using target set

  • Defense technology / high-tech startups: DIB, AI, uncrewed-systems R&D core target

  • Government / think tanks: National-defense & Indo-Pacom collection intent

  • Venture capital / investment: Portfolio exposure via defense/AI holdings

  • Global telecommunications: Not an observed target set

Capability Assessment

  • Tooling High
  • Persistence High
  • Attribution evade High
  • Zero-days Low

Malware Lineage

INFINITERED (modular PHP implant) INFINITERED Dropper / Upgrade Interceptor INFINITERED Credential Harvester INFINITERED Backdoor (SQL-capable) help.php (web shell / file uploader)

Key TTPs (MITRE ATT&CK)

Initial Access

T1190 Exploit Public-Facing Application T1190 · Exploit Public-Facing Application Legacy/unpatched externally facing REDCap servers

Persistence

T1505.003 Web Shell T1505.003 · Web Shell `help.php` web shell / file uploader within REDCap T1554 Compromise Host Software Binary T1554 · Compromise Host Software Binary INFINITERED trojanizes REDCap upgrade packages to survive patching

Defense Evasion

T1211 Exploitation for Defense Evasion T1211 · Exploitation for Defense Evasion Forced downgrade to vulnerable REDCap version `[Unverified ID]` T1665 Hide Infrastructure T1665 · Hide Infrastructure Exclusively US-based obfuscation IPs to defeat geo-IP detection `[Unverified ID]`

Credential Access

T1056.003 Web Portal Capture T1056.003 · Web Portal Capture Plaintext credential harvest from login POST requests

Collection

T1114.003 Email Forwarding Rule T1114.003 · Email Forwarding Rule "Patroit" Workspace compliance rule silently BCCs matching mail

Command and Control

T1071.001 Web Protocols T1071.001 · Web Protocols HTTP-based C2 to INFINITERED backdoor (REDCAP-TOKEN cookie)

Exfiltration

T1567 Exfiltration Over Web Service T1567 · Exfiltration Over Web Service Mail routed to attacker-controlled Gmail address

Victimology

  • Defense & military research · National-defense, cyber-offensive, Indo-Pacom-relevant data

  • Academic / research institutions · REDCap-using North American universities

  • Medical & clinical research · Public and private medical community

  • AI & uncrewed-systems programs · Dual-use emerging-technology research

Geographic Focus

North America (United States primary)

Activity Timeline

  1. 2026-06 A2

    GTIG + Mandiant publicly disclose the campaign; affected organizations notified and offered remediation support

    Source: GTIG / Google Cloud blog

  2. 2025-11 B2

    Continued UNC6508 activity observed across victim research networks

    Source: GTIG / Google Cloud blog

  3. 2023–2025 B2

    More than one year of undetected dwell: credential harvesting, lateral movement, and Workspace-rule email exfiltration

    Source: GTIG / Google Cloud blog

  4. 2023-09 B2

    Earliest known compromise via an externally facing REDCap server

    Source: GTIG / Google Cloud blog

Do What (Now What)

  1. 01

    Scan REDCap servers for INFINITERED

    Hunt for the `help.php` web shell, the upgrade-interception GUID delimiter (`b49e334d-9c01-463e-9bc5-00a6920fb66e`), the stolen-credential session prefix (`xc32038474a`), and the C2 cookie `REDCAP-TOKEN`; apply GTIG's published YARA/YARA-L detections.

  2. 02

    Verify upgrade integrity and block downgrades

    Validate REDCap upgrade-package signatures and prevent forced version downgrades to counter INFINITERED's patch-surviving persistence (MITRE T1554).

  3. 03

    Audit Google Workspace mail rules

    Inventory compliance, routing, and BCC rules; flag any rule forwarding to external (Gmail) addresses — review specifically for the "Patroit" rule pattern (MITRE T1114.003).

  4. 04

    Reset REDCap and connected-system credentials

    Assume plaintext capture from login POSTs; rotate credentials for REDCap and any systems reachable from compromised research hosts.

  5. 05

    Hunt behaviorally, not by geo-IP

    Because the actor used US-based relays, prioritize impossible-travel analysis, anomalous service-account use, and unusual administrative-rule changes over country-of-origin login filtering.

Technical Evidence

Type Value First Last Confidence
Email (exfil) BebitaBarefoot774[@]gmail[.]com 2023-09 2025-11 HIGH
Web shell help.php (within REDCap) 2023-09 2025-11 HIGH
Magic string b49e334d-9c01-463e-9bc5-00a6920fb66e (upgrade-interception GUID) 2023-09 2025-11 HIGH
Magic string xc32038474a (stolen-credential session prefix) 2023-09 2025-11 HIGH
Magic string ej671a16i7fd8202nu6ltfg5p6x7u (backdoor file-download flag) 2023-09 2025-11 HIGH
Identifier REDCAP-TOKEN (C2 cookie name) 2023-09 2025-11 HIGH
Config artifact "Patroit" Google Workspace mail-compliance rule (~150-keyword regex) 2023-09 2025-11 HIGH

Full Analysis

Executive Summary

Intelligence Cut-off Date: 21-Jun-2026

UNC6508 is a People’s Republic of China (PRC)-nexus cyber-espionage cluster disclosed by the Google Threat Intelligence Group (GTIG) and Mandiant in June 2026, after the actor spent more than a year undetected inside North American academic, medical, and military research networks [Source: GTIG / Google Cloud blog, Rating: B2]. Its defining tradecraft is the compromise of externally facing REDCap research-database servers, on which it deploys bespoke PHP malware (INFINITERED) that trojanizes REDCap’s own upgrade process to survive patching, harvests plaintext logins, and exfiltrates data by abusing a legitimate Google Workspace mail-compliance rule to silently BCC matching email to an attacker-controlled Gmail address.

Overall Assessment: [Confidence: HIGH] UNC6508 is a patient, well-resourced espionage actor whose collection priorities — defense and national security, Indo-Pacific command operations, artificial intelligence, uncrewed vehicle systems, cyber-offensive programs, and medical research — align tightly with PRC strategic intelligence requirements. The actor’s blend of custom tooling, living-off-legitimate-SaaS exfiltration, and exclusively US-based obfuscation infrastructure makes it a high-evasion threat to the research base. Attribution rests on a single primary vendor with no corroborating government advisory at the cut-off date [Single-source].

Identity and Attribution

UNC6508 is an uncategorized (“UNC”) cluster in Mandiant/GTIG’s naming convention — a tracked activity set not yet graduated to a named, fully-attributed group. No community aliases (Microsoft, CrowdStrike, MITRE G-number) had been assigned at the cut-off date [Data Gap: no cross-vendor aliases published].

GTIG assesses the actor as PRC-nexus based on victimology (collection priorities aligned to PRC strategic interests), tradecraft, and operational patterns [Source: GTIG / Google Cloud blog, Rating: B2]. The specific sponsoring organization — a Ministry of State Security (MSS) or People’s Liberation Army (PLA) unit — was not publicly specified [Data Gap]. Attribution is single-vendor at the cut-off date; no CISA, NSA, or allied government advisory had corroborated the assessment [Single-source].

Motive and Objective

UNC6508’s motive is espionage — collection in service of PRC strategic and military priorities, not financial gain or disruption [Source: GTIG / Google Cloud blog, Rating: B2].

Its stated collection aspirations were broad and explicitly defense-weighted: sensitive defense intelligence related to national security, Indo-Pacific command operations, artificial intelligence, uncrewed (autonomous) vehicle systems, cyber-offensive programs, and medical research [Source: GTIG / Google Cloud blog, Rating: B2]. The “Patroit” mail-compliance rule the actor created used regular expressions matching roughly 150 keywords spanning military strategy, AI research, cyber programs, and medical topics — a direct, machine-readable expression of intent [Source: GTIG via secondary reporting, Rating: C3]. The targeting of the medical-research community appears to be both an end in itself and a means of access to dual-use and defense-adjacent research housed in the same institutions [Inference].

Victimology

UNC6508 targeted institutions in the North American academic, medical, and military research community [Source: GTIG / Google Cloud blog, Rating: B2]. The common technical denominator across victims was the use of REDCap (Research Electronic Data Capture), a web-based platform widely deployed across North American research institutions for building and managing regulatory-compliant research databases and surveys.

Geographic targeting was concentrated in North America, with the United States as the primary focus [Source: GTIG / Google Cloud blog, Rating: B2]. Technology-stack targeting centered on externally facing REDCap servers (initial access and malware host) and Google Workspace (exfiltration via abused mail-compliance rules). The actor’s use of exclusively US-based IP addresses for its obfuscation network indicates a deliberate effort to blend with legitimate domestic access and defeat geo-IP-based anomaly detection [Source: GTIG / Google Cloud blog, Rating: B2]. No specific victim organizations are named in this profile; GTIG and Mandiant notified affected organizations directly.

Sector Proximity Assessment:

  • Global telecommunications: Low — carrier infrastructure is not an observed target set for this actor.
  • Defense technology / high-tech startups: Direct — defense, AI, and uncrewed-systems research is core collection tasking; dual-use research entities sit inside the target aperture.
  • Venture capital / investment: Adjacent — firms are not primary targets, but portfolio companies in defense-tech, AI, and research-adjacent spaces carry exposure.
  • Government / think tanks: Adjacent — national-defense and Indo-Pacific-focused research and policy entities align with the actor’s stated collection intent.
  • Higher education / research institutions: Direct — North American universities and medical-research centers running REDCap are the primary, defining target set.

Capability Assessment

Rating: High [Confidence: HIGH]

UNC6508 demonstrates sustained nation-state tradecraft despite not relying on zero-day exploitation. The evidence supporting the HIGH rating: a bespoke, modular implant (INFINITERED) purpose-built to trojanize a specific research platform; persistence engineered to survive patching by hijacking REDCap’s upgrade mechanism; more than a year of undetected dwell time; a novel exfiltration technique abusing legitimate Google Workspace mail-compliance rules; and meticulous operational security, using exclusively US-based obfuscation IPs to avoid suspicious foreign logins [Source: GTIG / Google Cloud blog, Rating: B2].

The actor’s zero-day capability is assessed Low — initial access was achieved against legacy, unpatched REDCap instances and aided by a downgrade attack, rather than novel exploit development [Source: GTIG via secondary reporting, Rating: C3]. The overall picture is a capable, disciplined espionage operator that prioritizes stealth and persistence over exploit pyrotechnics.

Modus Operandi

Key Campaigns

REDCap research-espionage campaign (Sep 2023 – Nov 2025, disclosed Jun 2026). UNC6508 compromised externally facing REDCap servers at North American research institutions, deployed INFINITERED to harvest credentials, used captured credentials to pivot into internal networks, and abused enterprise administrative tooling for covert, continuous email exfiltration. The campaign remained undetected for more than a year before GTIG and Mandiant identified it [Source: GTIG / Google Cloud blog, Rating: B2]. This is the only campaign attributed to the cluster at the cut-off date.

MITRE ATT&CK TTPs

PhaseTechnique IDTechnique NameNotes
Initial AccessT1190Exploit Public-Facing ApplicationLegacy/unpatched externally facing REDCap servers
Defense EvasionT1211Exploitation for Defense EvasionForced downgrade to vulnerable REDCap version [Unverified ID]
PersistenceT1505.003Web Shellhelp.php web shell / file uploader within REDCap
PersistenceT1554Compromise Host Software BinaryINFINITERED trojanizes REDCap upgrade packages to survive patching
Credential AccessT1056.003Web Portal CapturePlaintext credential harvest from login POST requests
CollectionT1114.003Email Forwarding Rule”Patroit” Workspace compliance rule silently BCCs matching mail
Command and ControlT1071.001Web ProtocolsHTTP-based C2 to INFINITERED backdoor (REDCAP-TOKEN cookie)
ExfiltrationT1567Exfiltration Over Web ServiceMail routed to attacker-controlled Gmail address
Defense EvasionT1665Hide InfrastructureExclusively US-based obfuscation IPs to defeat geo-IP detection [Unverified ID]

Tools and Malware

INFINITERED — Custom modular PHP implant that trojanizes legitimate REDCap system files across three components: a Dropper / Upgrade Interceptor (injects malicious code into new REDCap upgrade packages using a hardcoded GUID delimiter, ensuring persistence across updates), a Credential Harvester (captures plaintext usernames and passwords from POST login requests, encrypts them, and hides them in the legitimate redcap_sessions table under a fixed prefix), and a Backdoor with C2 capability supporting command tags for system-command execution, file upload, harvested-credential retrieval, and raw SQL query execution [Source: GTIG via secondary reporting, Rating: C3].

help.php — A web shell deployed within the REDCap application to maintain persistent access and serve as a file uploader [Source: GTIG via secondary reporting, Rating: C3].

Infrastructure Patterns

UNC6508 operated an obfuscation network composed exclusively of US-based IP addresses, used to reach both victim environments and attacker infrastructure — a deliberate choice to make logins appear domestic and evade geo-IP anomaly detection [Source: GTIG / Google Cloud blog, Rating: B2]. Exfiltration leveraged legitimate Google Workspace functionality (a mail-compliance/BCC rule) rather than dedicated attacker C2, and data was routed to a threat-actor-controlled Gmail account. C2 to the INFINITERED backdoor used web protocols keyed off a REDCAP-TOKEN cookie. Full atomic infrastructure inventory (relay IP ranges, additional C2) is [Data Gap].

Activity Timeline

DateEventSourceRating
2026-06GTIG + Mandiant publicly disclose the campaign; affected organizations notified and offered remediation supportGTIG / Google Cloud blogA2
2025-11Continued UNC6508 activity observed across victim research networksGTIG / Google Cloud blogB2
2023–2025More than one year of undetected dwell: credential harvesting, lateral movement, and Workspace-rule email exfiltrationGTIG / Google Cloud blogB2
2023-09Earliest known compromise via an externally facing REDCap serverGTIG / Google Cloud blogB2

Forecast, Implications, and Recommendations

What Next (Forecast)

[Confidence: MODERATE] Continued targeting of the research base. The collection priorities (defense, AI, uncrewed systems, cyber programs) are durable PRC requirements, and the research-institution attack surface — externally facing, often under-resourced, widely deployed platforms like REDCap — remains attractive.

[Confidence: MODERATE] Tradecraft reuse and adaptation. The “trojanize the application’s own update mechanism” persistence pattern and the “abuse legitimate SaaS admin rules for exfiltration” technique are generalizable beyond REDCap and Workspace; expect the actor (or peers learning from the disclosure) to apply the pattern to other research platforms and enterprise SaaS.

[Confidence: LOW] Possible graduation from UNC to a named group as additional reporting and government corroboration accumulate.

So What (Implications)

This actor targets exactly the dual-use research base that intersects Brandon’s national-security, academic (USNA), and venture (Fulcrum defense-tech/AI) exposure. Long-dwell collection conducted through trusted SaaS features and domestic-looking infrastructure defeats perimeter, geo-IP, and signature-based defenses — the compromise is quiet and the data loss continuous. For research institutions and dual-use startups, the implication is that identity, application integrity, and SaaS administrative configuration — not just network perimeter — are the decisive control surfaces. [Confidence: MODERATE]

Now What (Recommendations)

  1. Scan REDCap servers for INFINITERED — Hunt for the help.php web shell, the upgrade-interception GUID delimiter (b49e334d-9c01-463e-9bc5-00a6920fb66e), the stolen-credential session prefix (xc32038474a), and the C2 cookie REDCAP-TOKEN; apply GTIG’s published YARA/YARA-L detections.
  2. Verify upgrade integrity and block downgrades — Validate REDCap upgrade-package signatures and prevent forced version downgrades to counter INFINITERED’s patch-surviving persistence (MITRE T1554).
  3. Audit Google Workspace mail rules — Inventory compliance, routing, and BCC rules; flag any rule forwarding to external (Gmail) addresses — review specifically for the “Patroit” rule pattern (MITRE T1114.003).
  4. Reset REDCap and connected-system credentials — Assume plaintext capture from login POSTs; rotate credentials for REDCap and any systems reachable from compromised research hosts.
  5. Hunt behaviorally, not by geo-IP — Because the actor used US-based relays, prioritize impossible-travel analysis, anomalous service-account use, and unusual administrative-rule changes over country-of-origin login filtering.

Technical Evidence

TypeValueFirst SeenLast SeenConfidence
Email (exfil)BebitaBarefoot774[@]gmail[.]com2023-092025-11HIGH
Web shellhelp.php (within REDCap)2023-092025-11HIGH
Magic stringb49e334d-9c01-463e-9bc5-00a6920fb66e (upgrade-interception GUID)2023-092025-11HIGH
Magic stringxc32038474a (stolen-credential session prefix)2023-092025-11HIGH
Magic stringej671a16i7fd8202nu6ltfg5p6x7u (backdoor file-download flag)2023-092025-11HIGH
IdentifierREDCAP-TOKEN (C2 cookie name)2023-092025-11HIGH
Config artifact”Patroit” Google Workspace mail-compliance rule (~150-keyword regex)2023-092025-11HIGH

[Note: Atomic network IOCs (relay IP ranges, additional C2 domains) are not comprehensively disclosed in public reporting; consult GTIG's published indicator set and YARA-L rules for the authoritative, current list.]

References

  1. Google Threat Intelligence Group — “Public and Private Medical Community Targeted by China-Nexus Threat Actor Pursuing Artificial Intelligence, Cyber, Medical, and National Defense Research.” https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-researchRating: B2
  2. Mandiant Consulting (incident response and remediation, via GTIG reporting). No standalone public link. — Rating: B2
  3. CyberScoop — “Google exposes China espionage group that’s been lurking in networks undetected since 2023.” https://cyberscoop.com/google-unc6508-china-espionage-threat/Rating: C3
  4. Help Net Security — “Chinese hackers breached North American research institutions via REDCap servers.” https://www.helpnetsecurity.com/2026/06/15/chinese-hackers-redcap-medical-research-institutions-breach/Rating: C3
  5. Dark Reading — “China-Nexus Actor Spies on US Researchers Undetected for a Year.” https://www.darkreading.com/threat-intelligence/china-nexus-actor-us-researchers-undetectedRating: C3
  6. SecurityAffairs — “China-linked actor UNC6508 spent two years inside medical research networks.” https://securityaffairs.com/193667/apt/china-linked-actor-unc6508-spent-two-years-inside-medical-research-networks.htmlRating: C3
  7. GBHackers — “PRC-Nexus Hackers Abuse REDCap Servers to Monitor US Medical Research Organizations.” https://gbhackers.com/prc-nexus-hackers-abuse-redcap-servers/Rating: C3

Source: PDB Threat Actor Registry · Profile v1

Brandon writes the profiles personally. See /work for the operator background →