Google's Threat Intelligence Group has been tracking a China-linked cyberespionage group, designated UNC6508, since early 2025. The group recently breached REDCap servers—a widely used platform for clinical research—by exploiting exposed instances to deploy a novel backdoor called InfiniteRed.
The campaign targeted a medical institution in North America, stealing sensitive medical research data. While the full scope remains unclear, the attack underscores a growing focus on stealing intellectual property related to healthcare and biotechnology.
InfiniteRed establishes persistent access through encrypted communication channels, allowing the attackers to exfiltrate data over an extended period. Indicators of compromise include unusual outbound connections to unfamiliar IP addresses and changes to REDCap configuration files.
No patch or official mitigation has yet been released for the vulnerability affecting exposed servers. Organizations using REDCap are advised to restrict access to the platform, implement network segmentation, and monitor for anomalous database queries or file transfers.
Attribution to UNC6508 highlights Chinese state-sponsored actors' continued targeting of medical and research institutions. This breach adds to a broader pattern of espionage campaigns aimed at acquiring competitive advantages in biotechnology and pharmaceuticals.