Chinese hackers abused Google Workspace compliance rules to siphon medical and defense research emails
A Chinese espionage group compromised REDCap research servers at US and Canadian medical, academic, and military institutions, then abused Google Workspace's content compliance rules to silently forward matching emails to an external inbox.
China-linked espionage group UNC6508 spent more than a year inside North American medical, academic, and military research networks, using a legitimate Google Workspace feature to steal sensitive data and defense email, according to a report by Google Threat Intelligence published this week.
The group compromised externally facing REDCap (Research Electronic Data Capture) servers starting in September 2023, with activity continuing through November 2025. Google says the earliest known compromise involved versions of REDCap that were old or vulnerable, though the company did not name a specific CVE or initial access vector.
Custom malware and lateral movement into domain admin
After initial access, UNC6508 deployed a custom backdoor that Google tracks as INFINITERED. The malware trojanises REDCap system files, hijacks the upgrade process so each new version of REDCap reinjects the code, harvests login credentials from the login page, and responds to commands embedded in HTTP cookies. From the compromised REDCap server, the group conducted internal reconnaissance, stole database and service account credentials, and eventually gained domain administrator privileges.
Key technical details from the report include:
- INFINITERED encrypts stolen credentials and stores them in local REDCap database tables, surviving software updates.
- The group abused Google Workspace content compliance rules, a domain-level email scanning feature, to match nearly 150 keywords and email addresses.
- When a message matched, Workspace silently BCC'd a copy to an attacker-controlled Gmail address, leaving no extra malware on the mail server.
- The rule was named “Patroit”, a deliberate misspelling of “Patriot” meant to avoid drawing administrators' attention.
- Google disabled the attacker's Gmail account after identifying the campaign.
Keyword targets and implications for security monitoring
The keyword list UNC6508 used covered geo-strategic policy, military strategy, advanced technology including artificial intelligence and uncrewed vehicles, offensive cyber programs, medical research, and the term chikungunya, a mosquito-borne virus that caused a major outbreak in China's Guangdong province in 2025. Google says the technique is novel for a China-linked actor. While MITRE catalogues email forwarding rule abuse as T1114.003, using domain-level content compliance rules for exfiltration had not been previously documented from this threat cluster.
The abuse exploits a blind spot in standard monitoring: since the email copying is performed by a legitimate system feature operating as designed, it generates no unusual network traffic or server-side anomalies. Google recommends organizations patch externally facing REDCap servers, remove legacy versions that enable downgrade attacks, and audit domain-level Workspace rules for unexpected forwarding patterns. The group's infrastructure has been disrupted, but Google notes that similar techniques could be reused by other actors targeting research and government networks.
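One way to carry out the rule audit Google recommends, as an added example that is not from the report or from Google's own tooling: Google publishes no API for content compliance rules, so the script assumes an administrator has transcribed the rules from the Admin console into the dict layout shown (the field names `name`, `scope`, `match_expressions`, `action` and `add_recipients`, the organisation domain and the sample rules are all constructed).

```python
# Added example: audit an export of Workspace content compliance rules for the
# pattern described above. The dict layout and all sample values are constructed;
# Google exposes no API for these rules, so an admin fills SAMPLE_RULES by hand.
from dataclasses import dataclass

INTERNAL_DOMAINS = {"research.example.edu"}  # constructed: the org's own domains
CONSUMER_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}  # assumption


@dataclass(frozen=True)
class Finding:
    rule: str
    reason: str


def external_recipients(rule: dict, internal=INTERNAL_DOMAINS) -> list[str]:
    """Addresses the rule adds as extra recipients (BCC/forward) outside the org."""
    return [a for a in rule.get("add_recipients", [])
            if a.rsplit("@", 1)[-1].lower() not in internal]


def audit_rules(rules: list[dict], internal=INTERNAL_DOMAINS,
                keyword_threshold: int = 50) -> list[Finding]:
    """Flag rules that quietly copy matching mail to an outside mailbox."""
    findings = []
    for r in rules:
        ext = external_recipients(r, internal)
        if not ext:
            continue  # rules that only quarantine/reject/route internally are out of scope
        findings.append(Finding(r["name"], f"adds external recipient(s): {', '.join(ext)}"))
        if any(a.rsplit("@", 1)[-1].lower() in CONSUMER_MAIL for a in ext):
            findings.append(Finding(r["name"], "external recipient is a consumer webmail address"))
        n = len(r.get("match_expressions", []))
        if n >= keyword_threshold:
            findings.append(Finding(r["name"], f"broad match list ({n} expressions)"))
    return findings


# Constructed sample export: one ordinary DLP rule and one rule shaped like the campaign.
SAMPLE_RULES = [
    {"name": "PHI outbound quarantine", "scope": "outbound",
     "match_expressions": ["SSN", "MRN"], "action": "quarantine",
     "add_recipients": ["compliance@research.example.edu"]},
    {"name": "Patroit", "scope": "inbound_and_outbound",
     "match_expressions": [f"keyword{i}" for i in range(150)], "action": "deliver",
     "add_recipients": ["constructed-attacker@gmail.com"]},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.rule}] {f.reason}")
```

Running it prints three findings, all against the constructed "Patroit" rule, and nothing for the legitimate quarantine rule whose extra recipient stays inside the organisation.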
Fact check
- UNC6508 compromised REDCap servers starting in September 2023 with activity through November 2025. (verified)
- The group used Google Workspace content compliance rules with nearly 150 keywords to silently BCC emails to an attacker-controlled Gmail address. (verified)
- Google Threat Intelligence published the report in June 2026. (verified)
- The malware used by UNC6508 is tracked by Google as INFINITERED and trojanises REDCap system files to persist through upgrades. (verified)
- The keyword list included the term chikungunya, referencing a 2025 outbreak in China's Guangdong province. (reported)
Source reporting (3)
- The Next Web · A built-in Google Workspace feature became a Chinese espionage group’s favourite exfiltration tool
- The Hacker News · Chinese Hackers Abused Google Workspace Rules to Steal Research and Defense Emails
- CyberScoop · Google exposes China espionage group that’s been lurking in networks undetected since 2023