News Article · Jun 15, 2026 at 7:40 PM
Chinese Hackers Stole Medical Research Data in Year-Long Campaign Targeting North America
Security #Chinese hackers #cyberespionage #UNC6508 #REDCap #InfiniteRed #medical research #Google Threat Intelligence

Google's Threat Intelligence Group has uncovered UNC6508, a Chinese-linked espionage group that compromised REDCap clinical trial servers at North American medical and military research institutions, deploying custom malware and exfiltrating sensitive data for more than a year.

Google’s Threat Intelligence Group (GTIG) has identified a sustained cyber espionage campaign targeting North American medical, academic and military research organizations. The group, tracked as UNC6508 and attributed to the Chinese government, has been active since at least 2023 and remained undetected inside victim networks for more than a year.

The attackers focused on institutions using REDCap, a web platform for building and managing clinical research databases. GTIG reported that the hackers targeted servers hosting REDCap at major clinical providers, premier academic centers, military health institutions and health regulatory bodies across the US and Canada.

Custom Malware InfiniteRed Used for Data Theft

In one intrusion investigated by Google, the attackers deployed a custom malware payload named InfiniteRed three months after gaining initial access. InfiniteRed combines dropper, upgrade interception, credential harvesting, backdoor and command-and-control (C2) capabilities, according to Google’s analysis. The malware was found on systems at multiple victim organizations.

  • Attackers abused a feature called content compliance rules in email systems to exfiltrate messages on specific topics.
  • Targeted research areas included molecular discovery, clinical drug trials, state-level public health policy and military readiness.
  • Beyond medical data, the group sought intelligence on national security, AI, drones, cyber offensive research, defense technology, naval assets and military command units.

Google researchers said it is unclear how the attackers initially compromised the REDCap servers, but the evidence suggests they may have targeted vulnerable legacy versions of the platform. The group used obfuscation networks, bulk-sourced accounts and legitimate credentials to hide its activity.

Implications for Research Sector Security

The campaign underscores the vulnerability of medical research infrastructure to state-sponsored espionage. REDCap is widely used in clinical trials and public health research, making it a high-value target for groups seeking intellectual property and sensitive personal health data. The attack is the latest in a series targeting North American research institutions.

Google said it has disrupted the threat actor’s infrastructure and notified identified victims. The company released technical indicators of compromise to help defenders detect similar activity. GTIG first named UNC6508 as a tracked group in February 2025 and has now provided a full campaign analysis. Organizations running REDCap should audit their deployments for unpatched versions and monitor for unusual email compliance rules or login activity.
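One way to act on that audit advice, as an added example that is not from the article or from GTIG: a small Python check over an exported list of e-mail content compliance rules that flags any rule copying keyword-matched mail to an address outside the organisation. The rule schema, the internal domain and the sample rules are constructed assumptions; a real export from your mail platform must be mapped onto this shape first.

```python
# Added example (not from the article or GTIG): audit exported e-mail content
# compliance rules and flag those that could act as a topic-keyed exfiltration
# channel. The rule schema below is hypothetical; map your platform's export
# onto it before use.
import json

INTERNAL_DOMAINS = {"research.example.edu"}  # assumption: the organisation's own domain(s)

# Constructed sample export: one ordinary routing rule and one suspicious rule
# that matches research-topic keywords and silently adds an external recipient.
SAMPLE_RULES = json.dumps([
    {"name": "Archive HR mail",
     "match": {"keywords": ["payroll"]},
     "actions": {"add_recipients": ["hr-archive@research.example.edu"]},
     "modified_by": "mailadmin@research.example.edu"},
    {"name": "Compliance review",
     "match": {"keywords": ["clinical trial", "drone", "naval"]},
     "actions": {"add_recipients": ["review@mail-relay.example.net"], "bcc": True},
     "modified_by": "svc-backup@research.example.edu"},
])


def external_recipients(rule):
    """Return the recipients a rule adds whose domain is not one of ours."""
    added = rule.get("actions", {}).get("add_recipients", [])
    return [r for r in added
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def audit_rules(export_json):
    """Flag rules that copy keyword-matched mail to an external address.

    Each finding records the keywords (the 'topics' being harvested), the
    external destinations, whether the copy is silent (BCC) and who last
    changed the rule, which is what an analyst needs to triage it.
    """
    findings = []
    for rule in json.loads(export_json):
        ext = external_recipients(rule)
        keywords = rule.get("match", {}).get("keywords", [])
        if ext and keywords:
            findings.append({
                "rule": rule["name"],
                "keywords": keywords,
                "external": ext,
                "silent": bool(rule.get("actions", {}).get("bcc")),
                "modified_by": rule.get("modified_by"),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Rules that add only internal recipients, or that add an external recipient without any keyword condition, are deliberately left out so the output stays focused on the pattern the article describes.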

Fact check

  • UNC6508 has been tracked by Google's Threat Intelligence Group since early 2025 (verified)
  • UNC6508 targeted REDCap servers at North American medical institutions, including military health organizations (reported)
  • InfiniteRed malware provides dropper, credential harvesting, backdoor and C2 capabilities (reported)
  • Attackers abused content compliance rules to exfiltrate emails on specific topics (reported)
