<h1>China-linked hackers target US, Canada research using legacy REDCap exploits</h1>
<p>Published 2026-06-16 at <a href="https://cybersecurityinfocus.com/?p=8506">cybersecurityinfocus.com</a>.</p>
<p>Google is warning of a cyber espionage campaign linked to a China-nexus threat actor, UNC6508, that kept close tabs on valuable US and Canadian research environments for over a year.</p>
<p>The campaign abused REDCap, a widely adopted platform for collecting and managing research data. The attackers, whose operations have since been disrupted, intercepted REDCap’s upgrade process to inject malware that persists across upgrades.</p>
<p>According to Google’s Threat Intelligence Group (GTIG), the campaign was particularly interested in academic institutions, medical research centers, healthcare providers, military health networks, and defense-focused research programs.</p>
<p>Google said UNC6508 had historically infected legacy REDCap versions, and the observed campaign built on that initial compromise to push code into current installations for persistence.</p>
<p>“GTIG was not able to confirm how UNC6508 initially gained access to the REDCap server,” GTIG researchers said in a blog <a href="https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research" target="_blank" rel="noopener">post</a>. “By design, REDCap allows administrators to continue running legacy software side-by-side with the current version. UNC6508 was observed probing for these vulnerable legacy versions on several target organizations’ REDCap systems.”</p>
<p>The state-sponsored group was after a wide range of sensitive research and defense-related information, spanning national security, AI, cyber operations, and medical research.</p>
<h2 class="wp-block-heading">Research platform became the front door</h2>
<p>Beyond persistence, the campaign supported credential discovery, internal reconnaissance, and post-compromise operations.</p>
<p>UNC6508 used a payload tracked as INFINITERED, a modular malware designed to trojanize legitimate REDCap system files. The malware has three components: a dropper and upgrade-interception module, a credential harvester, and a backdoor with command and control (C2).</p>
<p>The upgrade-interception module reads a legacy REDCap version that is still accessible on the current deployment and was already infected with malicious logic through the unknown initial access, extracts that malicious logic, and injects it into the upgrade system file, so the implant is carried forward each time the application is upgraded.</p>
<p>In parallel, the other two modules inject credential-harvester code into the authentication system file and backdoor code into the custom hooks configuration file, respectively.</p>
<p>“Upon establishing a foothold on the REDCap server, UNC6508 performed internal reconnaissance and credential discovery to obtain database and service account credentials,” GTIG researchers said in the blog post. “The threat actor also deployed a web shell named ‘help.php’, which maintained persistence and functioned as an uploader in the REDCap application.”</p>
<p>The backdoor supports a range of remote commands that let operators manage files, execute shell commands, gather system information, and maintain control over compromised REDCap servers, giving UNC6508 a full post-compromise toolkit.</p>
<p>REDCap’s maintainers did not respond to CSO’s request for comment.</p>
<h2 class="wp-block-heading">Hunting for and removing INFINITERED</h2>
<p>Because INFINITERED embeds itself into REDCap’s upgrade workflow and modifies legitimate application files, organizations are encouraged to inspect REDCap environments for unauthorized file modifications, unexpected web shells, and signs of credential-harvesting activity, using the YARA rule GTIG provided.</p>
<p>Google also recommends upgrading vulnerable REDCap deployments, reviewing legacy versions that remain accessible alongside current installations, and validating the integrity of application files before and after upgrades. One caveat follows directly from how the implant works: because the upgrade-interception module sources its code from legacy copies already on the server, an integrity check that compares against files on the same host may be comparing against trojanized copies, so the reference hashes should come from a known-good release obtained from outside the server. Google also recommended enforcing phishing-resistant 2-step <a href="https://www.csoonline.com/article/4100393/hybrid-2fa-phishing-kits-are-making-attacks-harder-to-detect.html">verification</a>, device-bound session credentials, and relevant <a href="https://www.csoonline.com/article/569559/what-is-dlp-how-data-loss-prevention-software-works-and-why-you-need-it.html">DLP</a> rules for tighter controls.</p>
<p>Google said it notified several organizations across the US and Canada that it believes were compromised with INFINITERED, and offered remediation assistance.</p>
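<p>The hunting guidance above amounts to a baseline-and-diff integrity check of the REDCap file tree, with extra attention to three things the article describes: modified application files (the authentication, hooks and upgrade files INFINITERED trojanizes), new executable files dropped into the webroot (the ‘help.php’ uploader), and any change inside a legacy version directory that should be frozen. The script below is an added example of that check written for this page; it is not code from GTIG or the REDCap project, it is not the GTIG YARA rule, and every directory and file name in it (<code>current/</code>, <code>legacy_v1/</code>, <code>auth.php</code>, <code>hooks.php</code>, <code>upgrade.php</code>) is constructed for the demo rather than a real REDCap path. It is in Python rather than PHP because a defender runs it from outside the application, and the constructed tampering it simulates is just appended comment lines, not real implant code.</p>

```python
"""Baseline-and-diff integrity check for a PHP application tree such as a REDCap webroot.

Added example for this page; not code from GTIG, Google, or the REDCap project, and not
the GTIG YARA rule. Every directory and file name below is constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions the web server would execute if a file were dropped into the webroot. A new
# file with one of these, like the 'help.php' uploader in the article, is the first thing
# to look at. (Assumed list; extend it to match the server's handler configuration.)
EXECUTABLE_SUFFIXES = (".php", ".phtml", ".phar")


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Compare two hash maps; return sorted lists of added, removed and modified paths."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def triage(diff: dict, frozen_dirs: tuple = ()) -> list:
    """Turn a diff into (severity, message) findings.

    frozen_dirs are top-level directories that must not change at all once baselined,
    e.g. the legacy REDCap version directories that sit beside the current version.
    """
    findings = []
    for p in diff["added"]:
        if p.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(("high", f"new executable file in webroot (possible web shell): {p}"))
        else:
            findings.append(("low", f"new file: {p}"))
    for p in diff["modified"]:
        findings.append(("high", f"application file changed since baseline: {p}"))
    for p in diff["added"] + diff["modified"]:
        if any(p.startswith(d.rstrip("/") + "/") for d in frozen_dirs):
            findings.append(("high", f"change inside a legacy version directory that should be frozen: {p}"))
    for p in diff["removed"]:
        findings.append(("medium", f"file removed since baseline: {p}"))
    return findings


def run_demo() -> list:
    """Build a constructed webroot, baseline it, simulate tampering, and triage the diff.

    The layout (a current version beside a legacy one) mirrors the side-by-side deployment
    the article describes; the file names are invented for the example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = {
            "current/auth.php": "<?php // login handler\n",
            "current/hooks.php": "<?php // custom hooks configuration\n",
            "current/upgrade.php": "<?php // upgrade routine\n",
            "legacy_v1/auth.php": "<?php // old login handler\n",
        }
        for rel, body in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        # In production, take this baseline from a known-good release copy and store it
        # off-host; a baseline taken from an already-compromised server proves nothing.
        baseline = hash_tree(root)

        # Constructed post-compromise state: an appended block in the auth file, a dropped
        # uploader script in the webroot, and a modified file inside the legacy tree.
        (root / "current/auth.php").write_text(clean["current/auth.php"] + "// injected block\n")
        (root / "current/help.php").write_text("<?php // dropped uploader\n")
        (root / "legacy_v1/auth.php").write_text(clean["legacy_v1/auth.php"] + "// injected block\n")

        return triage(diff_baseline(baseline, hash_tree(root)), frozen_dirs=("legacy_v1",))


if __name__ == "__main__":
    for severity, message in run_demo():
        print(f"[{severity}] {message}")
```

<p>Run against a real deployment, <code>hash_tree</code> would be pointed at the webroot and the baseline loaded from storage rather than recomputed; the legacy version directories go in <code>frozen_dirs</code> so that any write there is flagged regardless of content, which is the condition the article’s upgrade-interception behaviour would trigger. The hash comparison is deliberately content-agnostic: it catches a trojanized authentication or hooks file without needing a signature for the implant, which is what the YARA rule is for.</p>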