Skip to content

Chinese Hackers Breach REDCap Servers, Stealing Sensitive Medical Research Data

A sophisticated China-linked espionage campaign has been uncovered, targeting exposed REDCap servers to deploy the InfiniteRed malware and steal sensitive medical research data from a North American institution. The attacks were carried out by a threat actor tracked as UNC6508, who remained undetected for over a year in the victim network.

The REDCap platform is widely used in medical and scientific research to build and manage databases and surveys that comply with regulations for medical and scientific research. Although the researchers couldn’t determine the exact initial compromise vector, they observed UNC6508 probing older, vulnerable versions of REDCap. Based on the investigation, the compromise of the medical research organization occurred in September 2023, and the malicious activity continued for more than a year through November 2025.

GTIG says that three months after the initial compromise, the attackers deployed the ‘Infinitered’ custom malware designed specifically for REDCap systems. The Infinitered malware consists of three components: a persistence/update module, a credential harvester, and a backdoor. The login harvester captures usernames and passwords submitted through REDCap login pages, then encrypts and stores them in local REDCap database tables for future retrieval.

The backdoor, which receives commands via HTTP cookies, provides UNC6508 with the following abilities:

* Persistence: allowing the malware to remain on the system even after a reboot or update

* Credential harvesting: capturing usernames and passwords submitted through REDCap login pages

* Backdoor functionality: providing UNC6508 with remote access to the compromised system

One notable technique in the campaign, and new for China-linked threat actors, is the use of the legitimate ‘content compliance rules’ feature that is present in cloud-based enterprise productivity tools, to exfiltrate data over email. After gaining administrator access, UNC6508 created a content compliance rule named “Patroit,” which scans the organization for specific keywords, content patterns, email addresses, and phone numbers.

Any matches are then automatically sent as a blind carbon copy (BCC) to ‘BebitaBarefoot774@gmail.com,’ now disabled by Google. The keywords used to look for data of value relate to medical research, advanced technology, military topics, and geo-strategic policy.

GTIG observed a high level of operational security across this campaign, including the use of US-based residential proxy infrastructure, compromised routers, VPS, credential replay, and dedicated infrastructure for data exfiltration. Google notified multiple organizations in the U.S. and Canada that were compromised with the InfiniteRed malware.

The research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness. REDCap administrators are recommended to upgrade their instances to the latest available versions and remove legacy deployments. Google also advises using MFA/2SV on high-privilege accounts and Device Bound Session Credentials (DBSC) to prevent session hijacking.

YARA rules and indicators of compromise (IoCs) are present in the report to help scan environments for Infinitered malware infections.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *