A China-linked cyberespionage group has been stealing data from medical, academic and military research organizations across North America since at least 2023, according to new findings from Google’s Threat Intelligence Group (GTIG).
The group, identified by Google as UNC6508 repeatedly targeted externally facing REDCap servers, a widely used platform for managing clinical research databases and surveys.
“These organizations comprise world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies,” Google’s researchers explained. “Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness.”
Researchers said the threat group breached a medical research university in September 2023, stole credentials and communications, and remained active on the institution’s systems through November 2025, when it was discovered.
GTIG said the group deployed custom malware known as InfiniteRed, described as a toolset that provides dropper, upgrade interception, credential harvesting, backdoor and command-and-control capabilities.
“GTIG discovered multiple organizations across the U.S. and Canada compromised with InfiniteRed,” Google said. “All of these organizations were promptly notified of the compromise upon detection and offered our assistance with remediation.”
Researchers also found that the hackers abused legitimate administrative features to extract sensitive communications, including email content tied to specific topics. The targeting extended beyond medical research into defense and emerging technology sectors.
Luke McNamara, deputy chief analyst at GTIG said the intruders used highly specific search terms while hunting for intelligence.
“We have defense-related activity, which was a significant bulk of the different terms, or emails related to defense platform systems or companies,” McNamara told The Register. “Some of those were looking for any emails that were coming in or going out that used @ and then a big defense name. Others were specific email addresses of individuals at more niche defense companies.”
McNamara added that the hackers also searched for niche medical and biological topics, including the mosquito-borne disease chikungunya.
“We don’t know the full extent or impact of the campaign,” Patrick Whitsell, senior security engineer at GTIG, told CyberScoop. “Given the breadth of the threat actor’s intelligence collection criteria and their ability to remain undetected within compromised networks for more than a year, we assess the known victims likely represent only a fraction of a larger campaign.”
GTIG recommends a layered defense approach to reduce risk from the threat. Key measures include enforcing phishing-resistant two-factor authentication for admin accounts and using advanced protection for high-risk users.
On the data protection side, GTIG said organizations should implement data loss prevention rules, review compliance and admin logs regularly, and integrate security logs into SIEM platforms for centralized detection and response. Password leak detection tools are also recommended to identify compromised credentials.
