Google Threat Intelligence Group (GTIG) warns that Chinese hackers targeted North American research facilities in the cyber, artificial intelligence, medicine, and defense sectors.
GTIG attributed the hacking campaign to a relatively new advanced persistent threat actor (APT), UNC6508, linked to the People’s Republic of China. GTIG detected the cyber espionage campaign in September 2023, when the China-Nexus group exploited a university’s externally-facing web application.
Chinese hackers target research facilities via REDCap web application
According to GTIG, Chinese hackers compromised publicly accessible web applications, deployed malware, pivoted to internal systems, and abused enterprise administrative tools to exfiltrate data, remaining undetected for over a year.
Between September 2023 and November 2025, Chinese hackers linked to UNC6508 exploited Research Electronic Data Capture (REDCap) servers and deployed INFINITERED malware to steal login credentials. The threat actor also deployed a web shell, ‘help.php’, for persistence; it doubled as a REDCap uploader.
REDCap is a web application used by research facilities and non-profit organizations to manage online surveys and databases. INFINITERED hooks into system files and carries a backdoor that executes on every REDCap page load.
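Both artifacts described above, a dropped uploader script and a hook into existing application files, change the contents of the web root. The following is an added example, not code from GTIG or the REDCap project: it records a SHA-256 manifest of a known-good PHP web root and later diffs it, surfacing new or modified server-side code. The directory layout and file contents are constructed for the demonstration (the name help.php mirrors the report; nothing else is a real sample).

```python
"""Baseline-and-diff integrity check for a PHP web application root.

Added example; not GTIG's or REDCap's code. Paths and file contents are
constructed. Real deployments differ, so treat the layout as an assumption.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests and single out server-side code that appeared or changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    # New PHP under a data/upload directory is the classic web-shell signal;
    # a modified core file is how a hook into existing application code shows up.
    suspicious = [p for p in added + modified
                  if p.lower().endswith((".php", ".phtml"))]
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious_php": suspicious}


def demo() -> dict:
    """Constructed scenario: clean baseline, then a dropped script and a hooked file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'app'; ?>\n")
        (root / "lib").mkdir()
        (root / "lib" / "init.php").write_text("<?php // init ?>\n")
        (root / "uploads").mkdir()
        (root / "uploads" / "survey.csv").write_text("id,answer\n")
        baseline = build_manifest(root)

        # Simulated post-compromise state (constructed, not real malware samples):
        # a PHP file appears in the upload directory, a core file gains extra code,
        # and an ordinary data file is added as a benign control.
        (root / "uploads" / "help.php").write_text("<?php /* unexpected */ ?>\n")
        (root / "lib" / "init.php").write_text("<?php // init\n// appended ?>\n")
        (root / "uploads" / "data.csv").write_text("x\n")
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline manifest is generated right after a clean install or patch and stored off the host, and the diff is run on a schedule; a writable upload directory should never gain a file that the interpreter will execute.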
After gaining access, the China-Nexus group used the stolen credentials to breach the internal networks of the affected research facilities.
“More than a year after the initial compromise, UNC6508 used overlapping credentials, harvested from REDCap, to access an administrator account,” GTIG stated.
In some cases, Chinese hackers used a rule that matched emails against a list of at least 150 keywords and BCC-forwarded the matches to threat-actor-controlled Gmail accounts. The keywords included email addresses and phone numbers of targeted individuals. The China-Nexus actor leveraged content compliance rules, a feature found in many enterprise applications, to exfiltrate email communications.
“Specifically, UNC6508 created a compliance rule named “Patroit” [sic] that used regular expressions to match on keyword and email address patterns in sent or received emails,” GTIG stated.
GTIG found that the suspected Chinese hackers had broad objectives, including collecting information related to national security intelligence, autonomous vehicles, Indo-Pacific military strategy, medical research, and cyber offensive programs.
“Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness. They employ thousands of people with a combined research budget in the billions of dollars,” GTIG stated.
Meanwhile, GTIG and Mandiant have disrupted the cyber infrastructure used by the Chinese hackers, notified the affected research facilities, and offered remediation assistance. They also shared indicators of compromise (IOCs) to help network defenders protect their organizations.
“GTIG discovered multiple organizations across the US and Canada compromised with INFINITERED. All of these organizations were promptly notified of the compromise upon detection and offered our assistance with remediation,” the threat intelligence firm stated.
While Google could not determine how the Chinese hackers gained initial access, it found them probing for legacy REDCap versions. In 2023, REDCap issued security fixes for various software vulnerabilities, suggesting that the exploited instances had not been patched. Google has also not named the affected research facilities.
“This campaign reflects a growing trend where nation-state actors target research institutions because they often hold the same strategic information as defense contractors but typically operate with fewer security controls,” said Ensar Seker, CISO at SOCRadar. “Universities, medical research centers, and AI labs have become high-value intelligence targets due to their work on emerging technologies, defense-related research, and scientific innovation.”
According to Seker, the threat actor prioritized stealth and persistence over disruption to remain undetected for over a year.
“Organizations should assume that sophisticated threat actors are willing to invest years, not days or weeks, to achieve intelligence objectives. Traditional perimeter-focused security is no longer sufficient against these adversaries,” Seker added.
Protecting research facilities from Chinese hackers
GTIG and partner organizations recommended securing administrator accounts and third-party vendors with phishing-resistant 2-step verification (2SV).
They also recommended protecting highly sensitive accounts against cookie theft and session hijacking, monitoring audit logs, enforcing data loss prevention rules, auditing compliance rules, protecting passwords, patching REDCap, and detecting the presence of INFINITERED using YARA rules and the listed indicators of compromise.
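The exfiltration technique described earlier (a compliance rule with regex matches on keywords and email addresses, BCC-forwarding hits to external Gmail accounts) and the recommendation here to audit compliance rules point at the same check. The following is an added example, not GTIG's tooling or any admin-console API: it walks a simplified export of mail compliance rules and flags the shape the report describes. The rule schema, the organization's domain and the recipient addresses are constructed assumptions; only the rule name "Patroit" comes from the report.

```python
"""Audit mail compliance/routing rules for exfiltration-style configurations.

Added example; not GTIG's code and not a real vendor export format. Field
names (name, match.patterns, actions[].type/recipients) are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ORG_DOMAINS = {"example-research.edu"}                  # constructed
CONSUMER_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
LONG_LIST = 50            # keyword lists this long rarely serve a real policy
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


@dataclass
class Finding:
    rule: str
    severity: str
    reason: str


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def audit_rules(rules: list[dict]) -> list[Finding]:
    """Return one Finding per suspicious property of each rule."""
    findings: list[Finding] = []
    for r in rules:
        name = r.get("name", "<unnamed>")

        # 1. Copies of matching mail leaving the organization, worst when the
        #    destination is consumer webmail rather than a business partner.
        external = []
        for act in r.get("actions", []):
            if act.get("type") not in {"bcc", "forward"}:
                continue
            external += [a for a in act.get("recipients", [])
                         if _domain(a) not in ORG_DOMAINS]
        if external:
            sev = "high" if any(_domain(a) in CONSUMER_WEBMAIL for a in external) else "medium"
            findings.append(Finding(name, sev,
                "copies matching mail outside the organization: " + ", ".join(external)))

        # 2. An unusually long match list is collection, not compliance.
        patterns = r.get("match", {}).get("patterns", [])
        if len(patterns) >= LONG_LIST:
            findings.append(Finding(name, "medium",
                f"matches on {len(patterns)} patterns (threshold {LONG_LIST})"))

        # 3. Patterns that are individual email addresses or phone numbers
        #    target people rather than content categories.
        personal = [p for p in patterns if "@" in p or PHONE_RE.search(p)]
        if personal:
            findings.append(Finding(name, "medium",
                f"{len(personal)} pattern(s) look like personal email addresses or phone numbers"))
    return findings


# Constructed export: one legitimate archival rule and one exfiltration rule.
SAMPLE_RULES = [
    {"name": "Archive outbound contracts",
     "match": {"scope": ["sent"], "patterns": ["contract", "NDA"]},
     "actions": [{"type": "bcc", "recipients": ["archive@example-research.edu"]}]},
    {"name": "Patroit",   # name from the report; all other values constructed
     "match": {"scope": ["sent", "received"],
               "patterns": [f"project{i:03d}" for i in range(148)]
                           + ["alice.lee@example-research.edu", "+1 555 0100"]},
     "actions": [{"type": "bcc", "recipients": ["external.collector@gmail.com"]}]},
]


def run_demo() -> list[Finding]:
    return audit_rules(SAMPLE_RULES)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.severity}] {f.rule}: {f.reason}")
```

The value of the check is in running it against the real rule export on a schedule and alerting on any new finding, since the report's rule sat unnoticed among ordinary compliance policies; pairing it with audit-log monitoring for rule creation by administrator accounts closes the gap between creation and first exfiltration.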
“Research institutions should focus on continuous threat hunting, privileged access monitoring, identity security, and protection of intellectual property. The challenge is not simply preventing initial access but detecting subtle, long-term activity that blends into normal research and collaboration workflows,” Seker concluded.

