The attackers, tracked as “UNC6508,” did not write new malware to steal emails. They created an administrator rule inside Google Workspace, named it “Patroit” — misspelling the word — and let the platform silently forward every matching email to a Gmail address they controlled. The data left through the front door.
Google’s Threat Intelligence Group documented a sustained espionage campaign attributed with high confidence to UNC6508, a People’s Republic of China-nexus threat actor. The campaign targeted North American academic, medical, and military research institutions beginning in September 2023 and continuing through at least November 2025 — more than two years of activity, over a year of which went entirely undetected.
The Target: Research Institutions With Military Connections
UNC6508’s targets were not defense contractors or government agencies in the conventional sense. They were medical research institutions — world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies whose combined research budget runs into the billions of dollars. The thread connecting them is that their research, and the people they correspond with, intersects with national security – military readiness, public health policy, and relationships with defense and government programs.
UNC6508’s collection priorities — national security, Indo-Pacific command operations, artificial intelligence, uncrewed vehicle systems, cyber offensive programs, and medical research — are consistent with historic PRC state-sponsored espionage trends, GTIG assesses. The compliance rule the attackers eventually created included specific pathogen terms alongside defense keywords, including “Chikungunya” — a viral disease transmitted by mosquitoes that was responsible for an outbreak in China’s Guangdong province beginning in July 2025. That inclusion suggests UNC6508 was simultaneously collecting intelligence relevant to a domestic public health situation while pursuing defense and technology targets.
The Entry Point through REDCap
UNC6508 consistently targets REDCap — Research Electronic Data Capture — a web-based platform designed specifically for building and managing online databases and surveys in compliance with regulations for medical and scientific research. It is widely used across the North American medical research community.
GTIG could not confirm exactly how UNC6508 gained initial access to REDCap servers. However, the group was observed probing for vulnerable legacy REDCap versions on multiple target systems — exploiting a design feature of REDCap that allows administrators to run legacy software versions side-by-side with current versions. By targeting those older versions, UNC6508 effectively used the platform’s own administrative flexibility against its operators.
Once inside the REDCap server, the attacker performed internal reconnaissance and credential discovery, obtained database and service account credentials, and deployed a web shell named help.php for persistent access.
The Malware Dubbed INFINITERED
Three months after the initial September 2023 compromise, UNC6508 deployed a bespoke malware payload named INFINITERED — built specifically for REDCap environments and designed to survive the platform’s own software upgrades.
INFINITERED operates across three modular components. The first is a dropper that intercepts REDCap’s upgrade process itself, injecting the malware’s code into each new version as it installs — ensuring INFINITERED persists through software updates rather than being wiped by them.
The second is a credential harvester injected into REDCap’s authentication system file, capturing usernames and passwords submitted via POST requests during login, encrypting them using the environment’s own encryption routine, and hiding them inside a legitimate REDCap database table with the string “xc32038474a” prefixed to the session ID.
The third is a backdoor embedded in REDCap’s custom hooks system file, activating on every page load by checking for a specific HTTP cookie parameter named “REDCAP-TOKEN.” When triggered, it can execute arbitrary system commands, run raw SQL queries, upload and download files, and retrieve the stolen credential records. When no command payload is present, it beacons system details — OS, PHP version, directory, and database credentials — back to UNC6508.
INFINITERED persisted in this manner for more than a year, continuously harvesting credentials while evading detection.
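The three artifacts the report describes (a web shell named help.php, hook or authentication code that reads a cookie named REDCAP-TOKEN, and session rows whose ID carries the xc32038474a prefix) are all things a REDCap operator can hunt for directly. The script below is an added defender-side example and is not GTIG's or the article's code; it assumes the per-version directory names (redcap_vX.Y.Z), the file names in the sample tree and the session-table column name, and builds a constructed tree and constructed rows so it runs offline. The same cookie check appearing in more than one version directory is the cross-upgrade persistence the dropper provides.

```python
import re
import tempfile
from pathlib import Path

WEBSHELL_NAME = "help.php"        # web shell file name reported by GTIG
CRED_PREFIX = "xc32038474a"       # prefix on stolen-credential session IDs, per the report
# PHP that reads the trigger cookie, e.g. $_COOKIE['REDCAP-TOKEN'] or $_COOKIE["REDCAP-TOKEN"]
COOKIE_RE = re.compile(r"""\$_COOKIE\s*\[\s*['"]REDCAP-TOKEN['"]\s*\]""")
# Assumed layout: REDCap keeps each installed version in its own redcap_vX.Y.Z directory
VERSION_DIR_RE = re.compile(r"^redcap_v\d+\.\d+\.\d+$")


def scan_php_tree(root):
    """Return (indicator, relative_path) pairs for every PHP file under root that
    is named like the web shell or contains the REDCAP-TOKEN cookie check."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        if path.name == WEBSHELL_NAME:
            hits.append(("webshell_name", rel))
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if COOKIE_RE.search(text):
            hits.append(("redcap_token_cookie", rel))
    return hits


def versions_with_cookie_hook(hits):
    """Version directories whose code reads REDCAP-TOKEN. The same hook present in
    several versions indicates it was re-injected on upgrade."""
    versions = set()
    for indicator, rel in hits:
        top = rel.split("/", 1)[0]
        if indicator == "redcap_token_cookie" and VERSION_DIR_RE.match(top):
            versions.add(top)
    return sorted(versions)


def find_harvested_rows(session_rows):
    """Rows of a session table (assumed column: session_id) carrying the prefix."""
    return [r for r in session_rows if str(r.get("session_id", "")).startswith(CRED_PREFIX)]


def hunt(root, session_rows):
    """Run all three checks and summarise the result."""
    hits = scan_php_tree(root)
    return {
        "hits": hits,
        "versions_with_cookie_hook": versions_with_cookie_hook(hits),
        "harvested_rows": len(find_harvested_rows(session_rows)),
    }


def build_sample_tree():
    """Constructed REDCap-like tree (not a real install) with two side-by-side versions."""
    root = Path(tempfile.mkdtemp(prefix="redcap-hunt-"))
    files = {
        "redcap_v13.1.0/index.php": "<?php echo 'REDCap'; ?>\n",
        "redcap_v13.1.0/hooks.php": "<?php\nif (isset($_COOKIE['REDCAP-TOKEN'])) { /* hook */ }\n",
        "redcap_v14.0.2/hooks.php": "<?php\nif (isset($_COOKIE[\"REDCAP-TOKEN\"])) { /* re-injected */ }\n",
        "redcap_v14.0.2/help.php": "<?php /* constructed placeholder, not a real web shell */ ?>\n",
        "redcap_v14.0.2/Authentication.php": "<?php $u = $_POST['username']; ?>\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


# Constructed session rows: one benign, two with the harvester's prefix
SAMPLE_SESSION_ROWS = [
    {"session_id": "a1b2c3d4e5f6a7b8", "session_data": "user=alice"},
    {"session_id": "xc32038474a9f8e7d6c5b4a3", "session_data": "<encrypted blob>"},
    {"session_id": "xc32038474a0011223344556", "session_data": "<encrypted blob>"},
]


if __name__ == "__main__":
    result = hunt(build_sample_tree(), SAMPLE_SESSION_ROWS)
    for indicator, rel in result["hits"]:
        print(f"{indicator:22} {rel}")
    print("versions with cookie hook:", result["versions_with_cookie_hook"])
    print("harvested credential rows:", result["harvested_rows"])
```

On a real deployment, point `hunt` at the REDCap web root and feed it the session table exported from the database; a hit on the cookie regex in more than one version directory is the strongest signal, since legitimate hook code does not need to survive an upgrade by copying itself forward.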
A Compliance Rule Named “Patroit”
More than a year after the initial compromise, UNC6508 used credentials harvested from REDCap to access a domain administrator account. From there, it turned to a technique GTIG describes as novel and not previously observed among PRC-nexus threat actors: abusing enterprise email content compliance rules.
Content compliance rules are a legitimate administrative feature in cloud-based productivity suites including Google Workspace. Administrators create them to manage emails containing specific keywords or patterns; by default, the rules apply to every user in an organizational unit. UNC6508 created a rule named “Patroit” — the misspelling suggests the keyword list was manually maintained — configured using regular expressions to match keywords and email address patterns in sent and received emails. Matches were silently BCC-forwarded to a threat actor-controlled Gmail address, BebitaBarefoot774@gmail[.]com, providing a continuous and covert stream of exfiltrated intelligence. GTIG disabled the account upon discovery.
The technique requires no persistent malware after setup, generates no anomalous outbound connections at the endpoint level, and routes exfiltrated data through a platform that appears entirely legitimate in network traffic analysis. The only forensic artifact is the compliance rule itself — an item that lives in an administrative panel few organizations audit routinely.
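Because the rule is the only artifact, the audit has to look at the rule inventory itself. The script below is an added example, not from GTIG or the article, that flags content compliance rules which BCC mail to an address outside the institution's own domains or that apply to the whole organization. The rule record shape (name, org_unit, match, bcc) and the institution domains are assumptions for illustration, not the Google Workspace Admin API's schema; the sample inventory is constructed and reuses the defanged exfiltration address from the report as the recipient of the "Patroit" rule.

```python
# Assumed institution domains; any BCC recipient outside these is treated as external
ORG_DOMAINS = {"example.edu", "research.example.edu"}


def refang(address):
    """Normalise a defanged address such as user@gmail[.]com to user@gmail.com."""
    return address.replace("[.]", ".").replace("(.)", ".").strip().lower()


def is_external(address, org_domains):
    """True when the recipient's domain is not one the institution owns."""
    domain = refang(address).rpartition("@")[2]
    return domain not in org_domains


def audit_rules(rules, org_domains=ORG_DOMAINS):
    """Return findings for rules that forward to external recipients (high) or
    that are scoped to the root organizational unit (medium). Rules with
    neither property are not reported."""
    findings = []
    for rule in rules:
        reasons = []
        for recipient in rule.get("bcc", []):
            if is_external(recipient, org_domains):
                reasons.append(f"external_bcc:{refang(recipient)}")
        if rule.get("org_unit") == "/":
            reasons.append("applies_to_entire_org")
        if not reasons:
            continue
        severity = "high" if any(r.startswith("external_bcc") for r in reasons) else "medium"
        findings.append({"rule": rule["name"], "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: (f["severity"] != "high", f["rule"]))
    return findings


# Constructed rule inventory in the assumed simplified shape
SAMPLE_RULES = [
    {
        "name": "Legal hold - litigation",
        "org_unit": "/Legal",
        "match": r"(?i)subpoena|litigation hold",
        "bcc": ["legal-archive@example.edu"],
    },
    {
        "name": "Patroit",
        "org_unit": "/",
        "match": r"(?i)indo-pacific|uncrewed|chikungunya",
        "bcc": ["BebitaBarefoot774@gmail[.]com"],   # defanged address from the report
    },
    {
        "name": "DLP review copy",
        "org_unit": "/",
        "match": r"\b\d{3}-\d{2}-\d{4}\b",
        "bcc": ["dlp-review@research.example.edu"],
    },
]


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(f"[{finding['severity']}] {finding['rule']}: {', '.join(finding['reasons'])}")
```

Run on a real export, the high-severity list is short enough to review by hand; pairing it with the admin audit log entry that created each rule (who, when, from which IP) turns a one-off check into a standing detection, and a scheduled diff of the rule inventory catches the next rule the day it appears rather than a year later.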
Operations Security
UNC6508 used exclusively US-based obfuscation network IP addresses — routing traffic through compromised routers, residential proxies, and virtual private servers — when accessing both the exfiltration Gmail account and the compromised enterprise administrator account.
The attacker also obtained the Gmail account through a mass account creation service and dedicated it exclusively to email exfiltration, limiting the operational footprint of any single credential. Several spelling errors in the keyword list notwithstanding, the operational discipline UNC6508 maintained for over two years significantly complicated attribution and infrastructure mapping.