Dateline: June 16, 2026
How Spies Turned Email Rules Into a Silent Data Leak
The hackers got in through a research database tool and never left. For more than two years, nobody knew they were there. Google’s Threat Intelligence Group says a China-linked group quietly broke into universities, hospitals, and defense research labs across the US and Canada. The way in was REDCap, a web platform researchers use to build clinical study databases. One forgotten, internet-facing server was all it took.
What Happened?
The group, tracked as UNC6508, first compromised a REDCap server at a North American medical research center back in September 2023. The activity ran all the way through November 2025 before anyone caught it.
REDCap is web-based software that hospitals and universities use to manage research surveys and store sensitive clinical data. Google could not pin down exactly how the attackers first got in, but it watched them probing older, unpatched versions of the platform. REDCap had pushed out critical fixes for remote code execution bugs back in 2023.
Once inside, the attackers waited about three months, then dropped custom malware called Infinitered. This is the clever part. The malware did not sit next to REDCap. It hid inside REDCap’s own files.
What Infinitered Was Built to Do
It had three jobs: hijack the software upgrade process so it survived every update, steal usernames and passwords as people logged in, and open a backdoor for remote control.
From there, the attackers grabbed a domain admin account. Then they did something Google had never seen a China-linked group do before. They rewrote the victims’ own Google Workspace compliance rules to silently forward any email matching a list of nearly 150 keywords to a Gmail account they controlled.

What’s the Impact?
This was not a smash-and-grab. It was patient, targeted spying.
The keyword list points straight at what they wanted: military strategy, foreign policy, advanced defense technology, AI, uncrewed vehicle systems, and medical research. One search target was Chikungunya, a mosquito-borne virus. That search lined up with a real outbreak in China’s Guangdong province in July 2025.
The scope worried investigators. Google noted the group tried to pull data across an unusually wide range of subjects from a single site, which is rare even for state-backed espionage.
The bigger lesson sits in the timeline. Two years of access from one exposed server running old software. The malware survived upgrades, so patching REDCap alone would not have kicked it out. The theft hid inside normal-looking email rules, so nothing screamed “breach.”
How to Avoid This
The entry point was an old, internet-facing server nobody was watching closely. That is where to start.
A few practical steps:
- Find every externally facing server you run, especially research and legacy apps that drift off the radar.
- Patch REDCap and similar tools fast, and rip out old versions instead of leaving them parked online.
- Turn on 2-step verification everywhere, since stolen passwords were the pivot point here.
- Watch for new mail forwarding and compliance rules in Google Workspace or Microsoft 365. Quiet rule changes are a known exfiltration trick now.
- Hunt for odd domain admin logins and files that change after software upgrades.
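One way to hunt for the quiet rule changes described above, as an added example that is not part of the original article: a short review script over constructed admin-audit records that flags compliance rules forwarding mail to addresses outside the organization, or matching an unusually broad keyword list. The record fields, action names and domains are assumptions for the example, not any vendor's real audit-log schema.

```python
import json

# The organization's own mail domains (constructed value for this example).
ORG_DOMAINS = {"example-research.edu"}

# Actions that create or modify mail routing / compliance rules. These names
# are assumptions for the example, not a vendor's real audit-log schema.
RULE_ACTIONS = {"CREATE_COMPLIANCE_RULE", "MODIFY_COMPLIANCE_RULE", "CREATE_ROUTING_RULE"}

# Constructed audit-log records, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2025-11-02T03:14:00Z","actor":"it-admin@example-research.edu","action":"CREATE_COMPLIANCE_RULE","rule":{"name":"Archive invoices","match_terms":["invoice","receipt"],"forward_to":["archive@example-research.edu"]}}
{"ts":"2025-11-02T03:15:30Z","actor":"it-admin@example-research.edu","action":"CREATE_COMPLIANCE_RULE","rule":{"name":"Compliance Review","match_terms":["defense","uncrewed","foreign policy","chikungunya","strategy","ai"],"forward_to":["review.mailbox@gmail.com"]}}
{"ts":"2025-11-02T03:16:00Z","actor":"it-admin@example-research.edu","action":"USER_LOGIN","rule":null}
"""

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def external_forwards(rule, org_domains=ORG_DOMAINS):
    """Return forwarding recipients whose domain is not one of ours."""
    return [a for a in rule.get("forward_to", []) if domain_of(a) not in org_domains]

def review_rule_changes(log_text, org_domains=ORG_DOMAINS, keyword_threshold=5):
    """Flag rule changes that forward mail outside the org or match many keywords."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("action") not in RULE_ACTIONS:
            continue  # not a mail-rule change; nothing to review here
        rule = event.get("rule") or {}
        reasons = []
        ext = external_forwards(rule, org_domains)
        if ext:
            reasons.append("forwards to external address: " + ", ".join(ext))
        terms = rule.get("match_terms", [])
        if len(terms) >= keyword_threshold:
            reasons.append(f"broad keyword match ({len(terms)} terms)")
        if reasons:
            findings.append({"ts": event["ts"], "actor": event["actor"],
                             "rule": rule.get("name"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review_rule_changes(SAMPLE_LOG):
        print(f["ts"], f["actor"], f["rule"], "->", "; ".join(f["reasons"]))
```

Run against the constructed log, only the second rule is flagged: it forwards to a Gmail address and matches a wide keyword list, while the internal archive rule passes.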
The malware hid in plain sight for two years. The exposed server is what made all of it possible.
You Can’t Patch the Server You Forgot You Had
This breach started with one internet-facing server nobody was tracking. Secure.com helps you find the exposed assets attackers hunt for before they slip in.
- Maps your full external attack surface so forgotten servers stop hiding in the gaps.
- Flags old, unpatched software versions running on internet-facing systems.
- Ranks risk by exploitability and asset criticality, so research and legacy apps get real attention.
- Ties critical fixes to remediation SLAs and tracks each one to validation.
- Surfaces exposed services and weak access points before they turn into a two-year stay.
You can read more in our breakdowns of continuous attack surface management and China’s long-dwell Dell zero-day campaign.