China Spent Over a Year Inside U.S. Medical Research Networks — And Used Google’s Own Email Rules to Steal Data
ID: 4a8ea398-bb35-5f12-8657-45db0c3c42e7
STIX ID: report--4a8ea398-bb35-5f12-8657-45db0c3c42e7
Feed Name: The Cyber Express
UNC6508, a PRC‑nexus threat actor, ran a multi-year espionage campaign (Sep 2023–Nov 2025+) against North American medical, academic, and military‑linked research organizations by exploiting legacy REDCap instances, deploying bespoke malware named INFINITERED to persist through upgrades and harvest credentials, and ultimately abusing Google Workspace content compliance rules (a rule named “Patroit”) to silently forward matched emails to an attacker-controlled Gmail account, enabling broad, covert exfiltration of sensitive research and national-security‑relevant communications.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
