
UNC6508 and the INFINITERED Backdoor Targeting Medical Research

A China-linked hacking group known as UNC6508 spent more than a year quietly stealing sensitive information from North American medical research organizations. The group broke into widely used research database software, then planted a hidden tool called INFINITERED that survived even when the software was updated. What makes this campaign stand out is patience: the group waited, watched, and collected data without tripping alarms.

Think of INFINITERED as a counterfeit key copied into the factory that makes the locks. Every time an organization installed a fresh update, the fake key was rebuilt right along with it. Because the tool hid inside trusted software, security teams relying on standard defenses had little reason to look for it.

The stolen data included medical research, artificial intelligence work, and national defense information tied to some of the largest research institutions in the US and Canada. Once inside, the group harvested login credentials and used a hidden email forwarding trick to secretly copy sensitive messages to accounts it controlled. Organizations hit by this campaign face theft of research worth billions, exposure of protected data, and long recovery efforts to rotate credentials and rebuild trust in their systems.

Hunting Controls & Observations

Organizations can detect this campaign through multiple telemetry sources spanning the web application tier, cloud email platform, network, and identity systems:

  • Endpoint & Server Controls: Web server access and error logs, file integrity monitoring on REDCap application directories, and process telemetry (Sysmon Event 1, Defender for Endpoint) on the hosts running the research database platform.
  • Network Controls: Inbound HTTP inspection for anomalous authentication cookies, and monitoring of administrative sessions sourced from residential proxy, VPS, or compromised consumer router addresses.
  • Identity & Access Controls: Windows Security logon events (Event ID 4624), domain administrator credential use, and database session table activity that stores captured credentials.
  • Cloud & SaaS Controls: Google Workspace admin audit logs, content compliance and mail routing rule changes, and email forwarding rules that direct mail to external webmail accounts.

Behavioral Indicators of Attack

The following observable behaviors distinguish this campaign from routine activity:

  • Modification of REDCap application files (help.php, Upgrade.php, database connection files) outside of an approved vendor upgrade window.
  • The same backdoor code reappearing after a REDCap upgrade or patch, indicating persistence embedded in the upgrade process itself.
  • Web application worker processes spawning system shells to execute arbitrary commands.
  • Inbound web requests carrying an unusual authentication cookie with long encrypted values used as a command channel.
  • Login pages capturing plaintext credentials and writing them, encrypted, into the database session table with an anomalous session identifier prefix.
  • Creation of Google Workspace content compliance rules that silently blind-copy matched email to an external free webmail address.
  • Administrator or domain administrator logons sourced from IP addresses geographically inconsistent with the user, frequently US-based proxy ranges.
  • Bulk keyword and regular-expression rules referencing sensitive research topics such as defense, artificial intelligence, and specific pathogens.

MITRE Enterprise ATT&CK Tactics and Techniques

The campaign maps to the following MITRE ATT&CK techniques (the IDs referenced in the observables and recommendations below), listed in approximate kill chain order:

  • T1190: Exploit Public-Facing Application (initial access through the REDCap application tier)
  • T1505.003: Server Software Component: Web Shell (help.php)
  • T1554: Compromise Host Software Binary (backdoor embedded in the upgrade process)
  • T1056.003: Input Capture: Web Portal Capture (login page credential harvesting)
  • T1555: Credentials from Password Stores
  • T1071.001: Application Layer Protocol: Web Protocols (cookie-borne command channel)
  • T1090.003: Proxy: Multi-hop Proxy (residential proxy, VPS, and compromised router infrastructure)
  • T1562.001: Impair Defenses: Disable or Modify Tools
  • T1114.003: Email Collection: Email Forwarding Rule (Google Workspace content compliance rules)
  • T1213: Data from Information Repositories
  • T1567: Exfiltration Over Web Service (mail blind-copied to external webmail)

Controls' Observables

Detection opportunities organized by control category, each linked to the relevant MITRE ATT&CK techniques and a realistic detection difficulty rating.

Endpoint & Server Controls

  • Unauthorized REDCap file modification: Changes to help.php, Upgrade.php, or database connection files outside an approved change window.
    Related MITRE Techniques: T1505.003, T1554
    Detection Difficulty: MEDIUM
  • Web worker spawning a shell: Web application processes launching command interpreters to run arbitrary commands.
    Related MITRE Techniques: T1505.003, T1071.001
    Detection Difficulty: MEDIUM
  • Backdoor surviving upgrades: The same malicious code reappearing immediately after a legitimate REDCap upgrade.
    Related MITRE Techniques: T1554
    Detection Difficulty: HIGH

Network Controls

  • Anomalous authentication cookie: Inbound HTTP requests bearing an unexpected cookie with long encrypted values, used as a covert command channel.
    Related MITRE Techniques: T1071.001
    Detection Difficulty: MEDIUM
  • Administrative access from proxy infrastructure: Privileged sessions sourced from residential proxies, VPS providers, or compromised consumer routers.
    Related MITRE Techniques: T1090.003
    Detection Difficulty: HIGH
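The cookie-based command channel above has no SPL or KQL query on this page, and the source does not name the cookie, so the durable signal is the shape of the value rather than its name: a long, high-entropy blob where a session identifier is expected. The following is an added example (not GTIG's tooling) that scores every cookie on each access-log request by length and Shannon entropy. It assumes an Apache combined log format extended with a trailing quoted "%{Cookie}i" field (adjust LOG_RE for your format), the sample log lines are constructed, and the 128-character / 4.5-bits-per-character thresholds are starting points to tune against your own baseline.

```python
"""Flag long, high-entropy cookies in web server access logs.

Added example, not code from the GTIG report. Assumes an Apache combined
log with a trailing "%{Cookie}i" field; sample lines below are constructed.
"""
import base64
import hashlib
import math
import re
from collections import Counter

# Combined log format plus a trailing quoted Cookie header (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)


def shannon_entropy(value: str) -> float:
    """Bits per character: ~5.8 for base64 of random bytes, ~1-3 for text."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_cookies(header: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; tolerates a missing '='."""
    cookies = {}
    for part in header.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def find_anomalous_cookies(lines, min_len=128, min_entropy=4.5) -> list:
    """One finding per cookie that is both long and high-entropy."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        for name, val in parse_cookies(m["cookie"]).items():
            ent = shannon_entropy(val)
            if len(val) >= min_len and ent >= min_entropy:
                findings.append({
                    "ip": m["ip"], "method": m["method"], "path": m["path"],
                    "cookie": name, "length": len(val), "entropy": round(ent, 2),
                })
    return findings


def _fake_encrypted_blob() -> str:
    """Deterministic 512-char base64 stand-in for an encrypted command payload."""
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(12))
    return base64.b64encode(raw).decode()


# Constructed sample: a normal session, a long but low-entropy preference
# cookie (benign, should not fire), and a POST to help.php carrying a blob.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:08:14:02 +0000] "GET /redcap/index.php HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0" "PHPSESSID=abc123def456ghi789jkl"',
    '203.0.113.7 - - [10/Mar/2026:08:14:09 +0000] "GET /redcap/index.php HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0" "PHPSESSID=abc123def456ghi789jkl; pref=' + "abc" * 100 + '"',
    '198.51.100.23 - - [10/Mar/2026:08:15:40 +0000] "POST /redcap/help.php HTTP/1.1" '
    '200 233 "-" "Mozilla/5.0" "PHPSESSID=zz91kd02ld83kd; auth=' + _fake_encrypted_blob() + '"',
]


if __name__ == "__main__":
    for finding in find_anomalous_cookies(SAMPLE_LOG):
        print(finding)
```

The entropy gate is what keeps this from paging on every long but repetitive cookie (tracking preferences, URL-encoded referrers); a benign cookie that is long and random, such as a signed token, will still fire, so allowlist those by name after confirming them and alert hardest on hits whose path is a REDCap file the campaign is known to touch.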

Identity & Access Controls

  • Geographically inconsistent admin logon: Administrator or domain administrator logons from IP addresses that do not match the user's normal location.
    Related MITRE Techniques: T1090.003, T1555
    Detection Difficulty: MEDIUM
  • Captured credential reuse: Plaintext credentials captured at the web login later used to authenticate to internal enterprise systems.
    Related MITRE Techniques: T1056.003, T1555
    Detection Difficulty: HIGH

Cloud & SaaS Controls

  • Malicious compliance or forwarding rule: Creation or modification of Google Workspace content compliance rules that blind-copy mail to an external address.
    Related MITRE Techniques: T1114.003, T1562.001
    Detection Difficulty: LOW
  • Mail routed to external webmail: New mail flow directed to free webmail accounts not associated with the organization.
    Related MITRE Techniques: T1567, T1114.003
    Detection Difficulty: MEDIUM
  • Sensitive keyword rules: Bulk keyword or regular-expression rules referencing defense, AI, and medical research topics.
    Related MITRE Techniques: T1213, T1114.003
    Detection Difficulty: MEDIUM

Insights and Recommendations

Organizations compromised by UNC6508 face theft of high-value research data across artificial intelligence, national defense, and medical fields, exposure of credentials that enable pivoting to domain administrator access, and a continuous covert stream of email exfiltration that can persist for over a year. Because the group maintained access from the initial 2023 compromise through late 2025, the stolen intellectual property spans institutions with a combined research budget measured in the billions of dollars. Recovery requires full credential rotation, rebuilding or reimaging affected REDCap servers, and auditing every mail routing rule.

Security teams should treat a patched REDCap instance as still compromised until it has been rebuilt: because the implant is regenerated by the upgrade process itself, updating in place is not remediation. Rebuild from clean REDCap sources on a reimaged host, bring the installation fully up to date, completely remove legacy versions running side-by-side (T1190), then scan the rebuilt servers and any restored content with the INFINITERED YARA rule and published indicators to confirm the backdoor is gone. Enable and monitor Google Workspace admin audit logs for content compliance and email forwarding rule changes (T1114.003, T1562.001), and alert on any rule that blind-copies mail to an external webmail domain. Deploy file integrity monitoring on REDCap application directories to catch out-of-band changes (T1505.003, T1554), enforce phishing-resistant multi-factor authentication with Context-Aware Access on administrator accounts, and treat any administrative logon from residential or VPS proxy ranges as suspicious (T1090.003).

Source and Credits

This summary is based on Google Threat Intelligence Group's research article "PRC-Nexus Actor UNC6508 Targets US Medical Research" published on June 15, 2026. All threat intelligence, indicators, and the INFINITERED YARA rule are credited to the researchers at Google Threat Intelligence Group (GTIG).

Threat Hunting IOCs & Queries

Known Indicators of Compromise

  • File Hashes (SHA256):
    ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7 (help.php web shell / persistence)
    db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136 (credential harvester)
    c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b (credential harvester)
    8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec (backdoor)
    51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045 (backdoor)
    4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b (dropper)
    58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a6a8d5c86 (dropper)
  • Email Address: BebitaBarefoot774@gmail.com (email exfiltration account)
  • IP Address: 23.169.65.49 (administrator login source, compromised ASUS router)
  • Host Artifacts: b49e334d-9c01-463e-9bc5-00a6920fb66e (GUID delimiter); YjQ5ZTMzNGQtOWMwMS00NjNlLTliYzUtMDBhNjkyMGZiNjZl (Base64-encoded GUID delimiter); xc32038474a (database session ID prefix for stored credentials); ej671a16i7fd8202nu6ltfg5p6x7u (file download command tag)
  • Filenames: help.php (web shell); Upgrade.php (injected upgrade file)

IOCs current as of the source publication date (June 15, 2026). Threat actors frequently rotate infrastructure and accounts, so prioritize the behavioral queries below for durable detection.
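The recommendation to scan servers against the published indicators, and the "backdoor surviving upgrades" observable, both come down to the same host-side check: hash every PHP file under the REDCap web root, compare against the known-bad hashes above and against a manifest taken from a clean install, and grep file contents for the host artifacts. The script below is an added example (not GTIG's YARA rule or tooling) that does exactly that and then runs itself against a constructed scenario: a clean install is baselined, a simulated upgrade re-infects help.php and drops Upgrade.php, and the hunt reports both. The directory layout, file contents and the baseline-manifest approach are assumptions; the hashes and artifact strings are copied from the IOC list above.

```python
"""Hunt a REDCap web root for the INFINITERED indicators listed above.

Added example, not GTIG tooling. Three checks, in the order a responder
would run them after an upgrade:
  1. SHA256 of every .php file against the published known-bad hashes
  2. drift against a baseline manifest taken from a clean install
  3. the host artifact strings (GUID delimiter, its base64 form, the
     download command tag) inside file contents
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Published SHA256 indicators from the list above (credit: GTIG).
KNOWN_BAD_SHA256 = {
    "ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7": "help.php web shell / persistence",
    "db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136": "credential harvester",
    "c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b": "credential harvester",
    "8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec": "backdoor",
    "51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045": "backdoor",
    "4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b": "dropper",
    "58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a6a8d5c86": "dropper",
}
# Host artifacts from the list above, matched as raw bytes in file contents.
ARTIFACT_STRINGS = {
    b"b49e334d-9c01-463e-9bc5-00a6920fb66e": "GUID delimiter",
    b"YjQ5ZTMzNGQtOWMwMS00NjNlLTliYzUtMDBhNjkyMGZiNjZl": "base64 GUID delimiter",
    b"ej671a16i7fd8202nu6ltfg5p6x7u": "file download command tag",
}
# Files the campaign is known to touch; drift here is flagged as "watched".
WATCHED = {"help.php", "upgrade.php", "redcap_connect.php"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA256 for every .php file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*.php"))
    }


def hunt(root: Path, baseline: dict) -> list:
    """Return findings as (relative_path, reason) tuples."""
    findings = []
    current = build_manifest(root)
    for rel, digest in current.items():
        if digest in KNOWN_BAD_SHA256:
            findings.append((rel, "known-bad hash: " + KNOWN_BAD_SHA256[digest]))
        if rel not in baseline:
            findings.append((rel, "file not in baseline manifest"))
        elif baseline[rel] != digest:
            tag = "watched " if Path(rel).name.lower() in WATCHED else ""
            findings.append((rel, tag + "file changed since baseline"))
        data = (root / rel).read_bytes()
        for needle, label in ARTIFACT_STRINGS.items():
            if needle in data:
                findings.append((rel, "contains artifact: " + label))
    for rel in baseline.keys() - current.keys():
        findings.append((rel, "file missing since baseline"))
    return findings


def demo() -> list:
    """Constructed scenario: clean install, baseline, then re-injection after an upgrade."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "redcap"                  # assumed layout, not REDCap's real tree
        (root / "redcap_v14.0.0").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'redcap_connect.php';\n")
        (root / "redcap_connect.php").write_text("<?php $hostname = 'localhost';\n")
        (root / "redcap_v14.0.0" / "help.php").write_text("<?php echo 'help';\n")
        baseline = build_manifest(root)              # taken from the clean install

        # Simulated post-upgrade state: help.php re-infected, Upgrade.php dropped.
        (root / "redcap_v14.0.0" / "help.php").write_text(
            "<?php echo 'help'; /* b49e334d-9c01-463e-9bc5-00a6920fb66e */\n")
        (root / "redcap_v14.0.0" / "Upgrade.php").write_text(
            "<?php $tag = 'ej671a16i7fd8202nu6ltfg5p6x7u';\n")
        return hunt(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Take the baseline from a pristine download of the same REDCap version, never from the running server, and re-run the hunt immediately after every upgrade: a watched file that changes again right after a vendor upgrade completed is the signature of persistence living in the upgrade path itself, which a hash list alone will miss once the actor recompiles.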

Malicious Email Forwarding and Compliance Rule Abuse

Behavior Targeted: Creation or modification of Google Workspace content compliance or routing rules that silently blind-copy mail to an external webmail account.
MITRE ATT&CK: T1114.003, T1562.001, T1567
Expected Results: Admin audit events showing a new compliance or forwarding rule whose destination is an external Gmail or non-organizational domain.
False Positive Likelihood: MEDIUM
Tuning Guidance: Allowlist sanctioned archiving and DLP connectors that legitimately forward mail, and confirm the destination domain is not organization-owned.

Splunk SPL Query

index=gws sourcetype="gws:reports:admin"
    earliest=-90d
    (event_name="CREATE_APPLICATION_SETTING" OR event_name="CHANGE_APPLICATION_SETTING")
    (SETTING_NAME="*compliance*" OR SETTING_NAME="*routing*" OR SETTING_NAME="*Email Content Compliance*")
| eval rule_target=coalesce(NEW_VALUE, DESCRIPTION)
| search rule_target="*@gmail.com*" OR rule_target="*bcc*" OR rule_target="*forward*"
| stats count min(_time) as first_seen max(_time) as last_seen values(rule_target) as rule_detail by user, event_name
| sort - last_seen

// TUNING: Adjust the -90d lookback to cover the suspected dwell time (this campaign persisted for over a year).
// TUNING: Add known-good administrators and org-owned destination domains to an allowlist to reduce noise.
// FALSE POSITIVES: Legitimate DLP or archiving rules may forward mail; verify the destination domain is organization-owned.

Microsoft KQL Query (Defender/Sentinel)

// Requires Google Workspace connected to Microsoft Defender for Cloud Apps
CloudAppEvents
| where Timestamp > ago(90d)
| where Application has "Google Workspace" or Application has "Gmail"
| where ActionType in~ ("CREATE_APPLICATION_SETTING", "CHANGE_APPLICATION_SETTING", "CreateForwardingRule")
| extend Raw = tostring(RawEventData)
| where Raw has "compliance" or Raw has "routing" or Raw has "forward" or Raw has "bcc"
| where Raw has "@gmail.com" or Raw has "@googlemail.com"
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by AccountDisplayName, ActionType, Raw
| order by LastSeen desc

// TUNING: Extend ago(90d) to match suspected dwell time; this campaign persisted for over a year.
// TUNING: Allowlist sanctioned archiving or DLP connectors that legitimately forward mail.
// FALSE POSITIVES: Confirm the destination is an external, non-org webmail address before escalating.

Note: The queries in this section were generated with AI assistance. Test thoroughly in your environment before production use.

Web Server Process Spawning a Shell (Web Shell Activity)

Behavior Targeted: A web application worker process (IIS, Apache, PHP) launching a command interpreter, a strong signal of web shell command execution.
MITRE ATT&CK: T1505.003, T1071.001
Expected Results: Process creation events where the parent is a web server binary and the child is a shell such as cmd.exe, powershell.exe, sh, or bash.
False Positive Likelihood: LOW
Tuning Guidance: Baseline any legitimate maintenance scripts that shell out from the web tier and allowlist them; investigate all remaining hits.

Splunk SPL Query

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    earliest=-30d
    (ParentImage="*\\w3wp.exe" OR ParentImage="*\\php-cgi.exe" OR ParentImage="*\\httpd.exe" OR ParentImage="*\\php-fpm*")
    (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*/sh" OR Image="*/bash")
| stats count min(_time) as first_seen max(_time) as last_seen values(CommandLine) as commands by ComputerName, ParentImage, Image, User
| sort - count

// TUNING: On Linux REDCap hosts, use the Sysmon-for-Linux or auditd equivalent and match ParentImage to httpd, nginx, or php-fpm.
// TUNING: Baseline legitimate web-app shell usage (backup jobs, cron helpers) and allowlist it.
// FALSE POSITIVES: LOW. Web servers rarely spawn interactive shells; investigate every hit.

Microsoft KQL Query (Defender/Sentinel)

DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("w3wp.exe", "php-cgi.exe", "httpd", "httpd.exe", "nginx", "apache2")
    or InitiatingProcessFileName startswith "php-fpm"   // Linux php-fpm binaries are usually versioned, e.g. php-fpm8.2
| where FileName in~ ("cmd.exe", "powershell.exe", "sh", "bash", "dash")
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName
| order by Count desc

// TUNING: Add your REDCap and web hostnames as a filter to focus the hunt.
// TUNING: Allowlist known maintenance scripts that legitimately shell out from the web tier.
// FALSE POSITIVES: LOW. A web worker launching a shell is high-signal; treat as suspicious.


Unauthorized Modification of REDCap Application Files

Behavior Targeted: Creation or modification of REDCap PHP files, particularly help.php, Upgrade.php, and database connection files, outside an approved upgrade window.
MITRE ATT&CK: T1554, T1505.003
Expected Results: File events touching sensitive REDCap PHP files, especially when they occur outside a scheduled maintenance window.
False Positive Likelihood: MEDIUM
Tuning Guidance: Exclude approved upgrade windows; the tell is a modification to these files when no sanctioned change is in progress.

Splunk SPL Query

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    earliest=-30d
    TargetFilename="*\\redcap\\*"
    TargetFilename="*.php"
| eval susp_name=if(match(TargetFilename, "(?i)(help\.php|Upgrade\.php|redcap_connect\.php)"), "yes", "no")
| stats count min(_time) as first_seen max(_time) as last_seen values(TargetFilename) as files by ComputerName, Image, User, susp_name
| sort - last_seen

// TUNING: Set the TargetFilename path to your actual REDCap web root.
// TUNING: Correlate with your patch and upgrade change window; modifications outside that window are suspicious.
// CAVEAT: Sysmon Event ID 11 records file creation only; an in-place edit to an existing help.php will not appear. Pair this with Windows object access auditing (Event ID 4663) or a file integrity monitoring agent to catch modifications.
// FALSE POSITIVES: Legitimate REDCap upgrades modify .php files; exclude approved maintenance windows.

Microsoft KQL Query (Defender/Sentinel)

DeviceFileEvents
| where Timestamp > ago(30d)
| where FolderPath has "redcap"
| where FileName endswith ".php"
| where ActionType in ("FileCreated", "FileModified")
| extend Suspicious = iff(FileName in~ ("help.php", "Upgrade.php", "redcap_connect.php"), "yes", "no")
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, FolderPath, FileName, InitiatingProcessFileName, Suspicious
| order by LastSeen desc

// TUNING: Replace "redcap" with your deployment path and scope to the web root for precision.
// TUNING: Exclude approved upgrade windows to cut legitimate .php changes.
// FALSE POSITIVES: MEDIUM. Genuine upgrades touch these files; the tell is modification outside a change window.


Administrative Logon From Anonymizing Proxy or VPS Infrastructure

Behavior Targeted: Privileged account logons sourced from external IP addresses associated with residential proxies, VPS providers, or compromised consumer routers.
MITRE ATT&CK: T1090.003, T1555
Expected Results: Interactive or network logons for administrator accounts from non-corporate, geographically inconsistent source IP addresses.
False Positive Likelihood: MEDIUM
Tuning Guidance: Enrich source IPs against a hosting, VPS, and residential-proxy intelligence list, and baseline known corporate egress ranges before alerting.

Splunk SPL Query

index=windows sourcetype="WinEventLog:Security" EventCode=4624
    earliest=-30d
    (Logon_Type=10 OR Logon_Type=3)
    (Account_Name="*admin*" OR Account_Name="Administrator")
    NOT (Ip_Address="10.0.0.0/8" OR Ip_Address="172.16.0.0/12" OR Ip_Address="192.168.0.0/16" OR Ip_Address="127.0.0.1" OR Ip_Address="::1" OR Ip_Address="-")
| iplocation Ip_Address
| stats count values(Ip_Address) as source_ips values(Country) as countries dc(Ip_Address) as distinct_ips by ComputerName, Account_Name
| sort - count

// TUNING: Enrich Ip_Address against a hosting, VPS, or residential-proxy threat list and alert on matches.
// TUNING: Restrict the Account_Name filter to your privileged and admin naming convention.
// FALSE POSITIVES: MEDIUM. Remote admins use VPNs; correlate with known corporate egress IPs and geolocation.

Microsoft KQL Query (Defender/Sentinel)

// For cloud identities, run the same logic against SigninLogs (IPAddress, UserPrincipalName)
SecurityEvent
| where TimeGenerated > ago(30d)
| where EventID == 4624
| where LogonType in (3, 10)
| where Account has "admin" or Account endswith "Administrator"
| where IpAddress !in ("-", "127.0.0.1", "::1")
| where coalesce(ipv4_is_private(IpAddress), false) == false   // covers all of 172.16.0.0/12, not just 172.16.x; IPv6 sources are kept
| summarize Count = count(), DistinctIPs = dcount(IpAddress), IPs = make_set(IpAddress, 25), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer, Account
| order by Count desc

// TUNING: Join IpAddress to a VPS or residential-proxy intelligence list to surface anonymized access.
// TUNING: Baseline corporate egress ranges first to reduce VPN-related noise.
// FALSE POSITIVES: MEDIUM. Legitimate remote admins use VPNs; validate against known-good ranges.


Back to Hunting off the Red