UNC6508

UNC6508 is a PRC-nexus, China-linked cyber espionage threat actor tracked by Google Threat Intelligence Group (GTIG), with activity observed since at least 2023. GTIG attributes to UNC6508 a long-running campaign targeting North American academic, medical, and military research organizations, including clinical providers, academic centers, military health institutions, advocacy groups, and health regulatory bodies in the United States and Canada. Reported intelligence interests included defense and national security information, Indo-Pacific operations, artificial intelligence, uncrewed systems, cyber offensive programs, advanced technology, military readiness, geo-strategic policy, and medical research. GTIG reported that UNC6508 regularly targeted externally facing REDCap servers, likely including vulnerable legacy versions, although the exact initial access method was not confirmed. In documented intrusions, the actor deployed a web shell named help.php and later installed custom malware called INFINITERED. INFINITERED was tailored for REDCap environments and consisted of modular persistence, credential-harvesting, and backdoor components. It trojanized legitimate REDCap system files, intercepted REDCap upgrades to reinject malicious code and maintain persistence, harvested usernames and passwords submitted through REDCap login pages, stored stolen credentials in REDCap database tables, and accepted encrypted commands via the REDCAP-TOKEN HTTP cookie. Reported backdoor capabilities included shell command execution, file upload and download, SQL query execution, retrieval and deletion of stolen credentials, and collection of system and database information. UNC6508 used harvested credentials to access internal networks and administrator accounts and, in at least one case, remained undetected for more than a year. GTIG also described a novel exfiltration technique in which UNC6508 abused enterprise content compliance rules after obtaining administrative access. The actor created a rule named "Patroit" that matched targeted keywords and patterns and silently BCC-forwarded matching emails to the actor-controlled Gmail account BebitaBarefoot774@gmail.com. GTIG reported that UNC6508 used strong operational security, including US-based obfuscation network IPs, compromised routers, residential proxies, VPS infrastructure, legitimate credentials, bulk-sourced accounts, and operation-specific infrastructure. Additional reporting cited UNC6508 in broader China-linked targeting of defense-related entities and noted use of operational relay box (ORB) networks. The only alias directly provided in the content is UNC6508.