INFINITERED
INFINITERED is custom malware used by the PRC-nexus threat actor UNC6508 in a long-running espionage campaign targeting North American academic, medical, and military research organizations. Google Threat Intelligence Group (GTIG) reported the malware on compromised REDCap servers at multiple organizations in the United States and Canada, with the earliest known related compromises dating to September 2023. UNC6508 exploited externally facing REDCap servers, likely including vulnerable legacy versions, and in observed intrusions deployed INFINITERED about three months after the initial compromise.
The malware is designed specifically for REDCap environments and is implemented as three modular components hidden by trojanizing legitimate REDCap system files. Its capabilities include dropper and upgrade interception functionality, credential harvesting, backdoor access, and command-and-control. INFINITERED persists by intercepting REDCap upgrades and reinjecting malicious code into new versions, allowing it to survive software updates for more than a year. GTIG reported use of the GUID delimiter b49e334d-9c01-463e-9bc5-00a6920fb66e in this upgrade interception logic.
A credential-harvesting component injects into the REDCap authentication system and captures usernames and passwords submitted via POST during login. Stolen credentials are stored in a legitimate REDCap sessions database table, with records associated with the session ID prefix xc32038474a. A backdoor component is placed in the REDCap custom hooks system file and executes on every page load. It receives encrypted command payloads via the HTTP cookie parameter REDCAP-TOKEN and can execute shell commands, upload files, download arbitrary files, execute SQL queries, retrieve or delete stolen credentials, and return system, database, and configuration information.
INFINITERED enabled UNC6508 to harvest legitimate REDCap credentials, pivot into internal networks, and later access administrative accounts. The broader campaign targeted sensitive defense, national security, artificial intelligence, uncrewed systems, cyber, and medical research information. Reported associated artifacts and indicators include the web shell help.php on compromised REDCap servers, the cookie parameter REDCAP-TOKEN, the GUID b49e334d-9c01-463e-9bc5-00a6920fb66e, and the session ID prefix xc32038474a.
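The indicators above (the REDCAP-TOKEN cookie used as the C2 channel, the GUID delimiter in the upgrade-interception logic, the xc32038474a session ID prefix, and the help.php web shell name) are concrete enough to hunt for. The following Python is an added, defender-side example written for this page; it is not code from the GTIG report or from Mallory. It assumes an Apache-style access log with the request's Cookie header appended as a final quoted field (a custom LogFormat, not the default), takes PHP sources as a path-to-text mapping so it can be tested offline, and takes session IDs as a plain list because the page does not name the sessions table. All sample log lines, file contents and session IDs are constructed.

```python
import re
from pathlib import Path

# Indicators reported for INFINITERED (values taken from the write-up above).
GUID_DELIMITER = "b49e334d-9c01-463e-9bc5-00a6920fb66e"
SESSION_PREFIX = "xc32038474a"
C2_COOKIE = "REDCAP-TOKEN"
WEBSHELL_NAME = "help.php"

# ASSUMED log layout: Apache "combined" format with the Cookie request header
# appended as one more quoted field (LogFormat ... \"%{Cookie}i\").
# Adjust this regex to whatever LogFormat your server actually uses.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def find_c2_cookie_requests(log_lines):
    """Return (client_ip, request_line, token_length) for every access-log line
    whose Cookie header sets REDCAP-TOKEN, the cookie the backdoor reads its
    encrypted command payload from. Unparseable lines are skipped."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        cookies = dict(kv.split("=", 1) for kv in m["cookie"].split("; ") if "=" in kv)
        if C2_COOKIE in cookies:
            hits.append((m["ip"], m["req"], len(cookies[C2_COOKIE])))
    return hits


def scan_php_sources(files):
    """files: {relative_path: source_text}. Returns (path, reason) findings for
    the reported GUID delimiter and for files carrying the reported web shell
    name. A name match alone needs review against your REDCap release."""
    findings = []
    for path, text in files.items():
        if GUID_DELIMITER in text:
            findings.append((path, "contains INFINITERED upgrade-interception GUID"))
        if Path(path).name == WEBSHELL_NAME:
            findings.append((path, "file name matches reported web shell help.php"))
    return findings


def scan_php_tree(root):
    """Disk wrapper: read every .php file under root into the mapping that
    scan_php_sources expects, then scan it."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*.php")}
    return scan_php_sources(files)


def find_harvester_rows(session_ids):
    """Session IDs written by the credential harvester carry the reported
    prefix; pass in the session_id column exported from the sessions table."""
    return [sid for sid in session_ids if sid.startswith(SESSION_PREFIX)]


def hunt(log_lines, php_files, session_ids):
    """Run all three checks and flag the host if any of them fires."""
    report = {
        "c2_cookie_requests": find_c2_cookie_requests(log_lines),
        "trojanized_sources": scan_php_sources(php_files),
        "harvester_session_rows": find_harvester_rows(session_ids),
    }
    report["suspicious"] = any(report.values())
    return report


# Constructed sample input (not real telemetry).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:08:15:02 +0000] "POST /redcap/index.php HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0" "PHPSESSID=3f9a1c; REDCAP-TOKEN=U2FsdGVkX19abc123"',
    '198.51.100.4 - - [10/Jan/2024:08:16:10 +0000] "GET /redcap/ProjectSetup/index.php?pid=12 HTTP/1.1" '
    '200 4096 "-" "Mozilla/5.0" "PHPSESSID=77bd0e"',
    "garbage line that does not parse",
]
SAMPLE_PHP = {
    "redcap_vX.Y.Z/benign_constructed.php": "<?php\n// constructed benign file\n",
    "redcap_vX.Y.Z/trojanized_constructed.php": "<?php\n/* " + GUID_DELIMITER + " */\n",
    "help.php": "<?php /* constructed file with the reported web shell name */\n",
}
SAMPLE_SESSIONS = ["9a8b7c6d", "xc32038474a0001", "xc32038474aff"]

if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOG, SAMPLE_PHP, SAMPLE_SESSIONS).items():
        print(f"{key}: {value}")
```

In practice you would feed scan_php_tree the REDCap web root, export the session_id column from the sessions table into find_harvester_rows, and run find_c2_cookie_requests over archived access logs going back to the earliest plausible compromise date, since the page notes the backdoor was in place for over a year before credentials were used.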
Groups observed using it
1 distinct threat actor attributed by public researchers.
The earliest known compromise occurred in September 2023, after which GTIG observed a consistent operational pattern. The threat actor exploited externally facing REDCap servers and deployed custom malware named INFINITERED to capture legitimate REDCap login credentials.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (3 techniques)
Persistence (6 techniques)
Then, after remaining undetected for more than a year, UNC6508 used the captured credentials to access the victim’s internal network.
The first allows it to maintain persistent remote access by injecting its code into new REDCap versions after intercepting the upgrade process.
Executes arbitrary system commands using shell_exec. Uploads a file to the server... Retrieves stolen credentials... Executes arbitrary SQL queries against the database... Downloads an arbitrary file from the server.
InfiniteRed is a custom malware payload that provides dropper, upgrade interception, credential harvesting, backdoor, and command-and-control (C&C) capabilities.
INFINITERED implements its functionality across three distinct modular components by trojanizing legitimate REDCap system files... To maintain persistent remote access, INFINITERED injects its code into new REDCap versions by intercepting the upgrade process.
Privilege Escalation (2 techniques)
Stealth (3 techniques)
Defense Evasion, T1027 Obfuscated Files or Information: use of Base64 encoding for malicious payloads within PHP files.
Defense Impairment (1 technique)
Credential Access (6 techniques)
The login harvester captures usernames and passwords submitted through REDCap login pages, then encrypts and stores them in local REDCap database tables for future retrieval.
The threat actor exploited externally facing REDCap servers and deployed custom malware named INFINITERED to capture legitimate REDCap login credentials.
INFINITERED injects a credential harvester into the authentication system file... captures usernames and passwords submitted via POST requests during the login process.
Upon establishing a foothold on the REDCap server, UNC6508 performed internal reconnaissance and credential discovery to obtain database and service account credentials... returning... database credentials including the hostname, username, password, and salt.
Discovery (1 technique)
Collection (4 techniques)
The login harvester captures usernames and passwords submitted through REDCap login pages, then encrypts and stores them in local REDCap database tables for future retrieval.
The threat actor exploited externally facing REDCap servers and deployed custom malware named INFINITERED to capture legitimate REDCap login credentials.
Command and Control (2 techniques)
INFINITERED looks for a specific HTTP Cookie parameter named "REDCAP-TOKEN"... decrypts the remaining payload... the threat actor can use to execute shell commands, run raw SQL queries, and transfer files... MITRE ATT&CK Mapping... C2 communication via HTTP Cookie parameters (REDCAP-TOKEN).
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Custom modular malware deployed on compromised REDCap servers. It trojanizes legitimate REDCap files to persist through upgrades, harvests usernames and passwords from login POST requests, stores stolen credentials in a legitimate sessions table, and provides backdoor access via specially crafted HTTP cookie values to execute commands, run SQL, and transfer files.
A custom malware payload used by UNC6508 that provides dropper functionality, upgrade interception, credential harvesting, backdoor access, and command-and-control capabilities.
Custom malware used against externally facing REDCap servers to maintain persistent remote access, inject itself into new REDCap versions during upgrades, harvest REDCap authentication credentials, and act as a backdoor executing on every REDCap page load.
Custom malware designed specifically for REDCap systems. It consists of a persistence/update module, a credential harvester that captures REDCap login usernames and passwords, and a backdoor that receives commands via HTTP cookies to execute shell commands, transfer files, run SQL queries, retrieve stolen credentials, delete records, and return system and database information.