Chinese Hackers Target Medical, Military, and AI Research in North America

Google’s Threat Intelligence Group has been tracking the cyberespionage group as UNC6508 since early 2025.

The Google Threat Intelligence Group (GTIG) has published an analysis of the attacks carried out by a cyberespionage group linked to the Chinese government.

Tracked as UNC6508, the group is believed to have been active since at least 2023, but Google’s researchers started tracking it in early 2025. UNC6508 was mentioned by Google in a report published in February. 

The UNC6508 campaign observed by GTIG was mainly aimed at North America, with the hackers targeting major medical, academic, and military research organizations.

“These organizations comprise world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies,” Google’s researchers explained. “Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness.”

According to GTIG, the cyberspies regularly target servers hosting REDCap, a web platform for building and managing clinical research databases and surveys in the medical field. Google said it’s unclear how the attackers gained access to REDCap servers, but evidence suggests they may be targeting vulnerable legacy versions.

In one of the intrusions investigated by the tech giant’s researchers, the hackers deployed a piece of malware named InfiniteRed three months after the initial intrusion. 

InfiniteRed is a custom malware payload that provides dropper, upgrade interception, credential harvesting, backdoor, and command-and-control (C&C) capabilities. The malware was discovered on the systems of multiple organizations in the US and Canada.

Google’s analysis found that the hackers abused a legitimate feature named content compliance rules to exfiltrate emails related to specific topics. The attackers’ compliance rules indicated that they were targeting entities beyond those identified in the medical research community. 
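As an added example, not code from Google's report or from this article: a small Python review of exported content compliance rules, assuming the abused feature is Gmail's content compliance setting and using a constructed, hypothetical rule schema (Google does not export these settings in this form). It flags enabled rules that copy topic-matched mail to addresses outside the organization's own domains, the pattern described above.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: the organization's own mail domains; anything else is external.
ORG_DOMAINS = {"example-hospital.org"}

@dataclass
class ComplianceRule:
    """One content compliance rule in a CONSTRUCTED, hypothetical schema."""
    name: str
    keywords: List[str]                                        # content-match conditions
    added_recipients: List[str] = field(default_factory=list)  # "Add more recipients" action
    enabled: bool = True

def external_recipients(rule: ComplianceRule, org_domains=ORG_DOMAINS) -> List[str]:
    """Return the rule's added recipients whose domain is not one of ours."""
    return [
        addr for addr in rule.added_recipients
        if addr.rsplit("@", 1)[-1].lower() not in org_domains
    ]

def review_rules(rules: List[ComplianceRule], org_domains=ORG_DOMAINS) -> List[Dict]:
    """Flag enabled rules that silently copy topic-matched mail off the tenant.

    A keyword condition plus an external extra recipient is the pattern the
    article describes: mail on specific topics leaves the organization without
    the mailbox owner seeing a forward.
    """
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        ext = external_recipients(rule, org_domains)
        if ext:
            findings.append({
                "rule": rule.name,
                "external_recipients": ext,
                "keywords": rule.keywords,
                "severity": "high" if rule.keywords else "medium",
            })
    return findings

# Constructed sample rules: one benign internal archive rule, one suspicious rule, one disabled.
SAMPLE_RULES = [
    ComplianceRule("Archive HR mail", ["payroll"], ["hr-archive@example-hospital.org"]),
    ComplianceRule("Research copy", ["clinical trial", "drone"], ["backup@mail-relay.example"]),
    ComplianceRule("Old rule", ["grant"], ["x@mail-relay.example"], enabled=False),
]
```

Running `review_rules(SAMPLE_RULES)` reports only "Research copy"; in practice, load the rules from your own Admin console export and review every finding against a known-good change ticket.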

UNC6508 appears to have also been after valuable intelligence related to national security, AI, drones, cyber offensive research, defense technology, naval assets, diplomatic and government entities, and military command units. 

The hackers leveraged obfuscation networks, bulk-sourced accounts, legitimate credentials, and operation-specific infrastructure to hide their activities from defenders.

Google said it disrupted the threat actor’s infrastructure and notified the identified victims. 

The company has released technical details and indicators of compromise (IoCs) to help defenders. 

Related: Five Eyes: Chinese Spies Target Government, Military Staff With Fake Job Opportunities

Related: Chinese Cybercrime Group in Spotlight for Record Campaign Pace

Related: Chinese APTs Expand Targets, Update Backdoors in Recent Campaigns

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.