Google says PRC-linked UNC6508 used InfiniteRed malware and a “Patroit” email rule
A year-plus North American medical and military espionage campaign moved from REDCap credential theft to Gmail exfiltration.

Google Threat Intelligence Group attributes a PRC-nexus espionage campaign to UNC6508 and says the group hid in North American medical and military research networks for more than a year. The takeaway for decision-makers: the attackers exploited externally facing REDCap servers, then used stolen credentials and a BCC-forwarding compliance rule to siphon sensitive data.
Google Threat Intelligence Group says PRC-linked intruders tracked as UNC6508 hid in the networks of multiple North American medical and military research organizations for more than a year. The path of compromise is the part that should keep CISOs and boards up: the attackers first exploited externally facing REDCap servers, then moved to custom malware called InfiniteRed, and finally used a Gmail content compliance rule named “Patroit” to BCC-forward targeted emails to an attacker-controlled account.
This was not generic “spray and pray” spying. Google says the intruders scanned Gmail inboxes and used credential access to reach admin accounts and internal networks, with search terms that ranged from defense platform systems to medical research facilities and a specific pathogen: “Chikungunya.” Google won’t say how many organizations were compromised, but it did tell The Register that incident responders notified all victims they identified, and “we suspect there’s probably even more.”
Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, described the attackers’ search activity as unusually specific. He said many of the terms were defense-heavy, including ones tied to defense platform systems or defense companies, and some that appeared designed to catch emails containing particular “@” address patterns associated with a defense name. He also noted medical-related targeting, including searches involving institutions and “Chikungunya,” the mosquito-borne viral disease responsible for an outbreak in China’s Guangdong province in July 2025.
If you are thinking, “Okay, so it’s espionage. Why should we care about how they searched?” the answer is in the operational sequencing. Google says incident responders detected the campaign in early 2025, but told The Register it dates back to at least 2023. The earliest known intrusion happened in September 2023, when UNC6508 compromised a REDCap server belonging to a North American medical research institution. Google adds that all of the intrusions followed the same pattern, which matters because it implies a repeatable playbook rather than one-off luck.
After the attackers were in place, the campaign stayed quiet. McNamara told The Register that after three months the snoops silently deployed custom malware named InfiniteRed to capture legitimate REDCap login credentials. InfiniteRed had three modular components: one maintained persistent remote access by intercepting the REDCap upgrade process and injecting code into the new version; another injected a credential harvester into the authentication system file to compromise user accounts; the third acted as a backdoor, with custom hooks that executed on every REDCap page load.
Google’s threat intelligence team identified “multiple” US and Canada-based organizations infected with InfiniteRed, and it offered assistance removing the malware. But persistence was only the middle step. After remaining undetected for more than a year, Google says UNC6508 used the stolen credentials to access admin accounts and the victims’ internal network. At that point, they were positioned to do the final stage of data theft: configuring data routing and exfiltration behavior inside a cloud productivity environment.
That last move is where the campaign’s stealth really shows. Google says UNC6508 added domain content compliance rules for data theft. In cloud-based enterprise productivity suites, including Google Workspace, administrators can create compliance rules to manage messages containing predefined sets of words or phrases across an organizational unit. Google says UNC6508 created a compliance rule named “Patroit” (spelled that way, not “Patriot”), designed to match keywords and email address patterns in sent or received emails. Then the matching messages were silently BCC-forwarded to an attacker-controlled Gmail address: BebitaBarefoot774[@]gmail[.]com.
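As an added example (not from Google’s report or this article), the following Python check reviews mail routing rule changes for the pattern described above: a content compliance rule that BCC-forwards matched messages to an address outside the organization. The record shape, the organization’s domain list and the sample events are constructed assumptions, not the real Workspace audit log schema; the external address is the one reported in the article.

```python
# Constructed, simplified rule-change records (assumed shape, NOT the real
# Google Workspace Admin audit schema). One dict per rule create/change event.
ORG_DOMAINS = {"example-research.org"}  # assumption: domains the org controls

SAMPLE_EVENTS = [
    {"actor": "itadmin@example-research.org", "action": "CREATE_RULE",
     "rule_name": "DLP - PHI outbound", "org_unit": "/",
     "match_terms": ["MRN", "patient"],
     "bcc_recipients": ["compliance@example-research.org"]},
    {"actor": "itadmin@example-research.org", "action": "CREATE_RULE",
     "rule_name": "Patroit", "org_unit": "/",
     "match_terms": ["Chikungunya", "unmanned", "@defense-contractor-example.com"],
     "bcc_recipients": ["BebitaBarefoot774@gmail.com"]},
    {"actor": "itadmin@example-research.org", "action": "DELETE_RULE",
     "rule_name": "Old legal hold", "org_unit": "/Legal",
     "match_terms": [], "bcc_recipients": ["outside-counsel@example-law.com"]},
]


def external_bcc(rule, org_domains):
    """Return the BCC recipients whose mail domain the organization does not own."""
    return [addr for addr in rule.get("bcc_recipients", [])
            if addr.rsplit("@", 1)[-1].lower() not in org_domains]


def review_rules(events, org_domains):
    """Flag created or changed routing/compliance rules that copy matched mail
    to an external mailbox. A rule scoped to the root org unit ("/") affects
    every user, so it is rated high; sub-OU rules are rated medium."""
    findings = []
    for ev in events:
        if ev["action"] not in {"CREATE_RULE", "CHANGE_RULE"}:
            continue  # deletions cannot start new exfiltration
        ext = external_bcc(ev, org_domains)
        if not ext:
            continue
        findings.append({
            "rule_name": ev["rule_name"],
            "actor": ev["actor"],
            "external_bcc": ext,
            "severity": "high" if ev["org_unit"] == "/" else "medium",
            "reason": "compliance rule BCC-forwards matched mail outside the org",
        })
    return findings


if __name__ == "__main__":
    for f in review_rules(SAMPLE_EVENTS, ORG_DOMAINS):
        print(f)
```

A finding is a prompt for review, not proof of compromise: legitimate rules do copy mail to outside counsel or archiving services, so each hit should be matched against a change ticket.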
Google also disabled the Gmail account to prevent further data exfiltration. The underlying message for leaders is not just “malware happened.” It is that attackers can stitch together a full intrusion chain using tools that are normal in business workflows: clinical data platforms like REDCap, cloud email search and routing, and administrative access gained through credential theft.
McNamara offered a theory about the “why” behind the subject matter focus. He said internal questions revolved around why UNC6508 showed up primarily at medical research institutions and why they would search for unmanned drones and unmanned vehicles. One possibility, he said, is that the threat group was tasked with collecting data across categories of national-security-related terms, potentially copy-and-pasting the same query set across multiple victims, including ones outside medical research. He also suggested some targeted institutions likely worked on research connected to military or government agencies, creating correspondence where those terms appeared, with attackers casting a wide net.
For executives and boards, this is a governance problem as much as a security problem. When compromise paths involve externally facing research systems, credential persistence across upgrades, and internal email compliance automation, the risk touches IT operations, security engineering, incident response maturity, and even procurement decisions for clinical research tooling. The strategic stakes are simple: organizations that run REDCap servers, coordinate cross-sector medical research, and rely on enterprise cloud suites need to assume that “legitimate” productivity features can be weaponized after credentials are stolen. In 2026, the winning defense is not only detecting malware, it is detecting the moment the attacker turns normal admin controls into an exfiltration pipeline.