
China-linked Attackers Abused REDCap Vulnerabilities Against U.S. and Canadian Research Institutions

Bottom line: UNC6508 exploited the ability to run legacy REDCap versions in parallel with current installations to monitor research institutions in the USA and Canada for over a year using the INFINITERED framework.

The threat group UNC6508, linked to China-backed actors, infiltrated U.S. and Canadian research environments for over a year through exploits of outdated REDCap versions. Google’s Threat Intelligence Group disrupted the campaign and warns of the INFINITERED malware framework, which sneaks into REDCap upgrade processes.

The campaign targets academic institutions, medical research centers, healthcare service providers, military health networks, and defense-oriented research programs. UNC6508 abused REDCap — a widely used platform for research data capture and management — by hijacking the upgrade process to inject malware that persists across upgrades. The objectives were intelligence on national security, AI, cyber operations, and medical research.

The INFINITERED malware framework consists of three components: a dropper that intercepts upgrades, a credential harvester, and a backdoor with command-and-control capability. The upgrade-interception component reads from outdated, already-compromised REDCap versions — REDCap allows administrators to run legacy versions in parallel with the current installation — and injects malicious code into the upgrade system files. In parallel, credential-harvesting code is injected into the authentication file and backdoor code into the custom hooks configuration file. Additionally, UNC6508 placed a web shell named “help.php” to maintain persistence and to serve as an uploader.

After gaining entry, the group conducted internal reconnaissance and collected database and service account credentials. The backdoor supports comprehensive remote commands for file management, shell command execution, system information gathering, and control over compromised REDCap servers.

Google recommends affected organizations check REDCap environments for unauthorized file modifications, unexpected web shells, and signs of credential harvesting activity — supported by Google-provided YARA rules. Additionally, vulnerable REDCap deployments should be updated, outdated versions running in parallel should be reviewed, and the integrity of application files should be validated before and after upgrades. Google further recommends phishing-resistant two-factor authentication, device-bound session credentials, and corresponding data leakage prevention rules.
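A baseline-and-diff file integrity check of the kind the paragraph above recommends, written here as an added example (it is not Google's YARA rules or REDCap's own tooling); the simulated install tree and its file names are constructed stand-ins, not real REDCap paths:

```python
"""Snapshot a web application tree before an upgrade, re-check it afterwards."""
import hashlib
import tempfile
from pathlib import Path

# Newly appearing server-side scripts are the classic web-shell signal.
WEB_EXECUTABLE = (".php", ".phtml", ".phar")


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large files do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): hash_file(p)
            for p in sorted(base.rglob("*")) if p.is_file()}


def diff_manifests(before: dict, after: dict) -> dict:
    """Classify paths as added, removed or modified between two manifests."""
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "modified": sorted(p for p in before.keys() & after.keys()
                               if before[p] != after[p])}


def flag_findings(diff: dict, watched: tuple) -> list:
    """Findings a reviewer should triage: new scripts, and edits to watched files."""
    found = [f"new web-executable file: {p}" for p in diff["added"]
             if p.endswith(WEB_EXECUTABLE)]
    found += [f"watched file modified: {p}" for p in diff["modified"] if p in watched]
    return found


def simulate_upgrade_check() -> list:
    """Constructed scenario: baseline a fake install, run a tampered 'upgrade', re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hooks").mkdir()
        (root / "auth_module.php").write_text("<?php // constructed stand-in: authentication file\n")
        (root / "hooks" / "hooks_config.php").write_text("<?php // constructed stand-in: hooks config\n")
        (root / "index.php").write_text("<?php echo 'ok';\n")
        before = build_manifest(tmp)
        # The pattern the article describes: the auth and hooks files change and
        # an unexpected help.php appears, while ordinary files stay untouched.
        (root / "auth_module.php").write_text("<?php // contents changed by the upgrade\n")
        (root / "hooks" / "hooks_config.php").write_text("<?php // contents changed by the upgrade\n")
        (root / "help.php").write_text("<?php // unexpected new file\n")
        after = build_manifest(tmp)
        return flag_findings(diff_manifests(before, after),
                             ("auth_module.php", "hooks/hooks_config.php"))
```

In production the "before" manifest would be stored off-host (an attacker who can write the application tree can also edit a manifest kept beside it), and every finding should be compared against the vendor's release file list rather than cleared by hand.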


Source: www.csoonline.com · Published June 16, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.