China-nexus group linked to multiyear campaign targeting US, Canadian medical research
Publish Date: 2026-06-15 11:44:00
Source Domain: www.cybersecuritydive.com
A China-nexus threat group is behind a multiyear espionage campaign targeting North American research centers, specifically related to medical, AI and military information, according to a report released Monday by Google Threat Intelligence Group (GTIG).
The threat cluster, tracked as UNC6508, has exploited vulnerable Research Electronic Data Capture (REDCap) servers before installing custom malware to steal legitimate credentials.
“We know UNC6508 was attempting to gather information on a broad scope of objectives, including medical research, U.S. defense strategy and advanced technology, such as autonomous defense and uncrewed vehicle systems,” said Patrick Whitsell, senior security engineer at GTIG.
One of the espionage targets was research on Chikungunya, a virus spread by mosquitoes, Whitsell said. Those specific searches correlated with a July 2025 outbreak of the virus in China’s Guangdong province, according to GTIG researchers.
Researchers traced the hacking campaign back to September 2023, when a REDCap server at a North American medical research center was compromised. Custom malware, called Infinitered, was installed after three months. Credentials were captured and targeted emails were forwarded to an account controlled by the hackers. The compromise continued until November 2025.
Vulnerable software
REDCap is a web-based software platform used widely in the medical research sector to build and manage online databases. Researchers could not determine how UNC6508 gained initial access, but they noted that REDCap issued critical security fixes for remote code execution vulnerabilities in 2023.
Multiple organizations across the U.S. and Canada have been compromised through the hacking campaign. GTIG researchers have contacted these organizations and offered support.
Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, said medical research is a frequent target of hacking, and this particular campaign raises larger security concerns for healthcare organizations.
“Even when the apparent motive is espionage, the same access paths can be repurposed later for disruption or extortion, which in healthcare can quickly become a patient-safety issue if critical systems are impacted,” Weiss told Cybersecurity Dive.
GTIG said security teams should take several measures to protect their systems, including enacting two-step verification for administrator accounts, upgrading all REDCap installations with the latest software and monitoring audit logs.