2026-06-15 The Hacker News

China-Linked Hackers Abuse Google Workspace Rules to Steal Defense Emails

APT, Cloud Security, Threat Intel

A China-linked espionage group tracked as UNC6508 maintained undetected access to North American medical, academic, and military research networks for over a year, quietly siphoning sensitive research and defense correspondence. Google's Threat Intelligence Group (GTIG) disclosed the campaign this week, attributing it with high confidence after analyzing the tradecraft used against clinical providers, academic centers, military health institutions, advocacy groups, and health regulators across the US and Canada. Google has since notified affected organizations and disrupted the actor's infrastructure.

The intrusion began with REDCap (Research Electronic Data Capture), a widely used web platform for managing clinical and research databases. UNC6508 compromised externally facing REDCap servers—though Google has not identified a specific CVE, version, or initial access vector—and roughly three months later deployed a custom backdoor dubbed INFINITERED. The malware trojanizes REDCap's own system files, achieving persistence by hijacking the upgrade process so every new version re-injects the malicious code. It also harvests usernames and passwords from the login page, storing them encrypted in local database tables, and operates as a backdoor accepting commands via HTTP cookies on every page load. The earliest known compromise dates back to September 2023, with activity continuing through November 2025.
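INFINITERED's persistence depends on modified copies of the web application's own files surviving upgrades, which is exactly what a baseline file-integrity check is meant to catch. The script below is an added example, not code from the article or from Google's report: it hashes the files of an install directory, stores the result as a manifest, and reports files that were modified, added, or removed relative to that manifest. The directory tree and file contents are constructed inline for the demonstration; the file names only stand in for a REDCap-style PHP deployment and are not taken from the actual malware.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, suffixes=(".php",)) -> dict:
    """Map each file under root (matching suffixes) to its hash, keyed by relative path."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            manifest[str(path.relative_to(root))] = hash_file(path)
    return manifest


def compare_manifest(root: Path, baseline: dict, suffixes=(".php",)) -> dict:
    """Diff the live tree against a trusted baseline manifest."""
    current = build_manifest(root, suffixes)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: a clean install, then one tampered file and one unexpected file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files standing in for an application's system files.
        (root / "redcap_connect.php").write_text("<?php // database connection settings\n")
        (root / "index.php").write_text("<?php // login page\n")
        baseline = build_manifest(root)  # in practice, take this from pristine vendor media

        # Simulate tampering: code appended to a system file, plus a file the vendor never shipped.
        (root / "index.php").write_text("<?php // login page\n// unexpected appended code\n")
        (root / "extra.php").write_text("<?php // file not present in the vendor package\n")
        return compare_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must come from a pristine vendor package, not from the running server, since a backdoor that re-injects itself during every upgrade would otherwise be hashed into the "known good" state; rebuild the manifest from vendor media after each upgrade and compare it against what is actually on disk.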

The exfiltration method was particularly stealthy. After escalating to domain administrator privileges, UNC6508 abused Google Workspace's built-in content compliance rules—a legitimate admin feature designed to scan mail for keywords and copy or forward matching messages. The group created a rule, tellingly misspelled "Patroit," configured with nearly 150 keywords, search terms, and target email addresses. Any matching message was silently BCC'd to an attacker-controlled Gmail address, which Google has since disabled. No malware ever touched the mail servers themselves, making the theft invisible to most security tools. Organizations worried about credential exposure should run a password checker to verify whether harvested logins appear in known dumps.

Google first surfaced UNC6508 and the INFINITERED backdoor in February as part of a broader report on state-backed attacks against the defense sector. The campaign underscores how adversaries are increasingly weaponizing native cloud features rather than deploying traditional malware, turning trusted platforms into silent exfiltration pipelines. Defenders are advised to audit Google Workspace admin rules for unexpected BCC forwards, rotate any credentials that touched compromised REDCap instances, and confirm whether organizational mailboxes have surfaced in public leaks using an email breach checker.
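The "Patroit" rule had three traits a defender could have alerted on: it added an external consumer-mail recipient, it did so as a silent BCC rather than a quarantine, and it carried an unusually large keyword list. The script below is an added example, not code from the article or any Google tool, and it audits a set of content-compliance rules for those traits. The rule records are constructed for this example and their field names are an assumption of this example, not the Admin console's real export schema; adapt the field mapping to whatever export or API response you actually have.

```python
# Constructed rule export; field names are an assumption for this example only.
SAMPLE_RULES = [
    {
        "name": "Legal hold - litigation",
        "keywords": ["subpoena", "litigation hold"],
        "action": "quarantine",
        "add_recipients": [],
    },
    {
        "name": "Patroit",  # misspelled name as reported in the article
        "keywords": [f"term{i}" for i in range(148)],  # placeholder keywords, count only
        "action": "modify",
        "add_recipients": ["collector@gmail.com"],  # constructed placeholder address
        "recipient_mode": "bcc",
    },
    {
        "name": "Archive to compliance mailbox",
        "keywords": ["contract"],
        "action": "modify",
        "add_recipients": ["archive@example.org"],
        "recipient_mode": "bcc",
    },
]

ORG_DOMAINS = {"example.org"}  # domains the organization controls (assumed for the example)
CONSUMER_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
KEYWORD_THRESHOLD = 50  # above this, a rule looks like bulk collection rather than compliance


def audit_rule(rule: dict, org_domains=ORG_DOMAINS) -> list:
    """Return (severity, reason) findings for one rule; empty list means nothing suspicious."""
    findings = []
    for addr in rule.get("add_recipients", []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in org_domains:
            severity = "high" if domain in CONSUMER_DOMAINS else "medium"
            mode = rule.get("recipient_mode", "unknown")
            findings.append((severity, f"adds external recipient {addr} as {mode}"))
    keyword_count = len(rule.get("keywords", []))
    if keyword_count >= KEYWORD_THRESHOLD:
        findings.append(("medium", f"{keyword_count} keywords (broad collection rule)"))
    return findings


def audit_rules(rules: list, org_domains=ORG_DOMAINS) -> dict:
    """Map rule name -> findings, including only rules with at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, org_domains)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        for severity, reason in findings:
            print(f"[{severity}] {name}: {reason}")
```

Run this against every rule in every organizational unit, not just the top level, and pair it with an alert on admin-audit events that create or change mail routing or compliance settings, so a new rule is reviewed when it appears rather than a year later.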

Source: The Hacker News
