This threat involves a prolonged espionage campaign attributed to UNC6508, a China-linked threat actor, targeting North American academic, medical, and military research entities. The adversary exploited vulnerabilities in REDCap servers and deployed the custom INFINITERED malware to harvest credentials. Persistence was maintained through trojanized legitimate files that survived software upgrades. After over a year of stealth, the actor escalated to administrative privileges and abused content compliance rules to exfiltrate emails containing sensitive defense, AI, cyber, and medical research data. The campaign employed sophisticated operational security, including obfuscation networks routing through US infrastructure, compromised routers, and dedicated exfiltration accounts, indicating a strategic intelligence collection operation.

The campaign resulted in unauthorized access and exfiltration of highly sensitive information related to defense intelligence, Indo-Pacific command operations, artificial intelligence research, uncrewed vehicle systems, cyber programs, and medical research data from targeted institutions in the United States and Canada. The persistence of the threat actor and use of stealthy exfiltration methods increased the risk of prolonged data compromise and potential strategic intelligence losses.

No specific patch or remediation is indicated for this campaign. Organizations should review and secure REDCap server deployments, monitor for signs of INFINITERED malware, and audit content compliance rules for unauthorized changes. Given the advanced operational security of the threat actor, enhanced monitoring for unusual administrative activities and network traffic obfuscation is recommended. Patch status is not yet confirmed — check vendor advisories and threat intelligence sources for updates. There is no indication that this is a cloud service; remediation depends on local organizational controls.