Introduction to UNC6508
Google threat hunters have identified a Chinese state-sponsored espionage group, UNC6508, which has been lurking in networks undetected since 2023. The group, discovered by Google's Threat Intelligence Group in late 2025, targeted organizations in the United States and Canada, stealing data across various sectors including academia, medicine, military, cybersecurity, and foreign policy.
The revelation highlights an alarming pattern of Chinese espionage groups dropping backdoors into critical infrastructure to pre-position for potential sabotage, intercept research, and steal data with national security implications. These groups, UNC6508 among them, work at the behest of China's government and operated in stealth for years before authorities or researchers discovered their activity.
Discovery and Impact
According to Patrick Whitsell, senior security engineer at Google's Threat Intelligence Group, “We don’t know the full extent or impact of the campaign”. Researchers found that the threat group broke into a medical research university in September 2023, stole credentials and communications, and remained active on the institution's systems through November 2025, when it was discovered.
Google confirmed that multiple victims were compromised with INFINITERED, a custom backdoor the threat group deployed on targeted networks to steal administrative credentials after it exploited externally facing REDCap (Research Electronic Data Capture) servers. However, researchers still don't know how UNC6508 gained initial access to the REDCap servers.
REDCap Servers and Vulnerabilities
REDCap, survey and database software created at Vanderbilt University, is widely used across the medical research community; its maintainers issued multiple patches for critical remote-code-execution vulnerabilities throughout 2023. This highlights the potential for further exploitation of similar vulnerabilities in the future.
Whitsell said, “Given the breadth of the threat actor’s intelligence collection criteria and their ability to remain undetected within compromised networks for more than a year, we assess the known victims likely represent only a fraction of a larger campaign”. He also noted that “We also assess that this highly capable threat actor will remain active and continue to be a threat to the defense, technology and medical industries for the foreseeable future”.
Tactics and Techniques
The campaign targeted clinical providers, academic medical centers, and U.S. military health institutions, demonstrating advanced capabilities from a threat group that doesn't currently overlap with any other publicly known groups. The threat group abused domain compliance rules to steal data, a technique that doesn't rely on malware or living-off-the-land tools, and routed traffic through U.S.-based IPs to blend in with legitimate traffic.
Whitsell noted that “We have some evidence to suggest this is a large threat group with multiple sub-teams, but this is not confirmed”. Like other previously identified China state-sponsored espionage groups, UNC6508 remains active.
Response and Remediation
Google disrupted some of UNC6508's known infrastructure by disabling a Gmail account it used to exfiltrate data, notified the affected organizations, and helped remediate compromises before publishing research on UNC6508's activities. Whitsell said several unconfirmed instances of compromise remain under investigation.
- Google's Threat Intelligence Group discovered UNC6508 in late 2025.
- The group has been active since at least September 2023.
- UNC6508 targeted organizations in the United States and Canada.
- The group stole data across various sectors, including academia, medicine, military, cybersecurity, and foreign policy.
Source: CyberScoop