Editorial Note
This entry uses only the ATT&CK mappings explicitly listed by Google Threat Intelligence Group. No additional techniques were inferred from adjacent campaign behavior.
How The Activity Unfolds In ATT&CK
UNC6508's activity starts with exploitation of exposed REDCap infrastructure, then moves into server-side persistence, credential capture, and SaaS-based exfiltration through Google Workspace. The sequence below follows the mapped ATT&CK techniques documented in the source.
- Initial access through T1190 Exploit Public-Facing Application. The actor targets exposed REDCap survey management servers. In ATT&CK terms, this places the first observable behavior at the externally facing application boundary.
- Server-side persistence through T1505.003 Web Shell. After access, the actor deploys INFINITERED and uploaders on the compromised servers, giving it an interactive foothold inside the web application environment.
- Credential collection through T1056.003 Web Portal Capture. INFINITERED captures plaintext credentials from REDCap login requests, turning the compromised application into a credential collection point.
- Data theft through T1567 Exfiltration Over Web Service. The actor uses Google Workspace compliance rules to forward selected email content to actor-controlled Gmail accounts.
Defender Readout
This activity is useful for detection engineering because it connects web exploitation, web shell persistence, application-layer credential capture, and SaaS exfiltration into a single operational chain. The first three stages leave evidence on the REDCap host itself (web server access logs, new or modified files under the web root, the integrity of the login handler), while the final stage is visible only in Google Workspace administrative records, so coverage needs both sources. Reviewers should avoid adding adjacent techniques unless a source explicitly documents the behavior.
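As an added example, not code from the GTIG report, from REDCap, or from any tool the report names: the script below demonstrates two host-side checks that surface the first three mapped stages. A manifest diff of the web root catches a dropped script (T1505.003) and a modified login handler (where application-layer credential capture has to live, T1056.003); correlating the access log with that diff catches an operator driving the dropped script over HTTP after the T1190 foothold. Every file name (index.php, login.php, uploads/tmp_a1b2.php), address, and log line is constructed for the demo and does not model REDCap's real layout; the T1567 stage lives in Google Workspace administrative records rather than on the server and is not covered here.

```python
"""
Added example, not code from the GTIG report or from REDCap: two checks that
surface the first three mapped stages on the web server itself.
  1. A file manifest diff of the web root catches a dropped script (web shell /
     uploader, T1505.003) and a modified login handler (the place an
     INFINITERED-style credential capture has to live, T1056.003).
  2. Correlating the access log with that diff catches an operator driving the
     dropped script over HTTP, the traffic left behind after the T1190 foothold.
All file names, IPs and log lines below are constructed for the demo.
"""
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def hash_tree(root: Path) -> dict[str, str]:
    """SHA-256 of every file under root, keyed by forward-slash relative path."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: dict[str, str], current: dict[str, str]):
    """Return (added, modified): files absent from the deploy-time baseline,
    and baseline files whose hash changed. Both lists are sorted."""
    added = sorted(set(current) - set(baseline))
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    return added, modified


def parse_log(lines):
    """Yield dicts for lines that match the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def requests_to_new_files(entries, added_files, url_prefix="/"):
    """Group requests whose path resolves to a file that was not in the
    baseline. GET/POST traffic to such a path from one client is the
    interactive web-shell pattern; legitimate users never reach it."""
    targets = {url_prefix + f for f in added_files}
    hits = defaultdict(list)
    for e in entries:
        path = e["path"].split("?", 1)[0]  # drop the query string
        if path in targets:
            hits[e["ip"]].append((e["method"], path, e["status"]))
    return dict(hits)


def run_demo():
    """Constructed scenario: snapshot at deploy time, then a simulated
    compromise, then the access log the operator left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php /* app entry point */ ?>")
        (root / "login.php").write_text("<?php /* reads POSTed credentials */ ?>")
        baseline = hash_tree(root)  # in practice: stored off-host at deploy time

        # Simulated post-compromise state (hypothetical names, placeholder bodies):
        (root / "uploads").mkdir()
        (root / "uploads" / "tmp_a1b2.php").write_text("<?php /* dropped script */ ?>")
        (root / "login.php").write_text(
            "<?php /* reads POSTed credentials */ /* + injected copy of them */ ?>"
        )
        added, modified = diff_manifest(baseline, hash_tree(root))

    # Constructed log: 203.0.113.10 drives the dropped script; 198.51.100.7 is
    # an ordinary user logging in (RFC 5737 documentation addresses).
    access_log = [
        '203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /uploads/tmp_a1b2.php HTTP/1.1" 200 12 "-" "curl/8.4.0"',
        '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "POST /login.php HTTP/1.1" 302 0 "/index.php" "Mozilla/5.0"',
        '203.0.113.10 - - [01/Jan/2025:10:00:12 +0000] "POST /uploads/tmp_a1b2.php?x=1 HTTP/1.1" 200 88 "-" "curl/8.4.0"',
        '203.0.113.10 - - [01/Jan/2025:10:00:20 +0000] "POST /uploads/tmp_a1b2.php HTTP/1.1" 200 41 "-" "curl/8.4.0"',
        'garbage line that should be skipped',
    ]
    hits = requests_to_new_files(parse_log(access_log), added)
    return added, modified, hits


if __name__ == "__main__":
    added, modified, hits = run_demo()
    print("new files:", added)          # ['uploads/tmp_a1b2.php']
    print("modified files:", modified)  # ['login.php']
    for ip, reqs in hits.items():
        print(f"{ip} drove a non-baseline script {len(reqs)}x: {reqs}")
```

The ordinary user's POST to login.php is deliberately not flagged by the log correlation: the tampered handler is caught by the manifest diff, not by traffic, because victims' logins look identical before and after the capture code is added. That is why the file-integrity baseline has to be taken at deploy time and kept off the host.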
Evidence And Mapping Rationale
Exploitation of REDCap survey management servers
The source maps UNC6508's initial access to exploitation of externally exposed REDCap web applications (T1190).
Deployment of INFINITERED and uploaders
The source maps persistence to web shell activity involving INFINITERED and uploaders on compromised REDCap infrastructure (T1505.003).
INFINITERED harvesting plaintext credentials
The source describes credential capture from REDCap login requests, matching web portal credential capture (T1056.003).
Silently forwarding sensitive data
The source maps exfiltration to Google Workspace compliance rules forwarding selected email content to actor-controlled Gmail accounts (T1567).