A built-in feature of Google Workspace has emerged as a preferred exfiltration tool for a Chinese espionage group.

TL;DR: China-linked UNC6508 compromised REDCap servers at research institutions in the US and Canada, then used Google Workspace mail rules to steal emails.

An espionage group with ties to China operated within North American medical, academic, and military research networks for over a year, stealing sensitive data and defense-related emails. The attackers accessed systems through a backdoor on REDCap research servers and employed an atypical data exfiltration strategy: they manipulated the victims' existing Google Workspace rules to divert emails to an inbox they controlled.

Google's Threat Intelligence Group detailed the campaign in a recently published report, confidently linking it to the group known as UNC6508. The affected organizations include clinical providers, academic institutions, military healthcare entities, advocacy groups, and health regulators across the US and Canada. Google reported notifying these organizations and disrupting the group's operations.

The name UNC6508 is not new; Google first identified this group in February during a broader analysis of state-sponsored attacks affecting the defense sector. What’s new is the clarity on how the group operated once it gained access.

The entry point was REDCap (Research Electronic Data Capture), a web platform used by hospitals and universities to manage clinical study databases. UNC6508 compromised publicly accessible REDCap servers. While Google has not identified how the breach occurred or specified any affected software versions, it noted the group was probing outdated, vulnerable installations.

Approximately three months after gaining access, the group deployed custom malware named INFINITERED, which infects REDCap's own system files and performs three main functions: it hijacks the upgrade process to reinject the malware with each new version, collects usernames and passwords from the login interface and stores them in encrypted local database tables, and serves as a backdoor that receives commands through HTTP cookies on each page load.

The earliest recorded compromise dates back to September 2023, with activity extending through November 2025. Once inside the server, UNC6508 conducted internal reconnaissance to gather database and service account credentials, enabling further movement into the internal network and access to a domain administrator account. Google does not specify the exact route to admin access.

With administrative privileges, the group established a method for data exfiltration that did not require additional malware. UNC6508 exploited content compliance rules—a legitimate feature in Google Workspace that scans emails for specific keywords and can automatically copy or forward matching messages. They created a rule, labelled with the misspelled keyword “Patroit,” that monitored nearly 150 keywords, search terms, and email addresses. When a message matched, Workspace would discreetly BCC it to an attacker-controlled Gmail address.

There was no malware on the mail server, no separate exfiltration tool, and no unusual network traffic—just a legitimate administrative feature misused by the attackers. Google has since disabled the compromised Gmail address.

MITRE already recognizes the abuse of email forwarding rules as a known technique under T1114.003. Google points out that what's novel about this incident is the application of domain-level content compliance rules to achieve email exfiltration, a technique not previously observed from a China-related actor.

The keywords in the rule corresponded to UNC6508’s collection priorities, which included geo-strategic policy, military strategy and equipment, advanced technology (including AI and unmanned vehicles), offensive cyber programs, and medical research. One particularly noteworthy term was “chikungunya,” referring to a mosquito-borne virus linked to a significant 2025 outbreak in China's Guangdong province that affected over 16,000 people.

This operation reflects a broader trend. ShinyHunters also exploited an unpatched Oracle PeopleSoft zero-day to infiltrate over 100 organizations, two-thirds of which were universities. In both cases, attackers targeted enterprise software crucial for research institutions, and the victims lacked visibility into the breach until it was reported externally.

The use of Google Workspace in this manner is particularly alarming because it leaves minimal forensic evidence on the email system. By contrast, a breach involving the European Commission via a compromised security tool generated unusual network activity that eventually raised alerts. UNC6508’s method produced none, because the email copying was performed by a legitimate feature operating exactly as intended.

Google has provided specific recommendations: patch publicly accessible REDCap servers and completely remove outdated versions, since REDCap allows legacy installations to coexist with current ones, which creates a risk of downgrade attacks. Review Google Workspace content compliance and mail forwarding rules for any instances that BCC or reroute emails to external addresses. Examine admin audit logs for changes to rules over time, not just their current content. Search for INFINITERED using the indicators released by GTIG. Furthermore, implement phishing-resistant MFA on administrator accounts, since the entire email theft relied on admin access.

Google still does not know how UNC6508 initially accessed the REDCap servers, but that detail is less significant than the fundamental lesson: once attackers gain admin access to a cloud email system, a built-in feature can silently serve as an exfiltration channel.
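Two of the recommendations above (review rules that BCC or reroute mail externally, and review the audit history of rule changes rather than only the current rule set) lend themselves to a script. The following is an added example written for this article, not code from Google or GTIG. It assumes a simplified JSON rule export and a simplified audit-event shape; both are constructed here, the field names are hypothetical, and they must be mapped onto whatever your real Workspace export or Reports API output looks like before use. The internal domain and every address in the samples are placeholders.

```python
"""Flag Workspace-style mail rules that add external recipients, and list
who changed which rule and when.

Constructed example: the rule export schema and the audit-event schema below
are assumed, simplified shapes, not Google's real formats.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample rule export (assumed schema). One benign archive rule,
# one domain-wide rule that BCCs matches to an outside mailbox, and one rule
# whose recipient domain differs only in letter case from the org domain.
SAMPLE_RULES_JSON = """
[
  {"name": "Archive finance mail", "scope": "domain",
   "match": {"keywords": ["invoice", "purchase order"]},
   "actions": {"add_recipients": ["archive@example-university.edu"]}},
  {"name": "Patroit", "scope": "domain",
   "match": {"keywords": ["patriot", "hypersonic", "chikungunya"]},
   "actions": {"add_recipients": ["collector.placeholder@gmail.com"], "bcc": true}},
  {"name": "Legal hold", "scope": "ou:/Legal",
   "match": {"keywords": ["subpoena"]},
   "actions": {"add_recipients": ["legal-hold@Example-University.edu"]}}
]
"""

# Constructed sample admin audit events (assumed schema). The point of
# reviewing these is that a rule later deleted or renamed still leaves a trail.
SAMPLE_AUDIT_EVENTS = [
    {"time": "2025-03-02T03:14:00Z", "actor": "svc-redcap-admin@example-university.edu",
     "event": "CHANGE_GMAIL_SETTING", "setting": "CONTENT_COMPLIANCE",
     "rule": "Patroit", "action": "CREATE"},
    {"time": "2025-03-02T03:20:00Z", "actor": "svc-redcap-admin@example-university.edu",
     "event": "CHANGE_GMAIL_SETTING", "setting": "CONTENT_COMPLIANCE",
     "rule": "Patroit", "action": "UPDATE"},
    {"time": "2025-04-10T15:00:00Z", "actor": "it-lead@example-university.edu",
     "event": "CHANGE_GMAIL_SETTING", "setting": "ROUTING",
     "rule": "Archive finance mail", "action": "UPDATE"},
    {"time": "2025-05-01T09:00:00Z", "actor": "it-lead@example-university.edu",
     "event": "CREATE_USER", "setting": None, "rule": None, "action": "CREATE"},
]

INTERNAL_DOMAINS = {"example-university.edu"}  # placeholder org domain


def recipient_domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    _, sep, domain = addr.strip().rpartition("@")
    return domain.lower() if sep else ""


def load_rules(export_json: str) -> List[dict]:
    """Parse the (assumed) JSON rule export."""
    return json.loads(export_json)


def find_external_reroutes(rules: Iterable[dict], internal_domains: Iterable[str]) -> List[dict]:
    """Return one finding per rule that adds any recipient outside the org.

    Domain comparison is case-insensitive so a mixed-case internal address
    is not reported as external.
    """
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        external = [r for r in actions.get("add_recipients", [])
                    if recipient_domain(r) not in internal]
        if not external:
            continue
        findings.append({
            "rule": rule.get("name", "<unnamed>"),
            "scope": rule.get("scope", "?"),
            "external_recipients": external,
            "bcc": bool(actions.get("bcc", False)),
            # A very long keyword list on a domain-wide rule is itself a signal.
            "keyword_count": len(rule.get("match", {}).get("keywords", [])),
        })
    return findings


def rule_change_history(events: Iterable[dict],
                        settings: Tuple[str, ...] = ("CONTENT_COMPLIANCE", "ROUTING")
                        ) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group mail-rule change events by rule name as (time, actor, action) tuples."""
    history: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for ev in events:
        if ev.get("event") != "CHANGE_GMAIL_SETTING" or ev.get("setting") not in settings:
            continue
        history[ev["rule"]].append((ev["time"], ev["actor"], ev["action"]))
    for entries in history.values():
        entries.sort()  # ISO-8601 timestamps sort chronologically as strings
    return dict(history)


if __name__ == "__main__":
    for f in find_external_reroutes(load_rules(SAMPLE_RULES_JSON), INTERNAL_DOMAINS):
        print(f"EXTERNAL REROUTE rule={f['rule']!r} scope={f['scope']} "
              f"bcc={f['bcc']} keywords={f['keyword_count']} -> {f['external_recipients']}")
    for rule, entries in rule_change_history(SAMPLE_AUDIT_EVENTS).items():
        for time, actor, action in entries:
            print(f"{time} {action:6} {rule!r} by {actor}")
```

Run against the samples, the first function reports only the "Patroit" rule (domain-wide, BCC, external recipient), while the mixed-case legal-hold address is correctly treated as internal; the second function shows the same service account creating and then editing that rule within minutes, which is the kind of history that survives even after an attacker deletes the rule.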
