A newly disclosed espionage campaign shows a PRC-linked group living undetected inside a medical research network for more than a year, harvesting credentials from a widely used research data tool and quietly forwarding sensitive emails to an attacker-controlled inbox, a wake-up call for any Texas institution running REDCap.
Somewhere on a U.S. medical research campus, a graduate student logged into REDCap — the online survey and database tool nearly every clinical trial and public health study in the country runs on — to update a dataset. Nothing looked unusual. But behind that login screen, malware had quietly recorded every username and password typed there for more than a year, stashing them in a hidden corner of the university's own database. By the time anyone noticed, the intruders had reached a domain administrator account and arranged for strategically interesting emails to be copied to an inbox they controlled. It took Google's Threat Intelligence Group, working with Mandiant, to pull back the curtain.
What happened
Google's Threat Intelligence Group (GTIG) and Mandiant Consulting disclosed in mid-June that a China-aligned group tracked as UNC6508 breached a U.S. medical research university and remained inside its network from September 2023 through November 2025 — more than 14 months of sustained, undetected access. The intrusion began with the group exploiting the university's public-facing REDCap servers, a platform used across North America to manage research databases and surveys.
Three months after gaining access, UNC6508 deployed a custom toolkit called INFINITERED, built to run inside REDCap. One component hijacks REDCap's own update process to reinstall itself with every upgrade; another silently captures login credentials; a backdoor lets attackers run commands and pull data at will.
The most striking part came more than a year in. Using stolen credentials, the attackers reached a domain administrator account and abused a legitimate email feature — a content-compliance rule normally used to enforce policies like blocking profanity — to quietly forward emails matching strategic keywords to a Gmail account they controlled. GTIG says this method was novel because it required no malware and mimicked ordinary IT administration, making it extraordinarily hard to detect. Stolen material spanned medical research, defense topics and infectious-disease data. Google has since disrupted the infrastructure, notified affected organizations, and shared indicators of compromise with defenders.
Why it matters for Texas institutions
Texas is home to some of the nation's largest medical and research enterprises — UT Southwestern, UT Health Science Centers, Texas A&M Health Science Center, MD Anderson, Baylor College of Medicine, and many university clinical trial programs — nearly all reliant on REDCap for grant-funded research. Any Texas institution running an externally accessible REDCap instance, especially one tied to federally funded, defense-adjacent or public health research, sits squarely in the collection priorities GTIG described. State agencies and community colleges that partner on public health studies or host shared research cores are exposed by extension, since one compromised server can become a pivot point into a broader campus network.
What your institution should do
Start by inventorying every REDCap instance on your network, including ones research groups stood up independently of central IT, and confirm none run outdated versions exposed to the internet. The single most effective step any campus can take, per GTIG's own researchers, is enforcing phishing-resistant multifactor authentication everywhere it's supported, since this campaign hinged on reused, stolen credentials rather than a software exploit. Security teams should also audit mail-flow and content-compliance rules across Exchange or Google Workspace, since a malicious forwarding rule can hide in plain sight for months. Finally, enable data-loss-prevention alerts tied to sensitive research keywords and keep server logs centralized long enough to catch an intrusion that, here, went unnoticed for over a year.
None of this requires abandoning research tools your faculty depend on — it requires closing the visibility gaps that let a well-resourced adversary operate quietly for over a year. RSOC exists to help Texas higher education and state government close those gaps, whether through a REDCap security review, sharing indicators of compromise, or serving as a sounding board during incident response. Reach out to RSOC at rsoc.utexas.edu with questions about your research computing environment.