Last updated: July 5, 2026 at 9:01 AM UTC

China-linked group hid in research networks, stealing email via Workspace rules

Google's Threat Intelligence Group has detailed a China-linked espionage cluster, tracked as UNC6508, that lurked inside North American medical, academic, and military research networks for more than a year. The attackers gained their foothold by planting a backdoor on victims' REDCap research-data servers and used it to harvest login credentials. The notable part was exfiltration: rather than shipping data out with malware, they quietly rewrote victims' own Google Workspace mail rules to auto-forward any message matching their target keywords to an attacker-controlled inbox, so the theft looked like ordinary forwarding traffic. The campaign focused on sensitive research and defense-related communications, and went undetected for an unusually long time.

Check
Audit Google Workspace mail forwarding and filter rules for unauthorized auto-forwarding to external addresses, and review REDCap and other research servers for unexpected accounts, credential theft, or backdoor activity.
Affected
Medical, academic, and defense research organizations running REDCap servers and Google Workspace, whose sensitive research and defense-related communications are the target of long-dwell, low-noise espionage groups.
Fix
Remove malicious mail rules, reset exposed credentials, and enforce phishing-resistant MFA. Patch and monitor REDCap servers, restrict who can create auto-forwarding rules, and alert on new external forwarding.
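The audit in the Check section and the "alert on new external forwarding" step of the Fix both come down to the same logic: walk every mailbox's filter rules and account-level auto-forwarding setting and flag any destination outside the organization's own domains. The following is an added example written for this page, not code from Google's report or from the REDCap project. It assumes the JSON shapes returned by the Gmail API methods users.settings.filters.list (filter objects with criteria and action.forward) and users.settings.getAutoForwarding (enabled, emailAddress, disposition), and uses a constructed sample snapshot with an assumed internal domain so it runs offline.

```python
"""Offline audit of Gmail filter rules and auto-forwarding for external destinations.

Added example for this page; not Google's or REDCap's code. Assumes the
Gmail API shapes of users.settings.filters.list and
users.settings.getAutoForwarding. Sample data and domain names are constructed.
"""
from dataclasses import dataclass
from typing import Iterable

# Assumed internal mail domains; anything else is treated as external.
INTERNAL_DOMAINS = {"example-research.edu"}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str          # "filter" (per-rule forward) or "auto_forward" (account-wide)
    destination: str
    detail: str


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if malformed)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_external(address: str, internal: Iterable[str] = INTERNAL_DOMAINS) -> bool:
    """True if the address is outside the internal domains (subdomains count as internal)."""
    dom = domain_of(address)
    return not any(dom == d or dom.endswith("." + d) for d in internal)


def describe_criteria(criteria: dict) -> str:
    """Summarise a filter's match criteria (from/to/subject/query/...) for the report."""
    parts = [f"{k}={v!r}" for k, v in criteria.items() if v not in (None, "", False)]
    return ", ".join(parts) or "<all mail>"


def audit_user(user: str, filters: list[dict], auto_forwarding: dict,
               internal: Iterable[str] = INTERNAL_DOMAINS) -> list[Finding]:
    """Flag external forwarding for one mailbox, account-wide first, then per filter."""
    findings: list[Finding] = []
    if auto_forwarding.get("enabled") and is_external(auto_forwarding.get("emailAddress", ""), internal):
        findings.append(Finding(user, "auto_forward", auto_forwarding["emailAddress"],
                                f"disposition={auto_forwarding.get('disposition')}"))
    for f in filters:
        action = f.get("action", {})
        dest = action.get("forward")
        if not dest or not is_external(dest, internal):
            continue
        detail = describe_criteria(f.get("criteria", {}))
        # A rule that also removes INBOX or trashes the mail hides the forward from the victim,
        # which is the pattern to prioritise in triage.
        if "INBOX" in action.get("removeLabelIds", []) or "TRASH" in action.get("addLabelIds", []):
            detail += " [hidden from inbox]"
        findings.append(Finding(user, "filter", dest, detail))
    return findings


def audit_snapshot(snapshot: dict, internal: Iterable[str] = INTERNAL_DOMAINS) -> list[Finding]:
    """snapshot maps user -> {"filters": [...], "autoForwarding": {...}} as fetched from the API."""
    findings: list[Finding] = []
    for user, settings in snapshot.items():
        findings.extend(audit_user(user, settings.get("filters", []),
                                   settings.get("autoForwarding", {}), internal))
    return findings


# Constructed sample: one clean mailbox, one with a keyword-matching filter that
# forwards externally and hides the copy, plus account-wide forwarding to a webmail domain.
SAMPLE_SNAPSHOT = {
    "alice@example-research.edu": {
        "filters": [
            {"id": "f1", "criteria": {"from": "noreply@example-research.edu"},
             "action": {"addLabelIds": ["Label_1"]}},
            {"id": "f2", "criteria": {"to": "lab-admin@example-research.edu"},
             "action": {"forward": "lab-admin@example-research.edu"}},
        ],
        "autoForwarding": {"enabled": False},
    },
    "bob@example-research.edu": {
        "filters": [
            {"id": "f3", "criteria": {"query": "subject:(grant OR proposal OR DoD)"},
             "action": {"forward": "archive.sync@mail-relay.example.net",
                        "removeLabelIds": ["INBOX", "UNREAD"]}},
        ],
        "autoForwarding": {"enabled": True,
                           "emailAddress": "b.backup@freemail.example.org",
                           "disposition": "leaveInInbox"},
    },
}

if __name__ == "__main__":
    for finding in audit_snapshot(SAMPLE_SNAPSHOT):
        print(f"{finding.user}: {finding.kind} -> {finding.destination} ({finding.detail})")
```

To build the snapshot for a real tenant, call `users().settings().filters().list(userId=...)` and `users().settings().getAutoForwarding(userId=...)` from the google-api-python-client with a domain-wide delegated service account and loop over every user; running the audit on a schedule and diffing against the previous run turns the same function into the "alert on new external forwarding" control.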