
INFINITERED REDCap backdoor and credential harvester

Malware Activity · H score 26 · 1 unique source, 1 article

Summary


The INFINITERED malware was deployed on REDCap servers to preserve access, steal credentials, and operate as a backdoor inside compromised research environments. It trojanized REDCap system files, hijacked the upgrade process so reinfected code would survive updates, and harvested usernames and passwords from the login page. The malware also accepted commands through HTTP cookies and ran on every page load, extending persistence through November 2025.

Related Happenings

UNC6508 China-linked REDCap espionage campaign

Campaign · H score 39 · First: 15.06.2026 17:00 · Last: 15.06.2026 17:00 · Sources: 1

How related: A China-linked espionage group hid inside North American medical, academic, and military research networks for more than a year, quietly stealing sensitive research and defense email.

About this happening: **UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...

Medical institution in North America hit by data theft breach

Incident · H score 26 · First: 15.06.2026 17:00 · Last: 15.06.2026 17:00 · Sources: 1

About this happening: A **North American medical institution** suffered a **REDCap breach** that enabled **InfiniteRed** deployment and sensitive-data theft, leaving the network compromised for more th...

GammaWorm NTFS Alternate Data Streams propagation and backdoor activity

Malware Activity · H score 40 · First: 01.06.2026 14:00 · Last: 01.06.2026 14:00 · Sources: 1

About this happening: The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...

EtherRAT Node.js backdoor with Ethereum smart-contract C2

Malware Activity · H score 40 · First: 26.03.2026 17:00 · Last: 26.03.2026 17:00 · Sources: 1

About this happening: The **EtherRAT** malware activity centers on a **Node.js-based backdoor** that uses **Ethereum smart contracts** to hide and rotate C2 infrastructure. In a **React2Shell** attack,...

EtherRAT remote access trojan with blockchain-based C2

Malware Activity · H score 43 · First: 09.12.2025 19:15 · Last: 09.12.2025 19:15 · Sources: 1

About this happening: **EtherRAT** is now a live **Linux RAT** threat because it combines **Ethereum smart contracts** for C2 with multiple persistence layers, making blocked infrastructure less effect...

Timeline

  1. 15.06.2026 22:44 · 2 articles

    GTIG attributes INFINITERED to UNC6508 on compromised REDCap servers

    Technical Analysis Update

    GTIG attributed the INFINITERED malware to UNC6508 and described it as a trojanized backdoor on externally facing REDCap servers. The malware modified REDCap system files, hijacked the upgrade process so reinfected code would persist across versions, harvested usernames and passwords from the login page, and accepted commands through HTTP cookies. GTIG also said the campaign began with the earliest known compromise in September 2023 and continued through November 2025.
