
UNC6508 China-linked REDCap espionage campaign

Type: Campaign · Happening score: 40 · 1 unique source, 1 article

Summary


UNC6508 ran a China-linked espionage campaign that targeted exposed REDCap servers to steal sensitive data from a North American medical institution. The operation stayed active from September 2023 through November 2025, giving the actor more than a year of undetected access. The operators used InfiniteRed, a custom malware set built for REDCap environments, and paired it with residential proxies, compromised routers, and VPS infrastructure. The campaign mattered because it combined credential theft and email-based exfiltration to move research data out of the victim network.

Related Happenings

Medical institution in North America hit by data theft breach

Incident
H score: 26 · First: 15.06.2026 17:00 · Last: 15.06.2026 17:00 · Sources: 1

How related: A China-linked espionage campaign targeted exposed REDCap servers to deploy the InfiniteRed malware and steal sensitive data from a medical institution in North America.

About this happening: A **North American medical institution** suffered a **REDCap breach** that enabled **InfiniteRed** deployment and sensitive-data theft, leaving the network compromised for more th...

SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets

Campaign
H score: 55 · First: 01.05.2026 17:02 · Last: 01.05.2026 17:02 · Sources: 1

About this happening: **SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...

North Korean remote IT worker scam operation targeting American companies

Campaign
H score: 32 · First: 16.04.2026 19:00 · Last: 16.04.2026 19:00 · Sources: 1

About this happening: A long-running **North Korean remote IT worker scam operation** used **stolen identities** and fake placements to embed operators inside **more than 100 American companies**. The...

BlueNoroff spear-phishing campaign uses typosquatted Zoom, Teams, and Calendly lures against crypto firms

Campaign
H score: 39 · First: 11.02.2026 00:17 · Last: 11.02.2026 00:17 · Sources: 1

About this happening: **BlueNoroff**, a **North Korea-linked Lazarus Group** subgroup, ran a **large-scale spear-phishing campaign** against **100+ cryptocurrency organizations** in **20+ countries** b...

Timeline

  1. 15.06.2026 17:00 · 2 articles

     UNC6508 targets exposed REDCap servers to steal medical research data (Initial Disclosure)

    GTIG disclosed a China-linked espionage campaign in which UNC6508 targeted exposed REDCap servers at a North American medical institution, deployed the InfiniteRed malware, and stole sensitive research data. The investigation tied the compromise to September 2023, noted malicious activity continuing through November 2025, and observed email-based exfiltration through a legitimate content compliance rules feature.
