UNC6508 Rewires Google Workspace Compliance Rules for Stealth Email Exfiltration After REDCap Server Compromises

The group first compromised REDCap servers used by US and Canadian medical research and defense entities. INFINITERED modified core system files to persist across upgrades, harvest credentials from the login page, and accept commands via HTTP cookies. Once inside, operators escalated to domain admin rights. Technical evidence consists of modified REDCap database tables containing stolen logins and the presence of the misspelled compliance rule named Patroit.

GTIG attributes the activity to a China-linked cluster with high confidence based on infrastructure overlap and targeting priorities that include uncrewed vehicles, offensive cyber tools, and chikungunya-related research. No specific CVE or initial access vector is named, and no independent technical attribution has been published. The method of using native Workspace content rules for exfiltration had not previously been observed from this actor.

This campaign fits an established pattern of state operators abusing legitimate cloud administration features rather than deploying custom mail malware. Similar rule-based forwarding has appeared in other suites, yet defenders rarely audit compliance configurations after initial setup. The persistence mechanism that survives REDCap upgrades highlights how legacy version coexistence creates downgrade opportunities.

Organizations should immediately audit all Workspace content compliance rules for unexpected BCC addresses and remove legacy REDCap installations. Continued monitoring of service account logins from research platforms is required; GTIG notifications have already disabled the attacker Gmail sink.