A Beijing-linked cyberespionage group spent more than a year infiltrating research institutions across North America before being detected, according to a new report from Google.
In a report published on June 15, the Google Threat Intelligence Group said the hacking campaign, which ran from September 2023 through November 2025, primarily targeted academic, medical, and military research organizations in the United States and Canada.
According to the report, the attackers sought information ranging from medical research to defense intelligence, military strategy in the Indo-Pacific, artificial intelligence, unmanned vehicles, and cyber warfare.
The hacker group, which Google tracks as UNC6508, is believed to have been active since at least 2023. Google’s cybersecurity experts began monitoring the threat actor in early 2025 and referenced it in a report released in February.
The Google team did not identify the affected institutions but described them as a “diverse set of national, state, and private medical entities” that collectively employ thousands of people and oversee research budgets worth billions of dollars. It said it disrupted the attackers’ infrastructure and notified each of the identified victims.
“These organizations comprise world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies,” the Google Threat Intelligence Group wrote. “Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness.”
According to the group, the earliest known activity associated with the campaign dates back to September 2023, when the attackers exploited servers running REDCap, a widely used web platform for managing clinical research databases and surveys.
The Google Threat Intelligence Group said it remains unclear exactly how the hackers initially gained access to the REDCap servers, but evidence suggests they may have targeted organizations running vulnerable legacy versions of the application.
In one intrusion investigated by the group, the attackers deployed a custom malware tool dubbed InfiniteRed, which harvested legitimate REDCap credentials and enabled access to targeted networks. Once inside, the hackers established an automated system that forwarded emails containing any of nearly 150 predefined keywords and search terms to a Gmail account under their control.
The group’s information-extraction priorities appear to be “aligned with the strategic interests” of the Chinese regime, according to the report.
While most of the search terms related to defense, geopolitical affairs, and emerging technologies, Google researchers noted that one term in particular—“chikungunya”—stood out.
Chikungunya is a mosquito-borne viral disease. It was at the center of an outbreak in China’s southern Guangdong Province beginning in July 2025.
In August 2025, Chinese public health authorities imposed a series of COVID-19-style control measures after designating six provinces as high-risk regions for chikungunya prevention and containment. Around the same time, the U.S. Centers for Disease Control and Prevention issued a travel advisory for parts of China because of the outbreak. The alert has since been lifted.
Google gave no reason why the group showed interest in chikungunya-related information.






















