Chinese Hackers Abused Google Workspace Rules to Steal Research and Security Emails

A Chinese-linked spy group hid inside medical, academic, and military research networks in North America for more than a year, quietly stealing sensitive research and defense email.
The way in was a backdoor on REDCap research servers that harvested login credentials. The exfiltration was the unusual part: the attackers repurposed victims’ Google Workspace rules to copy any message matching their keywords into an inbox they controlled.
Google’s Threat Intelligence Group (GTIG) described the campaign in a report published this week and attributes it with high confidence to the cluster it tracks as UNC6508.
The actor and its REDCap backdoor are not new names; Google first disclosed both in February, in a broader report on government-backed attacks against the sector. It did not name the victims, describing them as multiple organizations across the US and Canada: clinical providers, educational institutions, military health centers, advocacy groups, and health regulators.
Google says it notified them and disrupted the group’s infrastructure.
How did they get in?
The entry point was REDCap (Research Electronic Data Capture), a web platform used by hospitals and universities to create and manage research data. UNC6508 compromised external-facing REDCap servers.
Google hasn’t pinpointed the initial access vector, named a specific CVE, or listed the affected versions, though it has seen the group probing for older, vulnerable ones.

About three months after the initial intrusion, the group deployed custom malware GTIG calls INFINITERED, which tampers with REDCap’s system files and does three things.
- First, it hooks the upgrade process so that every new REDCap version re-writes the implant into place instead of erasing it.
- Second, it harvests usernames and passwords from the login page and stores them, encrypted, in local database tables.
- Third, it works as a backdoor, taking commands via HTTP cookies and executing them on every page load.
The earliest known compromise dates to September 2023, and activity continued into November 2025. Once on the server, UNC6508 carried out internal reconnaissance and data collection, pulling database and service-account credentials, then used those credentials to get onto the internal network and pivot to a domain administrator account.

Google does not specify the exact path to that administrator account. With administrative rights, the group set up the exfiltration.
How did they steal the email?
The exfiltration rides on an existing feature. UNC6508 abused content compliance, a legitimate Google Workspace administrator feature that scans email for keywords and can copy or forward matching messages.
Similar features exist in other cloud mail suites. The group created a rule, misspelled “Patroit,” that matched on nearly 150 keywords, search terms, and email addresses. If a message matched, Workspace silently forwarded it to an attacker-controlled Gmail address, which Google has since blocked. No malware on the mail server, no separate exfiltration tool, no unusual network traffic. Just a built-in mail feature, doing exactly what it is designed to do, copying the organization’s secrets into an inbox the attacker owns.
MITRE already catalogs email forwarding rules as a known technique. What GTIG flags as new here is the use of domain-wide content compliance rules to do it, an approach it says it hasn’t seen from a China-linked actor before.
The rule’s keywords map to the UNC6508 cluster’s priorities: geostrategic policy, military strategy and equipment, advanced technologies including AI and autonomous vehicles, offensive cyber capabilities, and medical research. One term stood out for its specificity: chikungunya, a mosquito-borne virus, following a 2025 outbreak in China’s Guangdong province.
What to do
Start with REDCap. Patch externally facing servers and remove old versions outright, rather than leaving them alongside the current build. REDCap allows legacy versions to run side by side, and that is what enables downgrade attacks, where an attacker forces the software back to a known vulnerable release.
Then check the mail side. Review Workspace, or equivalent, content compliance and email forwarding rules for anything that BCCs or redirects mail to external addresses. Check the admin audit logs for when rules were changed, not just what they say now. Pull the published GTIG indicators and hunt for INFINITERED. And put phishing-resistant MFA on administrator accounts, since the entire email theft chain depends on administrator access.
Google still doesn’t know how UNC6508 got onto the REDCap servers in the first place. The part to watch is the mail rule. If attackers hold administrator access, a built-in cloud feature can become a silent exfiltration channel, and that is what defenders need to check for, not just the REDCap backdoor.
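The rule review described above can be scripted. The following is an added example, not code from GTIG, Google, or the report; it audits a simplified export of content compliance rules, flags any rule that BCCs or forwards to a domain outside the organization, and marks which of those rules were modified after a chosen date so they can be cross-checked against admin audit logs. The JSON field names (`actions.add_bcc`, `actions.forward_to`, `modified_by`, `modified_at`) and the sample rules, including the external Gmail placeholder address, are constructed for the example and are not the Google Admin console or API schema.

```python
"""Audit mail content-compliance rules for external copy/forward actions.

Added example. The rule export format below is an assumption chosen for
illustration; map your real export into this shape before running.
"""
import json
from datetime import datetime, timezone

# Constructed sample rule export. Field names are NOT Google's schema.
# "Patroit" mirrors the misspelled rule name reported by GTIG; the gmail.com
# recipient is a placeholder, not a real attacker address.
SAMPLE_RULES_JSON = """
[
  {"name": "Archive legal hold", "enabled": true,
   "match": {"keywords": ["subpoena", "litigation"]},
   "actions": {"add_bcc": ["legalhold@example.edu"]},
   "modified_by": "it-admin@example.edu", "modified_at": "2024-01-10T09:12:00Z"},
  {"name": "Patroit", "enabled": true,
   "match": {"keywords": ["hypersonic", "autonomous", "chikungunya"]},
   "actions": {"add_bcc": ["example-placeholder@gmail.com"]},
   "modified_by": "domain-admin@example.edu", "modified_at": "2025-03-02T03:41:00Z"},
  {"name": "Route support mail", "enabled": true,
   "match": {"keywords": ["ticket"]},
   "actions": {"forward_to": ["helpdesk@example.edu"]},
   "modified_by": "it-admin@example.edu", "modified_at": "2023-06-01T12:00:00Z"},
  {"name": "Old partner copy", "enabled": false,
   "match": {"keywords": ["grant"]},
   "actions": {"add_bcc": ["grants@partner-university.example"]},
   "modified_by": "it-admin@example.edu", "modified_at": "2022-11-20T08:00:00Z"}
]
"""

# Domains the organization owns; anything else counts as external.
ORG_DOMAINS = {"example.edu"}


def external_recipients(rule, org_domains):
    """Return every BCC/forward recipient whose domain is outside the org."""
    found = []
    for action in ("add_bcc", "forward_to"):
        for addr in rule.get("actions", {}).get(action, []):
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in org_domains:
                found.append(addr)
    return found


def audit_rules(rules, org_domains, changed_after=None):
    """Flag rules that copy mail externally; enabled and recent ones sort first."""
    findings = []
    for rule in rules:
        ext = external_recipients(rule, org_domains)
        if not ext:
            continue  # internal-only copies are normal compliance behaviour
        modified = datetime.fromisoformat(rule["modified_at"].replace("Z", "+00:00"))
        recent = changed_after is not None and modified >= changed_after
        findings.append({
            "rule": rule["name"],
            "enabled": rule.get("enabled", False),
            "external_recipients": ext,
            # A very broad keyword list is itself a warning sign (GTIG saw ~150).
            "keyword_count": len(rule.get("match", {}).get("keywords", [])),
            "modified_by": rule["modified_by"],
            "modified_at": rule["modified_at"],
            "recently_changed": recent,
        })
    # Enabled rules first, then most recently modified first.
    findings.sort(key=lambda f: (f["enabled"], f["modified_at"]), reverse=True)
    return findings


def run_sample():
    """Run the audit over the constructed export, treating 2025 changes as recent."""
    rules = json.loads(SAMPLE_RULES_JSON)
    since = datetime(2025, 1, 1, tzinfo=timezone.utc)
    return audit_rules(rules, ORG_DOMAINS, changed_after=since)


if __name__ == "__main__":
    for f in run_sample():
        state = "ENABLED" if f["enabled"] else "disabled"
        flag = " (changed recently, verify in admin audit log)" if f["recently_changed"] else ""
        print(f"[{state}] {f['rule']}: copies to {f['external_recipients']} "
              f"({f['keyword_count']} keywords, last changed by {f['modified_by']} "
              f"at {f['modified_at']}){flag}")
```

The two internal rules drop out, the disabled partner rule is reported but ranked last, and the "Patroit" rule surfaces at the top with its external recipient and a recent-change marker, which is the entry to take to the admin audit log to see who created it and when.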