Chinese APT UNC6508 Weaponized Google Workspace Compliance Rules to Exfiltrate Defense Research

Tags: REDCap server, INFINITERED, domain admin, Workspace rules, UNC6508

Key figures:
  • 14+ months dwell time
  • ~150 exfil keywords
  • Sep 2023 earliest compromise
  • 0 CVEs disclosed
TL;DR
  • What: Chinese APT group UNC6508 compromised REDCap research servers at North American medical, academic, and military institutions, deployed the INFINITERED backdoor, escalated to domain admin, and exfiltrated email using Google Workspace content compliance rules.
  • Impact: Attackers stole sensitive defense, military strategy, advanced technology research, and medical data from US and Canadian clinical providers, universities, military health institutions, advocacy groups, and regulators for over 14 months.
  • Fix / mitigation: Patch and remove legacy REDCap versions, audit Google Workspace content compliance and forwarding rules for external BCCs, hunt for INFINITERED indicators, enforce phishing-resistant MFA on admin accounts, and review admin audit logs for unauthorized rule changes.
  • Who's at risk: Organizations running externally facing REDCap servers—especially medical research centers, academic institutions, military health facilities, and defense contractors—and any Google Workspace tenant with exposed admin credentials.

A China-linked APT group maintained persistent access inside North American research and defense networks for more than a year, silently exfiltrating sensitive email by weaponizing a feature built into Google Workspace itself. Google's Threat Intelligence Group attributes the campaign with high confidence to UNC6508, a cluster it first disclosed in February 2026 as part of broader state-backed targeting of the defense sector.

The attackers compromised externally facing REDCap servers—a web platform used by hospitals and universities to manage research databases—deployed a custom backdoor called INFINITERED, escalated to domain administrator access, then created content compliance rules that silently BCC'd matching emails to attacker-controlled Gmail addresses. Victims spanned clinical providers, academic centers, military health institutions, advocacy groups, and health regulators across the US and Canada. Google notified affected organizations and disrupted UNC6508 infrastructure, but the campaign ran from at least September 2023 through November 2025.

INFINITERED: A Self-Reinstalling Backdoor

UNC6508 gained initial access by compromising externally facing REDCap servers. Google did not identify the specific CVE or affected versions, though the group was observed probing older, vulnerable instances. Approximately three months after initial compromise, the attackers deployed INFINITERED, a custom malware that trojanizes REDCap's own system files.

INFINITERED delivers three capabilities. First, it hijacks the REDCap upgrade process to reinject itself with each new version, ensuring persistence across patching cycles. Second, it harvests usernames and passwords from the login page and stores them encrypted in local database tables. Third, it functions as a backdoor, accepting commands via HTTP cookies and executing on every page load. This architecture makes INFINITERED difficult to remove without completely rebuilding the REDCap instance.

Legacy Version Risk

REDCap allows legacy versions to run side-by-side with current builds, creating a downgrade attack surface: attackers can force the application back to a known-vulnerable release even when the primary instance is patched. Organizations must remove old versions entirely, not merely install the current build alongside them.

After establishing persistence, UNC6508 conducted internal reconnaissance and credential harvesting. The group pulled database and service account credentials from the compromised REDCap server, then pivoted into the internal network. Google's report does not detail the exact lateral movement path, but the attackers ultimately obtained domain administrator credentials—the key to the exfiltration operation.

Abusing Google Workspace Content Compliance Rules

With domain admin access in hand, UNC6508 executed the exfiltration phase using a built-in Google Workspace feature: content compliance rules. These rules, intended for data loss prevention and regulatory compliance, scan email content for specified keywords and can automatically copy, forward, or quarantine matching messages. The attackers created a misspelled rule named "Patroit" containing nearly 150 keywords, search terms, and email addresses. When any message matched the criteria, Workspace silently BCC'd a copy to an attacker-controlled Gmail address.

This technique required no malware on the mail server, no separate exfiltration tool, and generated no unusual network traffic patterns. The stolen emails simply appeared as legitimate internal copies. Google has since disabled the attacker Gmail accounts, but GTIG flags this abuse of domain-level content compliance rules as a novel technique it had not previously observed from China-linked actors. MITRE ATT&CK already catalogs email forwarding rule abuse as technique T1114.003, but the use of organization-wide compliance rules represents an evolution in TTPs.

Collection Priorities

The rule's keyword list mapped directly to Chinese intelligence requirements: geo-strategic policy, military strategy and equipment, advanced technology including AI and uncrewed vehicles, offensive cyber programs, and medical research. One specific term—chikungunya—corresponded to the mosquito-borne virus behind a 2025 outbreak in China's Guangdong province.

Why This Matters for Defenders

The UNC6508 campaign highlights two critical blind spots in enterprise security architecture. First, legacy application versions create persistent vulnerabilities even when primary systems are patched. REDCap's side-by-side versioning model allowed attackers to target older, vulnerable code paths while defenders focused on keeping the main instance current. Second, legitimate cloud platform features can become exfiltration channels when attackers obtain administrative credentials. Content compliance rules, mail forwarding, and similar built-in capabilities operate at the platform level and often escape detection by traditional security monitoring.

Google still does not know how UNC6508 initially compromised the REDCap servers. The lack of a disclosed CVE means defenders cannot rely on a single patch to close the door. This opacity underscores the importance of reducing external attack surface: research platforms with user credentials should not be directly exposed to the internet without strong authentication controls and network segmentation.

Immediate Mitigation Steps

Organizations running REDCap or similar research platforms should take immediate action. Patch all externally facing instances to the latest version and remove legacy versions entirely—do not leave old releases running alongside current builds. Conduct forensic reviews of REDCap system files for trojanized code, and hunt for GTIG's published INFINITERED indicators across the environment.
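As an added illustration of the two REDCap checks above (not code from Google's report or from the REDCap project), the Python below flags legacy release directories still installed beside the current one and compares a release's PHP files against a manifest of known-good SHA-256 digests. It assumes REDCap's one-directory-per-release layout (redcap_vX.Y.Z under the web root); the directory tree, file names and digests are constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Assumption (see lead-in): each installed REDCap release lives in its own
# redcap_vX.Y.Z directory under the web root, and old ones stay reachable.
VERSION_DIR = re.compile(r"^redcap_v(\d+)\.(\d+)\.(\d+)$")

def installed_versions(webroot):
    """Map each redcap_vX.Y.Z directory under webroot to its version tuple."""
    found = {}
    for entry in Path(webroot).iterdir():
        m = VERSION_DIR.match(entry.name)
        if m and entry.is_dir():
            found[entry.name] = tuple(int(x) for x in m.groups())
    return found

def legacy_versions(webroot):
    """Every release directory except the newest: the side-by-side legacy
    builds that should be deleted outright, not merely patched past."""
    found = installed_versions(webroot)
    if not found:
        return []
    newest = max(found.values())
    return sorted(name for name, ver in found.items() if ver < newest)

def modified_files(version_dir, manifest):
    """Compare every .php file under version_dir with a manifest of expected
    SHA-256 digests; return files whose digest differs or that the manifest lacks."""
    suspicious = []
    for path in Path(version_dir).rglob("*.php"):
        rel = path.relative_to(version_dir).as_posix()
        if manifest.get(rel) != hashlib.sha256(path.read_bytes()).hexdigest():
            suspicious.append(rel)
    return sorted(suspicious)

def build_constructed_webroot():
    """Constructed fixture: two releases plus a plugins directory, with one
    system file in the current release altered after the manifest was taken."""
    root = tempfile.mkdtemp(prefix="redcap_")
    for name in ("redcap_v13.1.2", "redcap_v14.0.5", "plugins"):
        os.makedirs(os.path.join(root, name))
    current = os.path.join(root, "redcap_v14.0.5")
    original = {"index.php": b"<?php // pristine\n", "helper.php": b"<?php // original\n"}
    manifest = {n: hashlib.sha256(b).hexdigest() for n, b in original.items()}
    Path(current, "index.php").write_bytes(original["index.php"])
    Path(current, "helper.php").write_bytes(b"<?php // original\ninclude 'x';\n")  # tampered
    return root, current, manifest
```

In production the manifest should come from a pristine copy of the same release, and the comparison should cover every file type the platform executes, not only .php.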

On the email side, audit Google Workspace (or equivalent platform) content compliance rules and mail forwarding configurations. Look specifically for rules that BCC or forward mail to external addresses. Review admin audit logs to identify when rules were created or modified, not just their current state. Unauthorized rule creation is the smoking gun—check for admin account activity during the September 2023 to November 2025 window if your organization uses REDCap.
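The audit described above, as an added example rather than anything from Google's report: the Python below walks admin audit log records for Gmail-setting create/change events and flags any rule whose new value names a recipient outside the tenant's own domains. The record shape mimics the Admin SDK Reports API (applicationName="admin"); the event and parameter names, the domains and addresses, and the "Patroit" rule body are constructed assumptions for this example.

```python
import json
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
RULE_EVENTS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}

# Constructed sample of admin audit log records. The shape follows the Admin
# SDK Reports API (applicationName="admin"); the event and parameter names
# used here are assumptions for this example, not values from the article.
SAMPLE_EVENTS = json.loads("""[
 {"id": {"time": "2024-01-12T03:14:07Z"}, "actor": {"email": "it-admin@example-research.org"},
  "events": [{"name": "CREATE_GMAIL_SETTING", "parameters": [
    {"name": "SETTING_NAME", "value": "Content compliance: Patroit"},
    {"name": "NEW_VALUE", "value": "match any: geo-strategic, uncrewed, chikungunya; action: deliver and bcc collector.2024@gmail.com"}]}]},
 {"id": {"time": "2024-02-02T15:00:00Z"}, "actor": {"email": "it-admin@example-research.org"},
  "events": [{"name": "CREATE_GMAIL_SETTING", "parameters": [
    {"name": "SETTING_NAME", "value": "Content compliance: PHI archive"},
    {"name": "NEW_VALUE", "value": "match any: PHI; action: deliver and bcc archive@example-research.org"}]}]},
 {"id": {"time": "2024-03-09T09:30:00Z"}, "actor": {"email": "it-admin@example-research.org"},
  "events": [{"name": "CHANGE_PASSWORD", "parameters": []}]}
]""")

@dataclass
class Finding:
    time: str
    actor: str
    setting: str
    external_recipients: list

def find_external_recipient_rules(records, org_domains):
    """Flag every Gmail-setting create/change whose new value names a
    recipient outside the organisation's own domains (external BCC/forward)."""
    org_domains = {d.lower() for d in org_domains}
    findings = []
    for rec in records:
        for ev in rec.get("events", []):
            if ev.get("name") not in RULE_EVENTS:
                continue
            params = {p["name"]: p.get("value", "") for p in ev.get("parameters", [])}
            external = sorted({a for a in EMAIL_RE.findall(params.get("NEW_VALUE", ""))
                               if a.rsplit("@", 1)[1].lower() not in org_domains})
            if external:
                findings.append(Finding(rec["id"]["time"], rec["actor"]["email"],
                                        params.get("SETTING_NAME", "?"), external))
    return findings

if __name__ == "__main__":
    for f in find_external_recipient_rules(SAMPLE_EVENTS, {"example-research.org"}):
        print(f"{f.time} {f.actor} set '{f.setting}' -> external: {', '.join(f.external_recipients)}")
```

Run the same recipient check against the current rule set as well as the log, since a rule created before audit log retention began would otherwise be missed.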

The Admin Access Problem

The entire email exfiltration phase hinged on domain administrator access. UNC6508 could not have created organization-wide content compliance rules without those elevated credentials. Enforcing phishing-resistant multi-factor authentication on admin accounts—specifically FIDO2 or WebAuthn tokens that resist credential harvesting—would have blocked this attack path even after the REDCap server had been compromised.

This is the second time Google has publicly attributed activity to UNC6508. The February disclosure described broader defense sector targeting but did not detail the email exfiltration technique. The expanded reporting this week suggests Google observed the group refining its TTPs over multiple campaigns. Defenders should expect continued evolution: the next iteration may target Office 365 transport rules, Proofpoint content filters, or other mail platform features with similar abuse potential.

Bottom Line

UNC6508 demonstrated that persistent access to research infrastructure combined with administrative credentials can turn native cloud features into invisible exfiltration channels. The REDCap backdoor was sophisticated, but the email theft was elegant—no malware required, just a misspelled compliance rule and 14 months of uninterrupted collection. Organizations that assume their cloud mail platform is monitoring outbound email need to audit the platform's own rules, because attackers with admin access are already inside that trust boundary.

RedEye Security provides assessments for organizations that need to understand their real risk.