{ "name": "Public and Private Medical Community Targeted by Threat Actor Pursuing Artificial Intelligence, Cyber, Medical, and National Defense Research", "slug": "public-and-private-medical-community-targeted-by-threat-actor-pursuing-artificial-intelligence-cyber-medical-and-national-defense-research", "description": "A sophisticated espionage campaign attributed to UNC6508, a China-nexus threat actor, targeted North American academic, medical, and military research institutions for over a year. The adversary exploited REDCap servers, deployed custom INFINITERED malware to harvest credentials, and maintained persistent access through trojanized legitimate files that survived software upgrades. After remaining undetected for more than a year, the threat actor pivoted to administrative accounts and created malicious content compliance rules to silently exfiltrate emails containing defense intelligence, Indo-Pacific command operations, artificial intelligence research, uncrewed vehicle systems, cyber programs, and medical research data. The operation employed sophisticated techniques including obfuscation networks routing through US-based infrastructure, compromised routers, and dedicated exfiltration accounts, demonstrating advanced operational security aligned with strategic intelligence collection requirements.", "published": "2026-06-15T17:33:11+00:00", "created_at": "2026-06-15T17:33:11+00:00", "modified_at": "2026-06-16T09:48:51+00:00", "created_at_opencti": "2026-06-15T17:33:11+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2026-06-15", "china-nexus", "content compliance abuse", "credential harvesting", "email-exfiltration", "infinitered", "medical research targeting", "redcap exploitation", "unc6508" ], "related_entities": { "observables": [ { "id": "", "name": "23.169.65.49" }, { "id": "", "name": "ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7" }, { "id": "", "name": "4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b" }, { "id": "", "name": "51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045" }, { "id": "", "name": "8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec" }, { "id": "", "name": "58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86" }, { "id": "", "name": "c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b" }, { "id": "", "name": "db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136" } ], "malware": [ { "id": "a129a65d-f692-4c14-a136-5cb0b7ec6f47", "name": "INFINITERED", "slug": "infinitered" } ], "intrusion_sets": [ { "id": "889111e1-7dca-4e64-873d-a5a4ecb6a621", "name": "UNC6508", "slug": "unc6508" } ], "attack_patterns": [ { "id": "e73b317e-ea92-49b4-a45d-051f7279aced", "name": "T1213" }, { "id": "3b98bf45-b0e0-4070-90d0-686cbe0cd8d3", "name": "T1090.003" }, { "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f", "name": "T1071.001" }, { "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7", "name": "T1555" }, { "id": "beaa4978-0309-438b-a45e-ec566b643811", "name": "T1505.003" }, { "id": "96df92ce-da3e-4c6d-8250-cb250c9ed619", "name": "T1554" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62", "name": "T1190" }, { "id": "fd46e79d-2083-4ed0-ab30-337b09551f7c", "name": "T1114.003" }, { "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58", "name": "T1562.001" }, { "id": "e263a16c-ab5b-4196-8194-1906be1fabc4", "name": "T1056.003" }, { "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2", "name": "T1567" } ], "others": [ { "id": "", "name": "Canada" }, { "id": "", "name": "United States of America" }, { "id": "", "name": "Education" }, { "id": "", "name": "Defense" }, { "id": "", "name": "Healthcare" }, { "id": "", "name": "Government" } ] }, "external_refs": [ "https://otx.alienvault.com/pulse/6a305377d29f8bfdadc72786", "https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research" ] }