A built-in Google Workspace feature became a Chinese espionage group’s favourite exfiltration tool

Google's threat intelligence team says UNC6508 compromised REDCap servers at North American medical, academic, and military research organisations from September 2023 to November 2025, then abused a legitimate Google Workspace content compliance feature to silently BCC matching emails to an attacker-controlled Gmail address



TL;DR

China-linked UNC6508 backdoored REDCap servers at US and Canadian research institutions, then used Google Workspace mail rules to steal email.

A China-linked espionage group spent more than a year inside North American medical, academic, and military research networks, stealing sensitive data and defence email. The attackers got in through a backdoor on REDCap research servers. The exfiltration method was the unusual part: they rewired the victims’ own Google Workspace rules to copy matching messages to an inbox they controlled.

Google’s Threat Intelligence Group laid out the campaign in a report published this week, attributing it with high confidence to a cluster it tracks as UNC6508. The victims span clinical providers, academic centres, military health institutions, advocacy groups, and health regulators across the United States and Canada. Google says it notified the affected organisations and disrupted the group’s infrastructure.

UNC6508 is not a new name. Google first surfaced the group in February in a broader report on state-backed attacks against the defence sector. What is new is the full picture of how the group operated once inside.

The entry point was REDCap, short for Research Electronic Data Capture, a web platform that hospitals and universities use to build and manage clinical study databases. UNC6508 compromised externally facing REDCap servers. Google has not identified the initial access vector, named a specific CVE, or listed affected versions, though it observed the group probing older, vulnerable installations.

About three months after the initial compromise, the group deployed custom malware that Google calls INFINITERED. The malware trojanises REDCap’s own system files and does three things: it hijacks the upgrade process so each new REDCap version reinjects the code instead of clearing it, it harvests usernames and passwords from the login page and stores them encrypted in local database tables, and it acts as a backdoor that takes commands through HTTP cookies on every page load.
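The two persistence properties just described, trojanised system files and an upgrade path that leaves older versions in play, suggest a straightforward hunt: compare the live REDCap web root against a known-good manifest, and list every version directory that is not the newest. The Python below is an added example written for this piece, not code from Google's threat intelligence team or the REDCap project. It assumes the standard REDCap layout of one redcap_vX.Y.Z directory per installed version under the web root, uses a constructed temporary tree in place of a real server, and reproduces no INFINITERED indicators; it surfaces the kind of unexpected modification and leftover version that such an implant relies on, nothing more specific.

```python
import hashlib
import os
import re
import tempfile

# Assumption: standard REDCap layout, one redcap_vX.Y.Z directory per installed
# version under the web root. Verify against your own deployment.
VERSION_DIR_RE = re.compile(r"^redcap_v(\d+)\.(\d+)\.(\d+)$")


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_to_baseline(root, baseline):
    """Diff the live tree against a known-good manifest, e.g. one built from the vendor zip."""
    live = build_manifest(root)
    return {
        "modified": sorted(p for p in live if p in baseline and live[p] != baseline[p]),
        "added": sorted(p for p in live if p not in baseline),
        "missing": sorted(p for p in baseline if p not in live),
    }


def version_dirs(root):
    """All redcap_vX.Y.Z directories directly under root, oldest first."""
    found = []
    for name in os.listdir(root):
        m = VERSION_DIR_RE.match(name)
        if m and os.path.isdir(os.path.join(root, name)):
            found.append((tuple(int(x) for x in m.groups()), name))
    return [name for _, name in sorted(found)]


def legacy_version_dirs(root):
    """Every version directory except the newest: still reachable, so delete them."""
    return version_dirs(root)[:-1]


def make_demo_tree():
    """Constructed web root: one current and one stale version, then tamper with a file."""
    root = tempfile.mkdtemp(prefix="redcap_demo_")
    for ver in ("redcap_v12.5.1", "redcap_v14.0.0"):
        os.makedirs(os.path.join(root, ver))
        with open(os.path.join(root, ver, "index.php"), "w") as f:
            f.write("<?php // placeholder standing in for REDCap's real index.php\n")
    baseline = build_manifest(root)  # snapshot taken while the tree is clean
    with open(os.path.join(root, "redcap_v14.0.0", "index.php"), "a") as f:
        f.write("// constructed tamper marker, standing in for injected code\n")
    with open(os.path.join(root, "redcap_v14.0.0", "extra.php"), "w") as f:
        f.write("<?php // constructed unexpected file\n")
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = make_demo_tree()
    print(compare_to_baseline(demo_root, demo_baseline))
    print("legacy version dirs:", legacy_version_dirs(demo_root))
```

On a real server, build the baseline from a freshly unpacked copy of the same REDCap version rather than from the running tree, since a manifest taken after compromise would bless the implant. Any file reported as modified or added inside a redcap_v directory deserves manual review, and every directory that legacy_version_dirs returns should be removed rather than left in place.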

The earliest known compromise dates to September 2023, with activity continuing through November 2025. Once on the server, UNC6508 ran internal reconnaissance and credential discovery, pulling database and service account credentials. Those logins enabled lateral movement into the internal network and eventually to a domain administrator account. Google does not describe the exact path to admin access.

With admin rights, the group set up an exfiltration method that required no additional malware. UNC6508 abused content compliance rules, a legitimate Google Workspace feature that administrators configure in the Admin console to scan mail for matching content and act on it, including by adding recipients to matching messages. The group created a rule named "Patroit" (a misspelling of "Patriot") that watched for nearly 150 keywords, search terms, and email addresses. When a message matched, Workspace silently BCC'd a copy to an attacker-controlled Gmail address.

No malware on the mail server, no separate exfiltration tool, and nothing unusual on the victim's network, because the copies left through Google's own mail delivery like any other message. Just a built-in administrative feature turned against the organisation that relied on it. Google has since disabled the Gmail address.

MITRE already catalogues email forwarding rule abuse as a known technique under T1114.003. What Google flags as novel is the use of domain-level content compliance rules to achieve the same result, a method it says it had not previously observed from a China-linked actor.

The rule’s keyword list mapped to UNC6508’s collection priorities: geo-strategic policy, military strategy and equipment, advanced technology including AI and uncrewed vehicles, offensive cyber programmes, and medical research. One term stood out for its specificity, chikungunya, the mosquito-borne virus behind a major 2025 outbreak in China’s Guangdong province that infected more than 16,000 people.

The campaign illustrates a broader pattern. ShinyHunters recently exploited an unpatched Oracle PeopleSoft zero-day to breach more than 100 organisations, two-thirds of them universities. In both cases, attackers targeted enterprise software that research institutions depend on, and the victims had limited visibility into the compromise until an external party disclosed it.

The Google Workspace technique is particularly concerning because it leaves almost no forensic trace on the mail system itself. When hackers breached the European Commission through a poisoned version of the security tool Trivy, the attack at least generated anomalous network traffic that eventually triggered alerts. UNC6508’s approach generated none, because the email copying was performed by a legitimate system feature operating exactly as designed.

Google's recommendations are specific. Patch externally facing REDCap servers and delete old version directories entirely, because REDCap leaves legacy installations runnable alongside the current one, which enables downgrade attacks. Review Google Workspace content compliance and mail forwarding rules for anything that BCCs or reroutes email to external addresses. Check the admin audit logs for when such rules were created or changed, and by whom, not just what they currently say. Hunt for INFINITERED using GTIG's published indicators. And deploy phishing-resistant MFA on administrator accounts, since the entire email theft step depended on admin access.
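The rule-audit step above, and the content compliance abuse described earlier, translate into a concrete hunt over the Admin console's audit records. The Python below is an added example written for this piece, not code from Google or GTIG. It assumes that Gmail setting changes appear in exported Admin SDK Reports API activity records as CHANGE_GMAIL_SETTING events carrying SETTING_NAME, USER_DEFINED_SETTING_NAME, ORG_UNIT_NAME, OLD_VALUE and NEW_VALUE parameters (verify these names against your own export), treats example.org as the organisation's domain, and runs over constructed records, one of them named after the reported "Patroit" rule with a placeholder Gmail address. It flags only changes that newly introduce an external address, which answers when a rule started routing mail out rather than what it says today.

```python
import re

# Assumption for this example: the organisation's own mail domains. Any address
# outside this set that appears in a changed rule is treated as external.
INTERNAL_DOMAINS = {"example.org"}

# Assumed admin-audit event name for Gmail setting changes; the parameter names
# used below (SETTING_NAME, NEW_VALUE, OLD_VALUE, USER_DEFINED_SETTING_NAME,
# ORG_UNIT_NAME) are likewise assumptions to check against your export.
GMAIL_SETTING_EVENT = "CHANGE_GMAIL_SETTING"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _params(event):
    """Flatten a Reports API event's parameters list into {name: string value}."""
    out = {}
    for p in event.get("parameters", []):
        if "multiValue" in p:
            out[p["name"]] = " ".join(p["multiValue"])
        else:
            out[p["name"]] = str(p.get("value", p.get("intValue", p.get("boolValue", ""))))
    return out


def extract_external_addresses(text, internal_domains):
    """Return every e-mail address in text whose domain is not one of ours."""
    internal = {d.lower() for d in internal_domains}
    return {
        addr.lower()
        for addr in EMAIL_RE.findall(text)
        if addr.rsplit("@", 1)[1].lower() not in internal
    }


def audit_gmail_setting_changes(activities, internal_domains, event_name=GMAIL_SETTING_EVENT):
    """Flag Gmail setting changes whose new value introduces an external address
    that the old value did not already contain, oldest first."""
    findings = []
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") != event_name:
                continue
            p = _params(ev)
            introduced = (extract_external_addresses(p.get("NEW_VALUE", ""), internal_domains)
                          - extract_external_addresses(p.get("OLD_VALUE", ""), internal_domains))
            if not introduced:
                continue
            findings.append({
                "time": act.get("id", {}).get("time", ""),
                "actor": act.get("actor", {}).get("email"),
                "setting": p.get("SETTING_NAME"),
                "rule_name": p.get("USER_DEFINED_SETTING_NAME"),
                "org_unit": p.get("ORG_UNIT_NAME"),
                "external_addresses": sorted(introduced),
            })
    return sorted(findings, key=lambda f: f["time"])


# Constructed sample records in the general shape of Admin SDK Reports API
# activities (applicationName=admin). Addresses and rule contents are made up;
# only the rule name "Patroit" comes from the reporting.
SAMPLE_ACTIVITIES = [
    {   # benign: an archiving rule re-pointed at another internal mailbox
        "id": {"time": "2024-03-02T09:15:00.000Z"},
        "actor": {"email": "it-admin@example.org"},
        "events": [{"name": "CHANGE_GMAIL_SETTING", "parameters": [
            {"name": "SETTING_NAME", "value": "Content compliance"},
            {"name": "USER_DEFINED_SETTING_NAME", "value": "HR retention"},
            {"name": "ORG_UNIT_NAME", "value": "/"},
            {"name": "OLD_VALUE", "value": "bcc: archive@example.org"},
            {"name": "NEW_VALUE", "value": "bcc: archive-2024@example.org"}]}],
    },
    {   # unrelated admin event, must be ignored
        "id": {"time": "2024-03-02T10:00:00.000Z"},
        "actor": {"email": "it-admin@example.org"},
        "events": [{"name": "CREATE_USER", "parameters": [
            {"name": "USER_EMAIL", "value": "new.hire@example.org"}]}],
    },
    {   # suspicious: new domain-level rule that BCCs matches to an outside Gmail address
        "id": {"time": "2024-03-03T02:41:00.000Z"},
        "actor": {"email": "domain-admin@example.org"},
        "events": [{"name": "CHANGE_GMAIL_SETTING", "parameters": [
            {"name": "SETTING_NAME", "value": "Content compliance"},
            {"name": "USER_DEFINED_SETTING_NAME", "value": "Patroit"},
            {"name": "ORG_UNIT_NAME", "value": "/"},
            {"name": "OLD_VALUE", "value": ""},
            {"name": "NEW_VALUE", "multiValue": [
                "match: chikungunya",
                "action: add recipient bcc collector-placeholder@gmail.com"]}]}],
    },
]


if __name__ == "__main__":
    for finding in audit_gmail_setting_changes(SAMPLE_ACTIVITIES, INTERNAL_DOMAINS):
        print(finding)
```

Feed it the records you pull from the admin audit log for your retention window and compare the flagged actors and timestamps against change tickets; a rule added outside business hours by an account that does not normally touch Gmail settings is the pattern this campaign would have produced. The same function runs unchanged over routing and forwarding setting events if you pass their event name instead.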

Google still does not know how UNC6508 first reached the REDCap servers. That gap matters less than the broader lesson: once attackers hold admin access to a cloud email system, a built-in feature can quietly become an exfiltration channel. The REDCap backdoor got them in. The Google Workspace rule got the data out. Defenders need to audit both.
