
Chinese hackers breach REDCap servers, steal medical research

Why This Matters

This breach highlights the growing sophistication of state-sponsored cyber espionage targeting critical medical research infrastructure, emphasizing the need for enhanced cybersecurity measures in sensitive sectors. The attack underscores the importance for organizations to update vulnerable systems and monitor for advanced persistent threats that can remain undetected for years.

Key Takeaways

A China-linked espionage campaign targeted exposed REDCap servers to deploy the InfiniteRed malware and steal sensitive data from a medical institution in North America.

Google Threat Intelligence Group (GTIG) researchers attribute the attacks to a threat actor tracked as UNC6508, who remained undetected for more than a year in the victim network.

The REDCap platform is widely used in medical and scientific research to build and manage regulation-compliant databases and surveys.

Although the researchers couldn’t determine the exact initial compromise vector, they observed UNC6508 probing older, vulnerable versions of REDCap.

Based on the investigation, the compromise of the medical research organization occurred in September 2023, and the malicious activity continued for more than a year through November 2025.

GTIG says that three months after the initial compromise, the attackers deployed the 'Infinitered' custom malware designed specifically for REDCap systems, and hid its components by trojanizing the server’s system files.

Infinitered consists of three components: a persistence/update module, a credential harvester, and a backdoor.

[Figure: Infinitered components. Source: Google]

The login harvester captures usernames and passwords submitted through REDCap login pages, then encrypts and stores them in local REDCap database tables for future retrieval.
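A defender-side check that follows from the trojanized server files described above, added here as an example and not code from the article or from GTIG: hash every file under the REDCap web root at install or upgrade time, then compare the tree against that baseline so an altered shipped file or an unexpected new PHP file is reported. All file names and contents below are constructed placeholders, not real REDCap paths.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report files whose hash changed, files absent from the baseline, and files gone."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def demo() -> dict:
    """Constructed scenario: baseline a stand-in web root, then change it in the
    two ways a file-integrity check should catch (placeholder file names)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        for rel, body in {
            "index.php": "<?php // placeholder entry point\n",
            "lib/login.php": "<?php // placeholder login handler\n",
            "lib/db.php": "<?php // placeholder database layer\n",
        }.items():
            (root / rel).write_text(body)
        baseline = build_manifest(root)  # recorded at install/upgrade time
        # simulate drift: one shipped file altered, one file that was never shipped
        (root / "lib/login.php").write_text("<?php // placeholder, contents changed\n")
        (root / "lib/helper.php").write_text("<?php // placeholder, not in baseline\n")
        return compare_to_baseline(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Keep the baseline manifest off the host (or at least read-only to the web server account), since anyone able to rewrite files in the web root could otherwise rewrite the baseline too.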
