UNC6508
Also known as: UNC6508
Profile
UNC6508 is a PRC-nexus threat actor targeting North American academic, medical, and military research institutions, employing tactics such as exploiting REDCap servers and deploying custom malware named INFINITERED. The actor utilized credential harvesting, internal reconnaissance, and a web shell named "help.php" for persistence. They also manipulated content compliance rules for covert data exfiltration, forwarding sensitive email communications to a threat actor-controlled Gmail address. GTIG attributes this espionage activity to UNC6508 with high confidence, based on infrastructure overlaps and specific targeting of defense and medical research sectors.