MEDIUMApt
Global

Chinese Espionage Actor Abuses Email Rules to Steal Research Data

·Source: Bank Info Security

Updated:

Executive Summary

Threat Actor Silently Forwarded Sensitive Emails Matching Strategic Topics Google says Chinese espionage group UNC6508 compromised REDCap environments at North American research institutions, deployed cus

Analysis

Threat Actor Silently Forwarded Sensitive Emails Matching Strategic Topics Google says Chinese espionage group UNC6508 compromised REDCap environments at North American research institutions, deployed custom malware, stole credentials and covertly forwarded strategically relevant emails through abused compliance rules to support long-term intelligence collection.

Indicators of Compromise (2)

URL (1)
https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/new-chinese-espionage-actor-abuses-email-rules-to-steal-research-data-image_small-9-a-31993.jpg
VirusTotalURLhaus
Domain (1)
ismg-cdn.nyc3.cdn.digitaloceanspaces.com
VirusTotalURLhaus
Source Attribution

Originally published by Bank Info Security on Jun 17, 2026.

Related Threats

MEDIUMAptNEW

The Citation Group acquires PayCaptain

The Citation Group, a leading international provider of compliance software and services for SMEs, has announced the acquisition of PayCaptain, the award-winning payroll software and managed services provider trusted by hundreds of UK employers.

Finextra
CRITICALApt

Rockwell Automation FLEX I/O EtherNet/IP Adapters

<p><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-167-05.json"><strong>View CSAF</strong></a></p> <h2>Summary</h2> <p><strong>Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access, account takeover, and cause loss of availability.</strong></p> <p>The following versions of Rockwell Automation FLEX I/O EtherNet/IP

CVE-2026-0646CVE-2026-0647
CISA Advisories
LOWApt

China-linked hackers target US, Canada research using legacy REDCap exploits

Google is warning of a cyber espionage campaign linked to a China-nexus threat actor, UNC6508, that kept close tabs on valuable US and Canadian research environments for over a year. The campaign abused REDCap, a widely adopted platform for collecting and managing research data. Attackers, now disrupted, intercepted REDCap’s upgrade process to inject persistence malware. According to Google’s Thre

CSO Online