Solved

Custom Malware Named INFINITERED - YARA-L Rules to Detect UNC6508

  • June 16, 2026
  • 2 replies
  • 55 views

dnehoda
Staff

Google Threat Intelligence Group (GTIG) has identified a sophisticated campaign attributed to UNC6508, a People's Republic of China (PRC)-nexus threat actor, targeting institutions in the North American academic, medical, and military research community. While remaining undetected for over a year, the threat actor compromised externally facing web applications, deployed bespoke malware, pivoted to sensitive internal systems, and abused enterprise administrative tools for covert data exfiltration.

 

https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research?e=48754805

 

PRC-nexus actors spent 15 months inside US medical research networks. Here's what your SOC should hunt for tonight.

Google's threat intel team just published the UNC6508 campaign — and it's a masterclass in patient, quiet espionage against a sector most of us under-monitor: medical research, academic centers, and military health institutions across North America.

The tradecraft is the lesson here, not just the IOCs:

**Initial access via REDCap** — they exploited legacy, unpatched versions of a clinical research platform. Public-facing app, downgrade attack, web shell (`help.php`). Your edge is your attack surface.

**INFINITERED** — custom PHP malware that *trojanizes the application's own upgrade process* to survive patching. It harvests plaintext credentials straight from login POSTs and hides them inside the legitimate `redcap_sessions` table. Persistence that outlives your remediation is the scariest kind.

**Living off Google Workspace** — once they had domain admin, they didn't drop more malware. They created a silent content-compliance rule (charmingly misspelled "Patroit") that BCC-forwarded emails matching geopolitical/medical keywords to an attacker Gmail. No exfil binary. Just a feature, abused.

**All-US obfuscation infrastructure** — compromised routers, residential proxies, VPS. The login that mattered came from a hijacked ASUS router (23.169.65.49), not Beijing.

The takeaway for defenders: persistence is moving into your trusted platforms. A SIEM rule on file hashes is table stakes. The real coverage is detecting abuse of legitimate features — forwarding rules, compliance policies, the app's own update mechanism.

I converted the report's indicators and TTPs into ready-to-deploy Google SecOps (Chronicle) YARA-L 2.0 rules — file hashes, the `help.php` web shell, INFINITERED's C2 magic strings, the exfil indicators, and Workspace silent-forwarding abuse. Full ruleset + data tables in the comments. 

Patch your REDCap. Audit your Workspace compliance rules. Enroll admins in Advanced Protection.
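The same indicators the post lists can be hunted in raw web-server logs on the REDCap host itself, which matters when the SIEM's HTTP parser does not carry the URI or cookie. The script below is an added example (my own code, not the author's rules and not from the GTIG report). It assumes an Apache `LogFormat` equal to the standard "combined" format with `%{Cookie}i` appended as a final quoted field; the sample log lines, the `Hit` type and the function names are constructed for illustration, while the path, magic strings, cookie name and IP are the ones quoted in the post.

```python
import re
from dataclasses import dataclass

# Indicators quoted from the post above. Everything else (log format, sample
# lines, function names) is my own and assumed for illustration.
WEBSHELL_PATH = re.compile(r"/help\.php(\?|$)")
MAGIC = {
    "infinitered_download_flag": "ej671a16i7fd8202nu6ltfg5p6x7u",
    "upgrade_intercept_guid": "b49e334d-9c01-463e-9bc5-00a6920fb66e",
    "stolen_cred_session_prefix": "xc32038474a",
}
C2_COOKIE = "REDCAP-TOKEN"
KNOWN_LOGIN_IP = "23.169.65.49"

# Assumed Apache LogFormat: "combined" plus "%{Cookie}i" as a final quoted
# field. Without that extra field the cookie check has nothing to read, which
# is the same visibility gap rule 3 in this thread warns about.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?$'
)


@dataclass
class Hit:
    reason: str
    ip: str
    uri: str


def inspect_line(line):
    """Apply the web-shell, magic-string, C2-cookie and source-IP checks to
    one access-log line. Returns a list of Hit (empty when nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line; report these separately in real use
    ip, uri, cookie = m["ip"], m["uri"], m["cookie"] or ""
    hits = []
    if WEBSHELL_PATH.search(uri):
        # Any app with a legitimate help.php fires here; scope to the REDCap
        # document root if that is a problem in your environment.
        hits.append(Hit("help.php web shell request", ip, uri))
    for name, token in MAGIC.items():
        if token in uri:  # literal, case-sensitive protocol markers
            hits.append(Hit(f"INFINITERED marker: {name}", ip, uri))
    # Cookie header is "name=value; name2=value2": match the name at a boundary
    if re.search(rf"(^|;\s*){re.escape(C2_COOKIE)}=", cookie):
        hits.append(Hit("REDCAP-TOKEN C2 cookie", ip, uri))
    if ip == KNOWN_LOGIN_IP:
        hits.append(Hit("request from compromised ASUS router IP", ip, uri))
    return hits


def hunt(lines):
    """Flatten hits over a whole log."""
    return [h for line in lines for h in inspect_line(line)]


# Constructed sample log: lines 2 and 3 are malicious, 1 and 4 are benign
# (line 4 shows that /help/index.php does not match /help.php).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2026:10:00:00 +0000] "GET /redcap/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "PHPSESSID=abc"',
    '23.169.65.49 - - [01/Jun/2026:10:01:00 +0000] "POST /redcap/help.php HTTP/1.1" 200 44 "-" "Mozilla/5.0" "REDCAP-TOKEN=deadbeef"',
    '198.51.100.7 - - [01/Jun/2026:10:02:00 +0000] "GET /redcap/api/?ej671a16i7fd8202nu6ltfg5p6x7u=1 HTTP/1.1" 200 9000 "-" "curl/8.0" "-"',
    '10.0.0.9 - - [01/Jun/2026:10:03:00 +0000] "GET /redcap/help/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.reason:45} {h.ip:15} {h.uri}")
```

Run it against `zcat access.log*.gz` output on the REDCap web tier; a single line that trips the web-shell check, the cookie check and the router IP at once is the shape of the compromised-admin session the post describes.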

Best answer by dnehoda

Create Data Tables First.  

unc6508_iocs

indicator,type,notes
23.169.65.49,ip,admin_login_source_compromised_asus_router
BebitaBarefoot774@gmail.com,email,exfiltration_account_silent_bcc_forwarding

 

infinitered_iocs

sha256,malware_role
ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7,web_shell_help_php
db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136,credential_harvester
c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b,credential_harvester
8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec,backdoor
51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045,backdoor
4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b,dropper
58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86,dropper
 

 

// =====================================================================
// 1. Known INFINITERED / UNC6508 file hashes
// Data table required: infinitered_iocs  (column: sha256, type STRING)
// Join makes this a multi-event rule -> match section required.
// =====================================================================
rule unc6508_infinitered_file_hashes {
  meta:
    author = "David Nehoda"
    description = "Detects known INFINITERED malware file hashes (UNC6508, PRC-nexus) on or transiting hosts"
    reference = "https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research"
    malware = "INFINITERED"
    threat_actor = "UNC6508"
    mitre_attack = "T1505.003,T1554"
    severity = "CRITICAL"
    priority = "HIGH"
  events:
    (
      $e.target.file.sha256 = $sha256 or
      $e.principal.process.file.sha256 = $sha256 or
      $e.src.file.sha256 = $sha256
    )
    // data-table join (own line, AND-ed at top level)
    $sha256 = %infinitered_iocs.sha256
  match:
    $sha256 over 5m
  condition:
    $e
}

 

// =====================================================================
// 2. help.php web shell access / drop on a REDCap server
// =====================================================================
rule unc6508_redcap_webshell_help_php {
  meta:
    author = "David Nehoda"
    description = "Detects access to or creation of the INFINITERED help.php web shell"
    reference = "https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research"
    threat_actor = "UNC6508"
    mitre_attack = "T1190,T1505.003"
    severity = "HIGH"
    priority = "HIGH"
  events:
    (
      // network access to the web shell
      ($e.metadata.event_type = "NETWORK_HTTP" and
        re.regex($e.target.url, `/help\.php(\?|$)`)) or
      // dropped on disk somewhere under a redcap path
      ($e.metadata.event_type = "FILE_CREATION" and
        re.regex($e.target.file.full_path, `(?i)redcap.*/help\.php$`)) or
      // strongest signal: the shell's known hash
      $e.target.file.sha256 = "ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7"
    )
  condition:
    $e
}
 

// =====================================================================
// 3. INFINITERED C2 / credential-harvester magic strings over HTTP
//    Requires HTTP logs that capture URI/cookie/body (WAF, proxy, EDR).
// =====================================================================
rule unc6508_infinitered_c2_magic_strings {
  meta:
    author = "David Nehoda"
    description = "Detects INFINITERED backdoor magic strings, REDCAP-TOKEN C2 cookie, GUID upgrade-intercept marker, and stolen-credential session prefix"
    reference = "https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research"
    malware = "INFINITERED"
    threat_actor = "UNC6508"
    mitre_attack = "T1071.001,T1056.003"
    severity = "CRITICAL"
    priority = "HIGH"
  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    (
      // backdoor file-download magic flag
      re.regex($e.target.url, `ej671a16i7fd8202nu6ltfg5p6x7u`) or
      // upgrade-interception GUID delimiter
      re.regex($e.target.url, `b49e334d-9c01-463e-9bc5-00a6920fb66e`) or
      // stolen-credential session prefix
      re.regex($e.target.url, `xc32038474a`) or
      // C2 cookie name (if cookie/header captured into UDM)
      re.regex($e.network.http.user_agent, `REDCAP-TOKEN`) or
      re.regex($e.target.url, `REDCAP-TOKEN`)
    )
  condition:
    $e
}

 

// =====================================================================
// 4. UNC6508 network IOCs — exfil Gmail + compromised-router login IP
// Data table required: unc6508_iocs  (column: indicator, type STRING)
//   rows hold both the IP (23.169.65.49) and the email
//   (BebitaBarefoot774@gmail.com); IP rows simply never match email
//   fields and vice-versa.
// Join makes this a multi-event rule -> match section required.
// =====================================================================
rule unc6508_network_iocs {
  meta:
    author = "David Nehoda"
    description = "Detects UNC6508 attacker email (exfil account) and known login source IP (compromised ASUS router)"
    reference = "https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research"
    threat_actor = "UNC6508"
    mitre_attack = "T1567,T1090.003"
    severity = "HIGH"
    priority = "HIGH"
  events:
    (
      $e.principal.ip = $ioc or
      $e.target.ip = $ioc or
      $e.src.ip = $ioc or
      $e.network.email.to = $ioc or
      $e.network.email.from = $ioc or
      $e.about.user.email_addresses = $ioc
    )
    // data-table join (own line, AND-ed at top level)
    $ioc = %unc6508_iocs.indicator
  match:
    $ioc over 5m
  condition:
    $e
}

 

// =====================================================================
// 5. Google Workspace silent email-forwarding / content-compliance abuse
//    (the "Patroit" rule technique used to BCC-exfiltrate mail)
//    NOTE: Workspace admin-audit field mapping varies by tenant.
//    Tune product_event_type and recipient fields to your schema.
// =====================================================================
rule unc6508_workspace_silent_forwarding_abuse {
  meta:
    author = "David Nehoda"
    description = "Detects creation/modification of Workspace content-compliance or forwarding rules pointing at an external Gmail (UNC6508 email-exfil TTP)"
    reference = "https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research"
    threat_actor = "UNC6508"
    mitre_attack = "T1114.003,T1562.001,T1567"
    severity = "HIGH"
    priority = "HIGH"
  events:
    re.regex($e.metadata.product_name, `(?i)workspace|gsuite|google`)
    (
      re.regex($e.metadata.product_event_type, `(?i)compliance|content_compliance|email_setting|forwarding|routing`) or
      re.regex($e.security_result.summary, `(?i)compliance|forwarding`)
    )
    (
      // external Gmail recipient, or the exact known exfil address
      //re.regex($e.target.resource.name, `(?i)@gmail\.com`) or
      //re.regex($e.security_result.detection_fields.value, `(?i)@gmail\.com`) or
      $e.target.user.email_addresses in %unc6508_iocs.indicator
      //re.regex($e.metadata.description, `(?i)BebitaBarefoot774@gmail\.com|Patroit`)
    )
  condition:
    $e
}
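Rules 1 and 4 join on an exact string match against the imported column, so a stray space, an uppercase hash or a CIDR in the indicator column never matches and never errors. The validator below is an added example (my own code, not part of the posted ruleset) that lints the two CSVs above before import: hashes must be 64 lowercase hex characters, indicators must parse as an IP address or look like an email address, and duplicates are reported. The CSV text is the two tables as posted; the function names, the assumption that UDM `file.sha256` values are lowercase, and the extra bad rows used in the tests are mine.

```python
import csv
import io
import ipaddress
import re

# The two tables exactly as posted above, header row included.
INFINITERED_CSV = """sha256,malware_role
ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7,web_shell_help_php
db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136,credential_harvester
c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b,credential_harvester
8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec,backdoor
51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045,backdoor
4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b,dropper
58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86,dropper
"""
UNC6508_CSV = """indicator,type,notes
23.169.65.49,ip,admin_login_source_compromised_asus_router
BebitaBarefoot774@gmail.com,email,exfiltration_account_silent_bcc_forwarding
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_sha256_table(csv_text, column="sha256"):
    """Validate a hash table. Returns (clean_rows, problems). Clean rows carry
    the hash trimmed and lowercased, which is how UDM file.sha256 is normally
    populated (assumption: confirm against your own telemetry)."""
    clean, problems, seen = [], [], set()
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        raw = row.get(column)
        if raw is None:
            problems.append(f"line {n}: column {column!r} missing")
            continue
        h = raw.strip().lower()
        if not SHA256_RE.match(h):
            problems.append(f"line {n}: not a SHA256: {raw!r}")
            continue
        if h != raw:
            problems.append(f"warn: line {n}: hash trimmed/lowercased before import")
        if h in seen:
            problems.append(f"line {n}: duplicate hash {h}")
            continue
        seen.add(h)
        clean.append({**row, column: h})
    return clean, problems


def classify_indicator(value):
    """'ip', 'email' or None. The join is an exact string match, so a CIDR or
    a bare domain in this column would silently never fire."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        return "email" if EMAIL_RE.match(v) else None


def check_indicator_table(csv_text, column="indicator", type_column="type"):
    """Validate the mixed IP/email table. Returns (clean_rows, problems)."""
    clean, problems = [], []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        raw = (row.get(column) or "").strip()
        kind = classify_indicator(raw)
        if kind is None:
            problems.append(f"line {n}: unrecognised indicator {raw!r}")
            continue
        declared = row.get(type_column)
        if declared and declared != kind:
            problems.append(f"line {n}: type column says {declared!r}, value is {kind}")
        if kind == "email" and raw != raw.lower():
            # Exact-match join is case-sensitive; if your mail parser lowercases
            # addresses (assumption to check), import a lowercase row as well.
            problems.append(f"warn: line {n}: mixed-case email {raw!r}")
        clean.append({**row, column: raw})
    return clean, problems


if __name__ == "__main__":
    for name, fn, text in (("infinitered_iocs", check_sha256_table, INFINITERED_CSV),
                           ("unc6508_iocs", check_indicator_table, UNC6508_CSV)):
        rows, issues = fn(text)
        print(f"{name}: {len(rows)} usable rows")
        for issue in issues:
            print("  ", issue)
```

Anything prefixed `warn:` still imports; everything else is a row that would sit in the table and never join.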
 

2 replies

dnehoda
Staff
  • Author
  • June 16, 2026

Deployment order

1. **Create the data tables first** (SecOps → Settings → Data Tables → import CSV). Rules 1 and 4 will fail to compile until the tables exist.
   - `infinitered_iocs` — set column **`sha256`** to type **STRING**. (`malware_role` is analyst context only; not joined.)
   - `unc6508_iocs` — set column **`indicator`** to type **STRING**. (`type` / `notes` are context only.)
   - **Verify column types after import** — CSV import can default a column to the wrong type, which breaks the join.

2. **Import the rules** (SecOps → Detection → Rules Editor). Suggested rollout:
   - Enable **rules 1, 2, 4** at HIGH priority immediately — high-fidelity exact matches (hash / path / IP / email).
   - Enable **rule 3** once you confirm HTTP logs carry URI/cookie/body (WAF, proxy, or EDR — the default NETWORK_HTTP parser often won't).
   - Enable **rule 5** in **alert/monitor mode first** — it can be noisy if your org legitimately uses external forwarding / content-compliance rules. Allowlist known-good recipients, then promote to alerting.

 

---

 

Rule summary

| Rule | Detects | MITRE | Data table |
|------|---------|-------|------------|
| unc6508_infinitered_file_hashes | Known INFINITERED SHA256s | T1505.003, T1554 | infinitered_iocs |
| unc6508_redcap_webshell_help_php | `help.php` web shell access/drop | T1190, T1505.003 | — |
| unc6508_infinitered_c2_magic_strings | C2 magic strings / `REDCAP-TOKEN` cookie / GUID / session prefix | T1071.001, T1056.003 | — |
| unc6508_network_iocs | Exfil Gmail + compromised-router login IP | T1567, T1090.003 | unc6508_iocs |
| unc6508_workspace_silent_forwarding_abuse | "Patroit" silent BCC-forwarding rule abuse | T1114.003, T1562.001, T1567 | — |

 

---

 

Tuning caveats

- **Rule 3 (C2 strings):** HTTP cookies/bodies only match if a WAF/proxy/EDR feeds them into UDM. The default SecOps `NETWORK_HTTP` parser frequently does not capture the `REDCAP-TOKEN` cookie or request body. Treat as a tuning template; validate against your own log sources before trusting it.

- **Rule 5 (Workspace forwarding abuse):** Workspace admin-audit field mappings vary by tenant. Confirm `metadata.product_event_type` values and the recipient field (`target.resource.name` vs `security_result.detection_fields`) against *your* normalized data, and allowlist legitimate external forwarding before alerting.

- **Data-table joins:** any rule that joins a data table is treated as multi-event and therefore requires a `match` section — rules 1 and 4 already include one (`match … over 5m`, keyed on the matched indicator).

 

---

 

Note on YARA-L vs classic YARA

The rule shipped *in* the GTIG article (`G_Backdoor_INFINITERED_1`) is a **classic file-scanning YARA** rule for on-disk detection. The rules here are **YARA-L 2.0** for Google SecOps, which run over UDM-normalized telemetry (network, file, Workspace audit logs) — a different language and a different detection surface. Use both: classic YARA to scan REDCap servers, YARA-L for SIEM-side telemetry detection.
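The allowlist-first rollout suggested for rule 5 can be rehearsed outside the SIEM against an export of the Workspace admin audit log. The script below is an added example (my own code, not the author's rule and not a Google-provided tool). It assumes the record shape of Admin SDK Reports API activity entries (`actor`, `events[]`, `events[].parameters[]`) and assumes that Gmail routing and content-compliance changes surface as `CREATE_GMAIL_SETTING` / `CHANGE_GMAIL_SETTING` events with the recipient inside `NEW_VALUE`; confirm both against your own export. The org domains, allowlist and the four activity records are constructed; the exfil address is the one quoted in the post.

```python
import json
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed event-name pattern for Gmail routing / content-compliance changes in
# the admin audit log (CREATE_/CHANGE_/DELETE_GMAIL_SETTING); confirm on your export.
SETTING_EVENT_RE = re.compile(r"(GMAIL|EMAIL)_SETTING", re.I)

ORG_DOMAINS = ["research.example"]            # constructed: your own mail domains
ALLOWLIST = ["archive@vault.example.net"]     # constructed: known-good external recipients
IOCS = ["BebitaBarefoot774@gmail.com"]        # from the post above


def find_suspicious_setting_changes(activities, org_domains, allowlist, iocs):
    """Scan Admin-SDK-style activity records and return findings for mail
    setting changes that name an external recipient not on the allowlist.
    An exact IOC hit is CRITICAL; any other unknown external address is HIGH."""
    org = {d.lower() for d in org_domains}
    allow = {a.lower() for a in allowlist}
    ioc = {i.lower() for i in iocs}
    findings = []
    for act in activities:
        actor = act.get("actor", {}).get("email", "?")
        for ev in act.get("events", []):
            if not (SETTING_EVENT_RE.search(ev.get("name", ""))
                    or ev.get("type") == "EMAIL_SETTINGS"):
                continue
            params = {p.get("name"): str(p.get("value", "")) for p in ev.get("parameters", [])}
            # Recipients may sit in NEW_VALUE or in free text, so scan every value
            addrs = {a.lower() for a in EMAIL_RE.findall(" ".join(params.values()))}
            external = {a for a in addrs if a.rsplit("@", 1)[1] not in org}
            hits = external & ioc
            unknown = external - allow - ioc
            if not hits and not unknown:
                continue
            findings.append({
                "severity": "CRITICAL" if hits else "HIGH",
                "time": act.get("id", {}).get("time"),
                "actor": actor,
                "event": ev.get("name"),
                "setting": params.get("SETTING_NAME"),
                "recipients": sorted(hits | unknown),
            })
    return findings


# Constructed export: record 1 is the "Patroit"-style BCC rule, record 2 is an
# allowlisted journaling change, record 3 is not a mail setting at all, and
# record 4 adds an unknown external Gmail recipient.
SAMPLE_ACTIVITIES_JSON = """[
  {"id": {"time": "2026-03-02T04:12:09.000Z", "applicationName": "admin"},
   "actor": {"email": "it-admin@research.example", "callerType": "USER"},
   "events": [{"type": "EMAIL_SETTINGS", "name": "CREATE_GMAIL_SETTING",
               "parameters": [{"name": "SETTING_NAME", "value": "Content compliance - Patroit"},
                              {"name": "NEW_VALUE", "value": "action=deliver; add bcc: BebitaBarefoot774@gmail.com"}]}]},
  {"id": {"time": "2026-03-02T09:00:00.000Z", "applicationName": "admin"},
   "actor": {"email": "it-admin@research.example", "callerType": "USER"},
   "events": [{"type": "EMAIL_SETTINGS", "name": "CHANGE_GMAIL_SETTING",
               "parameters": [{"name": "SETTING_NAME", "value": "Routing - journaling"},
                              {"name": "NEW_VALUE", "value": "add bcc: archive@vault.example.net"}]}]},
  {"id": {"time": "2026-03-03T11:30:00.000Z", "applicationName": "admin"},
   "actor": {"email": "helpdesk@research.example", "callerType": "USER"},
   "events": [{"type": "USER_SETTINGS", "name": "CHANGE_PASSWORD",
               "parameters": [{"name": "USER_EMAIL", "value": "someone@gmail.com"}]}]},
  {"id": {"time": "2026-03-04T02:45:00.000Z", "applicationName": "admin"},
   "actor": {"email": "it-admin@research.example", "callerType": "USER"},
   "events": [{"type": "EMAIL_SETTINGS", "name": "CHANGE_GMAIL_SETTING",
               "parameters": [{"name": "SETTING_NAME", "value": "Content compliance - Export control"},
                              {"name": "NEW_VALUE", "value": "add bcc: someone@gmail.com, compliance@research.example"}]}]}
]"""


def run_sample():
    return find_suspicious_setting_changes(
        json.loads(SAMPLE_ACTIVITIES_JSON), ORG_DOMAINS, ALLOWLIST, IOCS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['severity']:8} {f['time']} {f['actor']} {f['event']} "
              f"{f['setting']!r} -> {', '.join(f['recipients'])}")
```

Point it at a real export (`gam report admin` output or the Reports API JSON) after seeding `ALLOWLIST` with the recipients your mail-routing rules are supposed to have; whatever comes back HIGH is the list to review before promoting rule 5 from monitor to alert.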

