ERI International

Google Threat Intelligence (GTI) has identified a long-running, sophisticated espionage campaign attributed to a China-nexus threat actor dubbed UNC6508. The campaign has targeted North American academic, medical, and military research institutions to steal sensitive data related to national defense, artificial intelligence, and medical research. The following is a breakdown of this threat, structured by the key operational stages identified in the report: Campaign Scope and Targets The threat actor has engaged in a broad, undetected campaign since at least September 2023. The targets include world-renowned clinical providers, major academic centers, and military health institutions. The actor’s collection interests are aligned with PRC strategic priorities, specifically targeting research in AI, uncrewed vehicle systems, cyber offensive programs, and modern medical advancements, including studies on pathogens like Chikungunya. Initial Access and Malware (INFINITERED) UNC6508 consistently targets REDCap (Research Electronic Data Capture) servers, a platform widely used by medical and scientific researchers. The actor exploits vulnerable, legacy versions of this software to gain a foothold. Once inside, they deploy a custom, modular backdoor named INFINITERED. This malware is highly persistent; it trojanizes legitimate REDCap system files and intercepts software upgrades to re-inject its malicious code whenever the platform is updated. The Attack Lifecycle Persistence: The malware acts as a backdoor and credential harvester, remaining hidden for over a year by embedding itself within the application’s file structure. Credential Theft: INFINITERED captures usernames and passwords submitted via the login portal and hides them in a local database table, prefixed with a specific identifier to avoid notice. Lateral Movement and Exfiltration: After harvesting credentials, the actor pivots to administrative accounts to gain deeper network access. They utilize "silent" email forwarding rules (BCC-forwarding) to exfiltrate sensitive data covertly without alerting the original account owner. Sophisticated Operations Security (OpSec) The actor employs meticulous OpSec techniques to mask their presence. They rely on "Obfuscation (OBF) networks," routing all traffic through a chain of compromised routers, residential proxies, and virtual private servers, primarily using US-based IP addresses to blend in with legitimate traffic. Recommendations for Defenders GTI stresses the importance of a holistic security posture to mitigate such threats: Secure Administration: Enforce phishing-resistant 2-Step Verification (2SV) for all enterprise administrator accounts and utilize third-party Identity Providers. Software Hygiene: Ensure all REDCap installations are fully updated and, crucially, completely remove all legacy/older versions of the software to prevent downgrade attacks. Monitoring and Controls: Monitor for unauthorized modifications to content compliance rules and audit logs. Implement Data Loss Prevention (DLP) rules to restrict the external sharing of sensitive information. Detection: GTI has provided indicators of compromise (IOCs) and YARA rules to help organizations scan their REDCap servers for the INFINITERED malware. https://t.co/64to10n5nj

Taiwan's government launched a website on Sunday to encourage Chinese nationals to report intelligence tips. The platform offers a secure channel for a growing number of individuals who are dissatisfied with China's system and seeking change. The move comes amid a long history of mutual espionage between Taiwan and China, with Taipei noting a recent increase in Chinese spying cases. Taiwan's National Security Bureau highlighted that China's tightening political control and mounting economic challenges have fueled public discontent. The new website features an AI-generated promotional video depicting a Chinese civil servant watching colleagues mysteriously disappear under investigation. The video concludes with the official typing on a newly purchased mobile phone, declaring that "now is the time to change". Although the site is blocked in China, citizens can still access it using VPNs, which are commonly used to bypass state censorship. The bureau urged Chinese nationals at home and abroad to courageously share intelligence, adopting strategies used by agencies in the U.S., Britain, and Israel. China has previously employed comparable tactics, establishing an email address in 2024 to collect tipoffs regarding Taiwanese "separatists". Taiwan continues to reject Beijing's sovereignty claims, maintaining that only the island's people have the right to determine their future. https://t.co/aYeWhN8l5b

🚨We continue to monitor additional sources in the darknet. Here are some of the events that were added to our platform in the last week. 1⃣ Access to verified KYC data from over 160 countries is being offered, including sensitive documents like passports and ID cards. This poses a significant threat due to the potential for widespread exploitation. 2⃣ A leak of approximately 10 million records of U.S. citizens has been identified, involving sensitive personal and potentially financial data from a government-related source. The recency and sensitivity elevate the threat level. 3⃣ A large database of ~792,000 healthcare professionals' personal information has been leaked, posing significant risks to individuals and the healthcare industry. 🛡️Stay informed and protect your assets by visiting https://t.co/1TFlJ1IuL7 for the latest threat intelligence. #CyberSecurity #ThreatIntelligence #DataBreach

Two Chinese international students claiming to be casual tourists just got hit with espionage convictions after running a year-long drone surveillance operation over a nuclear-powered U.S. aircraft carrier. In a landmark legal move against foreign intelligence threats, the primary operator was sentenced to 18 months in prison for actively benefiting the enemy. Operating under the cover of academic study, the duo executed at least nine illegal aerial filming sessions targeting a major naval command. The operation culminated in a high-stakes security breach when they flew a commercial drone over the 100,000-ton USS Theodore Roosevelt right as the sitting South Korean president arrived to inspect the warship during sensitive joint military drills. Investigators ultimately seized nearly 12 gigabytes of restricted data, including hundreds of photos and videos of the classified base. The primary suspect had direct contacts linked to Chinese police on his phone and repeatedly shared the footage over messaging apps. Because the Chinese-made drone app automatically synced all captured media straight to servers based in China, the operation effectively handed Beijing a backdoor look into allied frontline maritime defenses. #Espionage #NationalSecurity #DroneWarfare #USNavy #MilitaryIntelligence #Geopolitics #SouthKorea

Chinese intelligence ran a sophisticated honeytrap campaign in 2009 that should worry anyone who thinks about corporate espionage and how foreign powers map Western power structures. This wasn't some crude blackmail scheme. We're talking about a systematic operation that exploited professional networking platforms and legitimate business relationships to get close to high-value Western executives. The targeting was surgical. Chinese operatives went after business leaders who had access to three key things: strategic corporate intelligence, technology transfer opportunities, and political influence networks. Think defense contractors, tech sector executives, people with government advisory roles. Here's how it worked: Attractive individuals with real professional credentials would initiate contact through legitimate business channels. Nothing suspicious at first — just normal professional networking. Then came the slow burn. These weren't quick honey traps. The operatives invested in building actual relationships over time, letting them evolve naturally from professional to personal to romantic. Only then would they create compromising situations designed to flip targets into long-term intelligence assets. The Aston Villa owner case gives us a window into just how methodical this was. Chinese intelligence wasn't just after corporate secrets — they were systematically mapping Western influence networks by compromising people at key nodes. Once they had someone, the intelligence haul was comprehensive: corporate strategic planning, M&A intelligence, government contract details, and most importantly, access to the target's entire network of political and business contacts. This reveals something important about Chinese intelligence methodology circa 2009. They weren't just collecting information — they were building a human infrastructure to understand how power flows through Western corporate and political circles. The sophistication here is worth noting. Multi-stage recruitment processes. Psychological profiling. Long-term relationship development. These operations required serious resources and patience. What makes this particularly concerning is how it exploited the interconnected nature of modern business networks. One compromised executive doesn't just give you their company's secrets — you get visibility into their entire professional ecosystem. This kind of systematic approach to mapping influence networks through human recruitment represents a different category of threat than traditional corporate espionage. It's strategic intelligence collection aimed at understanding how Western power structures actually function. The 2009 timeframe is also significant. This was happening during a period when Western businesses were rapidly expanding their China operations and Chinese companies were increasing their global investments. Perfect cover for developing these kinds of relationships. For anyone in senior corporate roles, especially those with government ties or access to sensitive technology, this case study should be required reading. The professional networking angle makes these approaches particularly hard to detect early on. The fact that we're learning about 2009 operations now also raises questions about what current operations might look like. If this was the sophistication level fifteen years ago, what capabilities exist today? https://t.co/cKWwx39US5 #foreigninterference #SexualEntrapment #ProfessionalNetworkRecruitment #AssetRecruitment #CorporateInfiltration

The FBI is warning of Chinese agents posing as fake employers on platforms like LinkedIn — targeting U.S. government workers with security clearances. They lure them with high-paying jobs in exchange for sensitive info. The FBI just seized 13 domains tied to the alleged scheme. But more are still out there. Meanwhile, the Treasury Department sanctioned 11 people and companies for helping Iran obtain weapons—9 of them based in China and Hong Kong. Washington is turning up the pressure on Beijing over both espionage and national security concerns. #ChinaThreat #FBI #NationalSecurity

The FBI’s Kinetic Cyber Range in Huntsville, Alabama, resembles a small town with everything a small town has. But despite its size, it plays a massive role in preparing the next generation of cyber investigators for real world situations and the real obstacles they will face in the field. Read more about the FBI’s Kinetic Cyber Range at https://t.co/r8Xjgr8kB3.

Chinese state-sponsored trolls were just caught using America's own ChatGPT to pose as ordinary suburban moms and local workers in a bizarre, viral scare campaign claiming AI infrastructure is skyrocketing household electricity bills. Revealed in OpenAI's June 2026 Threat Report, the covert "water army" accidentally exposed their entire psychological warfare operation because they used the AI to polish and edit their own internal corporate work reports. By uploading these secret playbooks directly into the chat history, the operators handed security analysts a front-row seat to exactly how Beijing handles public opinion manipulation and evades platform detection. Operating via hidden VPNs, the state-linked networks went to extreme lengths to blend seamlessly into American social media spaces on X and Facebook. Their prompts revealed highly calculated geopolitical messaging, including explicit instructions to generate political cartoons criticizing U.S. tariffs that must only depict President Trump while strictly forbidding any imagery or mention of Chinese leader Xi Jinping. When they weren't attempting to manufacture an artificial energy crisis or ordering bulk text to spread inflammatory anti-Jewish tropes, the network launched a synchronized, completely fabricated smear campaign using fresh accounts to claim ChatGPT had suffered a massive data breach that "ruined users' lives." While security teams successfully neutralized these accounts before they could gain authentic mainstream traction, the operation exposes an increasingly insidious strategy for foreign interference. Hostile adversaries are moving away from rigid, easily detectable propaganda and are instead using advanced generative AI to hijack legitimate domestic anxieties. By wrapping state influence in everyday concerns about inflation and utility costs, they are actively attempting to manipulate public policy and trick Americans into sabotaging their own technological and economic foundations. #CyberSecurity #ForeignInterference #ChineseSpies #ChatGPT #DataCenters #NationalSecurity #TechWar #PsychologicalWarfare #Geopolitics2026

A secret camera has been discovered in a sensitive 🇬🇧 Whitehall building, sparking fears of espionage. Security officials working at Marsham Street in Victoria, central London — a vast suite of offices that houses the Home Office and the Department for Housing, Communities and Local Government (MHCLG) — found a hidden camera in a ceiling panel, ministers have been informed. The discovery sparked alarm because officials in the building had been involved in the controversial planning application for China’s proposed new mega-embassy in London. The incident occurred in the last two months, and the Security Services had been informed. How the camera came to be placed in such a sensitive location, and how long it was there, remain unknown. Subsequent enquiries have sought to establish who placed the device. The electronic device had been discovered in a communal area of a shared building used by multiple civil servants, rather than in or near ministerial offices. One of the most high-profile decisions taken in the Marsham Street building in recent months was the approval of China’s plans for a huge new embassy in central London — despite opponents warning that the site could be used as a base for spying and posed security risks. The revelation will renew concerns about the security of UK Government buildings. Hackers linked to China and Russia have been connected with a series of cyber operations against UK Government systems in recent years, aimed at gathering political intelligence and accessing sensitive information. The threat posed by cyber attacks can be severe. The presence of a covert device in a Whitehall building, in proximity to key officials and ministers responsible for sensitive policy matters, will heighten fears over espionage tactics. There is no suggestion that Russia or China-linked actors are responsible for the device. The discovery left staff shocked, fearing that they were being watched or listened to — and speculating about how and why the camera had been placed there. The context was very different, but several civil servants said the discovery reminded them of the 2021 scandal when CCTV footage was leaked of former health secretary Matt Hancock kissing his mistress Gina Coladangelo in his office. The subsequent public outrage focused on Hancock’s hypocrisy, but in Whitehall there was also alarm that sensitive department meetings and conversations might be being monitored. “The discovery of a hidden camera inside a building that occupies the Home Office and other departments raises serious questions about the security of government departments and the actions of those seeking to undermine them.” “We urgently need to know who was responsible, how long this device was in place, and whether any sensitive or classified information has been compromised.” The Home Office and MHCLG were involved in the controversial planning decision to approve the new Chinese embassy earlier this year. It was revealed in Jan 2025 that the Royal Mint Court site sits close to fibre-optic cables carrying vast quantities of highly sensitive data from the City of London. The proximity sparked concern among Britain’s intelligence services that the cables could be vulnerable to attack, and used by Beijing to infiltrate the UK’s financial system. https://t.co/7r2qCmtSXO

China Steals AI Capabilities It Can’t Build, Cybersecurity Firm Says CrowdStrike’s 2026 Global Threat Report reveals that China-nexus cyber actors increased targeted intrusions by 38 percent in 2025. The cybersecurity firm states these groups are accelerating attacks on corporate systems to steal artificial intelligence (AI) capabilities the Chinese regime is unable to build itself. Adversaries frequently target internet-facing edge devices, such as VPNs and firewalls, to establish long-term intelligence collection operations. The report notes that 67 percent of the vulnerabilities exploited by these actors provided immediate system access, with 40 percent specifically targeting edge devices. Logistics, Telecom, Finance Targeted These targeting patterns directly align with the Chinese Communist Party’s strategic priorities of economic espionage, technology transfer, and telecommunications surveillance. Logistics organizations experienced the sharpest increase in attacks, surging by 85 percent to become the primary target for Chinese threat actors. Attacks against telecommunications and financial services also rose by 30 percent and 20 percent, respectively, as groups like OPERATOR PANDA focused on intercepting communications. Edge Devices Used for Access Multiple China-nexus groups heavily exploited remote code execution vulnerabilities in internet-facing systems to gain direct, external network access. These adversaries actively monitor vulnerability disclosures, often weaponizing newly published software flaws into intrusion tools within two to six days. This rapid weaponization takes advantage of the brief window before targeted organizations can apply necessary security patches. In one instance, the hacking group Warp Panda exploited a VPN appliance to maintain persistent access within a victim's network for 22 months. AI Enters the Tradecraft Attacks driven by AI-enabled adversaries surged by 89 percent in 2025, largely by accelerating existing cyber techniques. Threat actors leveraged AI for sophisticated social engineering, malware development, and generating highly convincing phishing campaigns. Chinese intelligence services specifically used AI to create fake consulting firms to target former U.S. government employees on job platforms. Hackers are also targeting AI systems directly, using malicious code to hijack local AI tools like Claude and Gemini for stealing cryptocurrency and authentication materials. Speed Narrows the Response Window The average "breakout time"—how long it takes an intruder to move laterally after initial access—plummeted from 48 minutes in 2024 to just 29 minutes in 2025. This rapid movement, with the fastest recorded breakout at just 27 seconds, leaves defenders with severely limited time to identify and stop breaches. Furthermore, 82 percent of CrowdStrike's 2025 detections were malware-free, with hackers using legitimate credentials to blend in with normal network behavior. US Agencies Warn About Similar Tactics U.S. allied agencies, including the National Security Agency, previously warned that Chinese state-sponsored actors are targeting global critical infrastructure. Microsoft’s 2025 Digital Defense Report similarly highlighted China’s broad espionage push using vulnerable edge devices to avoid detection. CrowdStrike recommends that organizations patch edge devices within 72 hours of a vulnerability disclosure, monitor perimeter systems, and segment their networks to restrict hacker movement. https://t.co/kgNue6bFeE

Today, the FBI is announcing Operation Riptide, an ongoing, coordinated law enforcement campaign targeting cybercriminal actors and the key services they rely on—their infrastructure, their tools and services, their communications platforms, and their money. Operation Riptide is a collective effort that implements the priorities set out in Executive Order 14390 and the National Cyber Strategy. In recent weeks, the FBI carried out a broad range of enforcement actions against cyber threat actors, serving search warrants, securing indictments, arresting suspects, and dismantling criminal infrastructure. This marks the beginning of a focused, sustained 60-day national effort. Cybercrime carries real-world consequences, and the FBI remains committed to disrupting malicious cyber activity and holding cybercriminals accountable.