Google discovered and disrupted the sprawling campaign, which stole REDCap credentials to target numerous institutions and exfiltrate sensitive data.
June 15, 2026
An emerging China-nexus threat actor covertly spied on US academic, medical, and military research institutions for at least a year in a sweeping intelligence-gathering effort.
The campaign, uncovered by the Google Threat Intelligence Group (GTIG), relied on custom malware to steal credentials from a web application widely used by researchers, as well as a novel technique for stealthily transferring data out of an IT environment. GTIG, working with Google subsidiary Mandiant Consulting, discovered and subsequently disrupted the sprawling operation, which targeted the network of a single medical university with ties to the US military but affected numerous organizations, according to a report published Monday.
Google attributed the campaign to a group tracked as UNC6508, a relatively new China-aligned threat actor that pursues intelligence objectives consistent with the strategic interests of the People's Republic of China (PRC) by targeting "a diverse set of national, state, and private medical entities," according to the report.










