Back to Intelligence

Active Espionage: China-Linked Actors Targeting REDCap for Medical Research Theft

SA
Security Arsenal Team
June 15, 2026
5 min read

Introduction

Security Arsenal is tracking an active espionage campaign targeting the healthcare and academic research sectors. A China-linked threat actor is actively scanning for and compromising exposed REDCap (Research Electronic Data Capture) servers. The objective of this campaign is the theft of sensitive medical research data from a North American medical institution.

Defenders in the healthcare vertical must immediately assess their REDCap instances. This is not a theoretical risk; active exploitation is underway, utilizing a malicious software implant identified as "InfiniteRed" to establish persistence and facilitate data exfiltration. Given the high value of intellectual property in medical research, the stakes are critical.

Technical Analysis

Affected Products & Platforms:

  • Product: REDCap (Research Electronic Data Capture)
  • Platform: Typically Linux-based web servers (Apache/Nginx/PHP), though Windows/IIS installations exist.
  • Scope: Exposed management interfaces and web-facing API endpoints.

Attack Chain & Vulnerability: While the specific CVE identifier is not disclosed in the current reporting, the attack vector relies on exposed REDCap servers. The actor likely leverages unpatched vulnerabilities, weak authentication, or configuration errors in the web application layer to gain initial access.

  1. Initial Access: The actor identifies exposed REDCap instances via scanning and exploits the web application to execute arbitrary code.
  2. Deployment: Once access is established, the actor deploys the "InfiniteRed" malicious software.
  3. Persistence & Exfiltration: InfiniteRed establishes a foothold on the host, likely functioning as a webshell or backdoor, allowing the actor to navigate the filesystem, escalate privileges, and exfiltrate medical research data.

Exploitation Status:

  • Status: Confirmed Active Exploitation.
  • Actor: China-linked espionage group.

Detection & Response

To identify compromises related to this campaign, security teams must hunt for anomalous process execution patterns originating from the web server context and the presence of the InfiniteRed implant. REDCap servers should rarely spawn interactive shells or make outbound network connections to non-infrastructure endpoints.

SIGMA Rules

YAML
---
title: REDCap Web Server Spawning Shell
id: 8a4b2c1d-5e6f-4a3b-8c9d-1e2f3a4b5c6d
status: experimental
description: Detects the web server user (e.g., www-data, apache) spawning a shell or common scripting interpreter, indicative of webshell activity or RCE.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|endswith:
      - '/apache2'
      - '/httpd'
      - '/nginx'
      - '/php-fpm'
    ParentUser|contains:
      - 'www-data'
      - 'apache'
  selection_child:
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/python'
      - '/perl'
      - '/php'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative scripts run by the web server
level: high
---
title: InfiniteRed Suspicious File Creation
id: 9c5d3e2f-6a7b-4c5d-9e0f-2f3a4b5c6d7e
status: experimental
description: Detects the creation of suspicious PHP files within web directories often associated with webshells like InfiniteRed.
references:
  - https://attack.mitre.org/techniques/T1505/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  product: linux
  category: file_create
detection:
  selection:
    TargetFilename|contains:
      - '/var/www/html'
      - '/public_html'
    TargetFilename|endswith:
      - '.php'
    Image|endswith:
      - '/apache2'
      - '/httpd'
  filter:
    TargetFilename|contains:
      - '/redcap/'
  condition: selection and not filter
falsepositives:
  - CMS updates or plugin installations
level: medium

KQL (Microsoft Sentinel)

The following query hunts for suspicious process execution on Linux endpoints ingested via Syslog or the Microsoft Defender for Endpoint Linux agent tables.

KQL — Microsoft Sentinel / Defender
// Hunt for web server processes spawning shells or interpreters
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("apache2", "httpd", "nginx", "php-fpm")
| where ProcessFileName in~ ("bash", "sh", "python", "python3", "perl", "php")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ProcessCommandLine, ProcessFileName
| extend Advice = "Web server spawning shell - potential RCE or webshell"

Velociraptor VQL

Use this artifact to hunt for suspicious processes and recent PHP file modifications in common web roots.

VQL — Velociraptor
-- Hunt for suspicious processes and recent PHP file modifications
SELECT Pid, Name, CommandLine, Username, Exe
FROM pslist()
WHERE Name IN ('bash', 'sh', 'python', 'perl')
  AND Username IN ('www-data', 'apache')

-- Check for recently modified PHP files in web roots
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs='/var/www/html/**/*.php')
WHERE Mtime > now() - 24h

Remediation Script (Bash)

Run this script on your REDCap servers to check for common webshell indicators and assess recent file changes.

Bash / Shell
#!/bin/bash

# REDCap Forensic Assessment Script
# Author: Security Arsenal

echo "[*] Checking for active webshell processes..."
# Check for web server user running shells
ps aux | grep -E '(www-data|apache)' | grep -E '(bash|sh|python|perl)' | grep -v grep

if [ $? -eq 0 ]; then
    echo "[!] ALERT: Suspicious processes detected."
else
    echo "[+] No suspicious processes found."
fi

echo "[*] Checking for recently created PHP files in web root..."
# Find PHP files modified in the last 24 hours
find /var/www/html -name "*.php" -mtime -1 -ls

echo "[*] Checking for network connections initiated by web server user..."
# Look for established outbound connections from apache/www-data (requires root)
ss -tulpen | grep -E '(www-data|apache)'

echo "[!] Review the output above for anomalies."

Remediation

Immediate action is required to secure exposed REDCap instances and potential victims.

  1. Isolate Affected Systems: If a compromise is detected, isolate the REDCap server from the network immediately to prevent further data exfiltration.

  2. Patch and Update: Ensure the REDCap application and the underlying OS (PHP, web server, database) are fully patched. Review the REDCap Security Advisories for the latest updates.

  3. Network Segmentation: REDCap administration interfaces should not be exposed directly to the public internet. Implement VPN access or Zero Trust Network Access (ZTNA) for administrative logins.

  4. Web Application Firewall (WAF): Deploy or tighten WAF rules to block known exploitation patterns and anomalous requests targeting REDCap endpoints.

  5. Credential Rotation: Assume credentials stored on the compromised server (database credentials, API keys) are breached. Rotate them immediately.

  6. Forensic Investigation: Engage your IR team to hunt for the InfiniteRed malware and determine the scope of data access. Focus on database logs for unauthorized queries or exports.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitvulnerability-researchredcapespionageinfinitered

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action