REDCap on the Internet: An Exposure Analysis

Research, Threat Intelligence

Executive Summary

  • Google’s Threat Intelligence Group (GTIG) recently attributed a year-plus espionage campaign against North American academic, medical, and military research institutions to UNC6508, a PRC-nexus actor. The consistent initial access vector was an externally facing REDCap server: exploited, then backdoored with custom malware (dubbed “INFINITERED”) for over a year of data exfiltration. The initial access method is unconfirmed at the time of writing.
  • REDCap (Research Electronic Data Capture) is a web application used by research institutions worldwide to build and manage study databases. It commonly holds clinical trial data, participant records, and other sensitive research information.
  • As of June 16, 2026, Censys observed just over 8,500 REDCap instances globally, with concentrations in the U.S. (40%), the U.K. (7.4%), Germany (4.8%), and Australia (3.9%).
  • REDCap version 16.0.17 represents a third of all observations, followed by 16.1.4 at 4.93% and 16.0.15 at 3.34%. Based on Censys observations, 17.1.3 appears to be the latest version available, and just 1.18% of instances are on this patch version.

Introduction

REDCap is a browser-based platform for collecting and managing research data, developed by Vanderbilt University and distributed to a consortium of academic, healthcare, and non-profit organizations. By design, the software is often exposed to the Internet to facilitate collaboration and to let study participants reach the platform directly.

In a report published on June 15, 2026, Google Threat Intelligence Group (GTIG) attributed a “sophisticated” campaign targeting North American academic, medical, and military researchers to UNC6508, a People’s Republic of China (PRC)-nexus threat actor.

While the initial access method is currently unconfirmed, UNC6508 exploited a public-facing REDCap server to drop a webshell and deploy INFINITERED, a PHP backdoor. Through this foothold, the actor maintained access to sensitive environments for over a year, collected information from sensitive systems, abused administrative tools for data exfiltration, and deployed additional malware.

Patch management is likely complicated for academic users who maintain self-hosted installations of REDCap, where the versions available and how they are rolled out depend on the institution’s IT team. REDCap states that new long-term support releases are rolled out every six months.

Censys ARC Perspective

Geography

The U.S. dominates the exposure landscape of REDCap instances (40%), followed by the U.K. (7.4%), Germany (4.8%), and Australia (3.9%). While most instances are concentrated in the U.S. and Europe, there is a long tail of instances across more than 100 countries, including China (2.5%), India (2.4%), and South Africa (2.1%). The global spread illustrates that REDCap is a popular tool with wide adoption.

Networks

A plurality of REDCap instances are cloud deployments—primarily Amazon and Microsoft, though Alibaba Cloud, OVH, and Digital Ocean are also among the top autonomous systems where we observe REDCap instances.

Research networks such as the U.K.’s Janet Network (Jisc), Germany’s National Research and Education Network (DFN), and Italy’s Research and Education Network (GARR) also host instances of REDCap on their dedicated infrastructure.

Versions

We find that 16.0.17 is the most commonly observed version of REDCap deployed, representing just over 30% of all Internet-facing deployments. 16.1.4, the next largest concentration, represents just 4.93%.

It is unclear from REDCap’s website when each of these versions was released, but the existence of 17.x.x releases suggests that the 16.x.x versions may be somewhat outdated. 17.1.3 appears to be the latest version available, and only 1.18% of instances were running this patch version as of June 16, 2026.

REDCap Version    Percent of Observations
16.0.17           30.1%
16.1.4            4.93%
16.0.15           3.34%
17.1.2            3.30%
16.0.32           1.91%
15.5.36           1.83%
16.0.33           1.66%
17.1.1            1.37%
17.1.3            1.18%
17.0.8            1.07%

Mitigation: What Can Be Done?

  • REDCap operators should assemble a comprehensive inventory of their instances, including any departmental or self-hosted installations, and ensure each is patched to the latest version available.
  • As REDCap notes in their documentation on best practices, “much of the security surrounding REDCap has nothing to do with the REDCap software itself but rather is dependent upon the IT infrastructure and environment in which REDCap has been installed…Typical best practices are that the web server and database server be two separate servers and that the database server be located securely behind a firewall.”
  • Enforce multi-factor authentication on administrator accounts at a minimum.
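As an added illustration of the inventory-and-patch recommendation above (example code, not Censys or REDCap code), the following Python audits a constructed list of hosts and reported REDCap version strings against the latest version cited in this post. The hostnames and banner values are assumptions; the comparison is done on numeric tuples because comparing version strings lexically would rank 16.0.3 above 16.0.17.

```python
# Added example: audit a constructed REDCap inventory for patch lag.
# Not Censys or REDCap code; hostnames and banners below are placeholders.
from collections import Counter
import re

LATEST_VERSION = "17.1.3"  # latest REDCap release observed in the post

# Constructed sample inventory: (hostname, version string reported by the instance).
INVENTORY = [
    ("redcap.example-university.edu", "16.0.17"),
    ("redcap.example-hospital.org", "17.1.3"),
    ("study.example-lab.net", "16.1.4"),
    ("redcap2.example-university.edu", "16.0.17"),
    ("data.example-clinic.org", "15.5.36"),
    ("trial.example-institute.edu", "17.1.2"),
    ("broken.example.org", "unknown"),  # banner could not be parsed
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if text is not x.y.z."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def audit(inventory, latest=LATEST_VERSION):
    """Classify each host as current, outdated, or unknown relative to `latest`."""
    latest_t = parse_version(latest)
    result = {"current": [], "outdated": [], "unknown": []}
    for host, ver in inventory:
        parsed = parse_version(ver)
        if parsed is None:
            result["unknown"].append(host)      # needs manual follow-up
        elif parsed < latest_t:                 # numeric tuple comparison
            result["outdated"].append(host)
        else:
            result["current"].append(host)
    return result

def version_share(inventory):
    """Percent of parseable observations per version, like the table above."""
    counts = Counter(v for _, v in inventory if parse_version(v))
    total = sum(counts.values())
    return {v: round(100 * n / total, 2) for v, n in counts.most_common()}

if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status}: {len(hosts)} host(s) -> {', '.join(hosts) or '-'}")
    for ver, pct in version_share(INVENTORY).items():
        print(f"{ver:>8} {pct:6.2f}%")
```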

AUTHOR
The Censys ARC Research Team

Censys ARC is a team of elite security and threat researchers dedicated to identifying, analyzing, and shedding light on Internet phenomena that impact our world. Using Censys’ Map of the Internet — the world’s most comprehensive, accurate, and up-to-date source for Internet infrastructure — ARC investigates and measures the entirety of the public Internet to share critical and emerging threat intelligence and insights with organizations around the world.