Cyber Threat Brief — June 16 2026
⚠️ This report is AI-generated. Always validate findings.
1. UNC6508 Espionage via REDCap Servers & Google Workspace Rules
TL;DR: China-nexus UNC6508 compromised REDCap medical research servers, deployed INFINITERED credential-harvesting malware, then abused Google Workspace content compliance rules to silently exfiltrate emails matching defense/AI/military keywords — undetected for 14+ months.
What’s New:
- GTIG disclosed June 15; campaign ran September 2023 – November 2025 across US/Canadian research institutions
- Custom INFINITERED malware trojanizes REDCap system files with upgrade-surviving dropper, credential harvester, and HTTP cookie-based backdoor
- Google Workspace “Patroit” [sic] compliance rule forwarded keyword-matched emails to attacker-controlled Gmail — nearly zero forensic trace
- YARA rules and IOCs published by GTIG; malicious infrastructure disrupted
- Targeted collection: geo-strategic policy, military strategy, AI, uncrewed vehicles, offensive cyber, medical research
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| INFINITERED dropper (trojanized REDCap PHP) | Malware | T1505.003 | Web server filesystem | Scan REDCap installs with GTIG YARA rules |
| help.php webshell in REDCap app dir | Webshell | T1505.003 | Web server access logs | Hunt for help.php requests in REDCap paths |
| ”Patroit” content compliance rule | Persistence | T1114.003 | Google Workspace Admin audit logs | Audit content compliance rules for unknown forwarding addresses |
| Credential harvesting via REDCap sessions table | Credential Access | T1056.003 | Database logs | Query sessions table for anomalous credential entries |
| Backdoor commands via HTTP cookies | C2 | T1071.001 | Web proxy/WAF logs | Inspect oversized or encoded cookie values to REDCap endpoints |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No REDCap-specific detection; need webshell + PHP trojan rules for REDCap paths |
| Elastic | Web Shell Detection: Script Process Child of Common Web Processes (generic) | No Google Workspace compliance rule abuse detection |
| Sigma | None specific | Need Google Workspace content compliance rule creation/modification alert |
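The Google Workspace persistence mechanism above has no off-the-shelf detection, so here is an added hunting script (written for this brief, not GTIG's or Google's code) that sweeps exported Admin audit activity records for content compliance rules whose new value routes mail to an address outside the organisation. The record layout (`actor.email`, `events[].name`, `events[].parameters[]` with `SETTING_NAME` / `NEW_VALUE` / `ORG_UNIT_NAME`) and the event names `CREATE_GMAIL_SETTING` / `CHANGE_GMAIL_SETTING` are an assumed simplification of the Reports API shape; confirm them against your own export before relying on the field names. The sample records, domains and addresses are constructed.

```python
"""Hunt Google Workspace admin audit records for content compliance rules that
forward matched mail to an external address (added example; assumed schema)."""
import re

# Constructed: domains we consider internal. Any other recipient is external.
INTERNAL_DOMAINS = {"example-university.edu"}

# Assumed event names for Gmail setting changes in the 'admin' audit application.
SETTING_EVENTS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+\.)+[A-Za-z]{2,}")

# Constructed sample records (not real audit data).
SAMPLE_RECORDS = [
    {   # Legitimate rule: matches go to an internal review mailbox.
        "id": {"time": "2024-02-01T09:12:00Z"},
        "actor": {"email": "it-admin@example-university.edu"},
        "events": [{"type": "EMAIL_SETTINGS", "name": "CREATE_GMAIL_SETTING",
                    "parameters": [
                        {"name": "SETTING_NAME", "value": "Content compliance: Export Control Review"},
                        {"name": "NEW_VALUE", "value": "match: ITAR|EAR; action: add recipient export-review@example-university.edu"},
                        {"name": "ORG_UNIT_NAME", "value": "/"}]}]},
    {   # The pattern from the brief: keyword matches copied to an external Gmail address.
        "id": {"time": "2024-09-03T02:47:13Z"},
        "actor": {"email": "it-admin@example-university.edu"},
        "events": [{"type": "EMAIL_SETTINGS", "name": "CREATE_GMAIL_SETTING",
                    "parameters": [
                        {"name": "SETTING_NAME", "value": "Content compliance: Patroit"},
                        {"name": "NEW_VALUE", "value": "match: defense|military|AI|uncrewed; action: add recipient collector.placeholder@gmail.com"},
                        {"name": "ORG_UNIT_NAME", "value": "/"}]}]},
    {   # Unrelated Gmail setting change with no recipient at all.
        "id": {"time": "2024-10-11T14:00:00Z"},
        "actor": {"email": "it-admin@example-university.edu"},
        "events": [{"type": "EMAIL_SETTINGS", "name": "CHANGE_GMAIL_SETTING",
                    "parameters": [
                        {"name": "SETTING_NAME", "value": "Spam filter: bypass for approved senders"},
                        {"name": "NEW_VALUE", "value": "enabled"},
                        {"name": "ORG_UNIT_NAME", "value": "/Staff"}]}]},
]


def _params(event):
    """Flatten an event's parameter list into a name -> value dict."""
    return {p["name"]: p.get("value", "") for p in event.get("parameters", [])}


def external_recipients(text, internal_domains=INTERNAL_DOMAINS):
    """Return every email address in text whose domain is not one of ours."""
    found = set()
    for m in EMAIL_RE.finditer(text):
        addr = m.group(0)
        if addr.rsplit("@", 1)[1].lower() not in internal_domains:
            found.add(addr)
    return sorted(found)


def find_external_compliance_rules(records, internal_domains=INTERNAL_DOMAINS):
    """Flag content compliance rule creations/changes whose new value names an
    external recipient. The rule's display name is deliberately not trusted:
    the brief's 'Patroit' rule looked benign, so we key on the destination."""
    hits = []
    for rec in records:
        actor = rec.get("actor", {}).get("email", "unknown")
        when = rec.get("id", {}).get("time", "")
        for ev in rec.get("events", []):
            if ev.get("name") not in SETTING_EVENTS:
                continue
            p = _params(ev)
            if "content compliance" not in p.get("SETTING_NAME", "").lower():
                continue
            ext = external_recipients(p.get("NEW_VALUE", ""), internal_domains)
            if ext:
                hits.append({"time": when, "actor": actor,
                             "rule": p["SETTING_NAME"],
                             "org_unit": p.get("ORG_UNIT_NAME", ""),
                             "external_recipients": ext})
    return hits


if __name__ == "__main__":
    for hit in find_external_compliance_rules(SAMPLE_RECORDS):
        print(hit)
```

Run it over a JSON export of the admin application's activity list once the parameter names are confirmed; the one design choice worth keeping is that the check triggers on the forwarding destination rather than on the rule name, because the adversary chose an innocuous-looking name.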
Sources: Help Net Security, The Hacker News, Dark Reading
2. Awesome Motive CDN Supply Chain — OptinMonster / TrustPulse / PushEngage
TL;DR: Attacker compromised Awesome Motive’s marketing server via UpdraftPlus vuln, stole a CDN API key, and injected rogue-admin-creating JavaScript into CDN-hosted SDKs serving 1.2M+ WordPress sites. Backdoor plugins installed via the admin’s own authenticated session.
What’s New:
- Patchstack detailed writeup June 15; exposure window June 12–14
- C2 domain tidio.cc (84.201.6[.]54) registered April 28 — campaign pre-staged
- Injected JS creates admin accounts (developer_api1 / randomized dev_xxxxxx) via 4 fallback methods (REST, form, AJAX, iframe)
- Self-hiding backdoor plugins (“Content Delivery Helper”, “Database Optimizer”) with webshell and eval endpoints
- 271 exploitation attempts blocked across 13 sites from 81 residential IPs (admin browsers executing payload)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| tidio.cc / 84.201.6[.]54 (AS214036) | C2 Domain/IP | T1071.001 | DNS/proxy logs | Block at DNS and firewall |
| developer_api1 / [email protected] | Rogue account | T1136.001 | WordPress user table | Delete and audit all admin accounts |
| dev_xxxxxx / [email protected] pattern | Rogue account | T1136.001 | WordPress user table | Query wp_users for dev_ prefix accounts |
| ?developer_api1_fm / developer_api1_eval params | Webshell | T1505.003 | WAF/access logs | Hunt for these query parameters |
| XOR key jX9kM2nP4qR6sT8v | Malware signature | T1027 | File content scan | Grep wp-content for this string |
| Plugins: content-delivery-helper, database-optimizer | Backdoor | T1505.003 | Filesystem | Check wp-content/plugins/ directly (hidden from WP admin UI) |
| Tampered CDN: a.omappapi.com, a.opmnstr.com, a.optnmstr.com, a.trstplse.com, clientcdn.pushengage.com | Supply chain | T1195.002 | CSP/SRI logs | Verify script integrity; implement SRI hashes |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No WordPress rogue admin creation via REST API detection |
| Elastic | None specific | No CDN supply chain script tampering detection |
| Sigma | None specific | Need rule for WordPress /wp-json/wp/v2/users admin creation from unexpected sources |
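The Actionable Intel rows above boil down to three hunts an incident responder would run on an affected WordPress host: rogue admin accounts by naming pattern, webshell query parameters in access logs, and the backdoor plugin slugs / XOR key on disk. The following Python is an added triage script written for this brief (it is not Patchstack's, Sansec's or WordPress's code). The indicators are exactly the ones in the table; the `wp_users` rows, access-log lines and plugin file contents are constructed, and the `dev_` pattern is assumed to be six alphanumeric characters as the table's `dev_xxxxxx` suggests.

```python
"""Triage a WordPress site for the indicators in the brief (added example).
All sample data below is constructed; indicators are from the brief's table."""
import re
from urllib.parse import parse_qs, urlparse

# Indicators from the brief.
ROGUE_LOGIN_RE = re.compile(r"^(developer_api1|dev_[A-Za-z0-9]{6})$")  # dev_xxxxxx assumed 6 chars
WEBSHELL_PARAMS = {"developer_api1_fm", "developer_api1_eval"}
XOR_KEY = b"jX9kM2nP4qR6sT8v"
BACKDOOR_PLUGINS = {"content-delivery-helper", "database-optimizer"}

# Constructed wp_users rows (only the columns the hunt needs).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "role": "administrator"},
    {"ID": 2, "user_login": "devon", "role": "editor"},            # benign 'dev' prefix, must not match
    {"ID": 41, "user_login": "developer_api1", "role": "administrator"},
    {"ID": 42, "user_login": "dev_q7x2kd", "role": "administrator"},
]

# Constructed access log in Apache combined-style format.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jun/2026:08:02:11 +0000] "GET /wp-admin/admin-ajax.php?developer_api1_eval=1 HTTP/1.1" 200 512
198.51.100.7 - - [13/Jun/2026:08:03:40 +0000] "GET /?p=42 HTTP/1.1" 200 9231
203.0.113.5 - - [13/Jun/2026:08:05:02 +0000] "POST /index.php?developer_api1_fm HTTP/1.1" 200 77
198.51.100.9 - - [13/Jun/2026:08:06:15 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4410
"""

# Constructed plugin tree as path -> bytes (stands in for walking wp-content/plugins/).
SAMPLE_PLUGIN_FILES = {
    "wp-content/plugins/akismet/akismet.php": b"<?php /* legitimate plugin */",
    "wp-content/plugins/content-delivery-helper/helper.php": b"<?php $k='jX9kM2nP4qR6sT8v'; /* ... */",
    "wp-content/plugins/seo-tools/seo.php": b"<?php /* unrelated */",
}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def rogue_users(users):
    """Return logins matching the campaign's account-naming pattern."""
    return [u["user_login"] for u in users if ROGUE_LOGIN_RE.match(u["user_login"])]


def webshell_requests(log_text):
    """Return (ip, target, params) for requests carrying a webshell parameter.
    keep_blank_values=True matters: the brief shows '?developer_api1_fm' bare."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m["target"]).query, keep_blank_values=True)
        found = WEBSHELL_PARAMS & set(qs)
        if found:
            hits.append((m["ip"], m["target"], sorted(found)))
    return hits


def suspicious_plugin_files(files):
    """Return (path, reasons) for files in a known backdoor plugin dir or
    containing the XOR key. Checks the filesystem view, since the plugins
    hide themselves from the WP admin UI."""
    hits = []
    for path, content in files.items():
        parts = path.split("/")
        plugin = parts[2] if len(parts) > 3 and parts[:2] == ["wp-content", "plugins"] else None
        reasons = []
        if plugin in BACKDOOR_PLUGINS:
            reasons.append("known backdoor plugin slug")
        if XOR_KEY in content:
            reasons.append("XOR key present")
        if reasons:
            hits.append((path, reasons))
    return hits


if __name__ == "__main__":
    print("rogue users:", rogue_users(SAMPLE_USERS))
    print("webshell requests:", webshell_requests(SAMPLE_LOG))
    print("plugin files:", suspicious_plugin_files(SAMPLE_PLUGIN_FILES))
```

To run it for real, replace the constructed inputs with a `SELECT ID, user_login FROM wp_users` dump, the site's access log, and a walk of `wp-content/plugins/` reading file bytes; a hit from any of the three functions is grounds to treat the host as compromised rather than simply deleting the account, since the brief notes the backdoor plugins persist independently of the rogue admin.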
Sources: Patchstack, Sansec, BleepingComputer
Status Updates
- CVE-2026-50751 (Check Point VPN): WatchTowr released full PoC and technical analysis June 12. Qilin ransomware exploitation ongoing since May 7. CISA KEV deadline passed June 11. Patch immediately.
- CVE-2026-10520 (Ivanti Sentry): CISA KEV federal deadline passed June 14. Shadowserver confirms post-patch exploitation attempts ongoing. 2 of 19 vulnerable instances confirmed backdoored.
- CVE-2026-47281 (RoguePlanet / Windows Defender): Still UNPATCHED zero-day. No fix expected until next Patch Tuesday (July 8).