In an alarming demonstration of sophisticated cyber espionage, a China-linked threat actor has leveraged legitimate cloud infrastructure to exfiltrate sensitive research data from North American institutions. The campaign, which operated undetected for over a year, highlights how attackers are evolving beyond traditional malware methods to exploit the very tools designed to improve organizational productivity and collaboration.

The espionage campaign targeted medical, academic, and military research networks across North America. Initial compromise occurred through a backdoor installed on REDCap research servers, web-based applications widely used in academic institutions for collecting and managing research data. Once inside, the attackers quietly harvested login credentials that provided access to email systems. What set this attack apart, however, was the exfiltration method. Rather than deploying suspicious malware or connecting to obvious command-and-control servers, the hackers manipulated the victims' own Google Workspace rules to automatically copy and forward messages containing sensitive research and defense information. By abusing legitimate functionality, the attackers effectively disguised their
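The mail-rule abuse described above is something a Workspace administrator can audit for. The following is an added example (not code from the article or from Google) that flags user filters which forward mail to an external domain or hide the forwarded copy; the filter records are constructed sample data shaped like the Gmail API `users.settings.filters` resource, and `ORG_DOMAIN` is an assumed institutional domain.

```python
# Constructed sample data modeled on the Gmail API "users.settings.filters"
# resource (criteria + action, where action may carry "forward" and label changes).
ORG_DOMAIN = "example-research.org"  # assumed: the institution's own mail domain

SAMPLE_FILTERS = [
    # benign: labels calendar notices, no forwarding
    {"id": "f1", "criteria": {"from": "calendar-notification@google.com"},
     "action": {"addLabelIds": ["Label_Calendar"]}},
    # suspicious: external forward that also removes the copy from the inbox
    {"id": "f2", "criteria": {"query": "subject:(grant OR ITAR OR protocol)"},
     "action": {"forward": "archive.backup@mailbox-example.net",
                "removeLabelIds": ["INBOX", "UNREAD"]}},
    # internal delegation: forwards within the org, nothing hidden
    {"id": "f3", "criteria": {"to": "lab-team@example-research.org"},
     "action": {"forward": "pi-assistant@example-research.org"}},
]


def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_filters(filters, org_domain=ORG_DOMAIN):
    """Return findings for filters that forward mail outside the org or hide copies."""
    findings = []
    for f in filters:
        action = f.get("action", {})
        fwd = action.get("forward")
        if not fwd:
            continue  # only forwarding rules matter for this check
        removed = set(action.get("removeLabelIds", []))
        reasons = []
        if domain_of(fwd) != org_domain.lower():
            reasons.append("forwards to external domain %s" % domain_of(fwd))
        if "INBOX" in removed:
            reasons.append("skips inbox, so the user never sees the forwarded message")
        if "UNREAD" in removed:
            reasons.append("marks the message as read")
        if reasons:
            findings.append({"id": f["id"], "forward": fwd, "reasons": reasons,
                             "severity": "high" if len(reasons) > 1 else "medium"})
    return findings


if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_FILTERS):
        print(finding["id"], finding["severity"], "; ".join(finding["reasons"]))
```

In a real deployment the filter list would be pulled per mailbox with domain-wide delegation and the findings fed to the SIEM; a rule that both forwards externally and removes the INBOX label is the pattern worth alerting on immediately.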