
China Spent Over a Year Inside U.S. Medical Research Networks — And Used Google’s Own Email Rules to Steal Data
The attackers, tracked as "UNC6508," did not write new malware to steal emails. They created an administrator rule inside Google Workspace, named it "Patroit" — misspelling the word — and let the platform silently forward every matching email to a Gmail address they controlled. The data left through the front door.
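A defender's view of the same technique, as an added example that is not from Google's report: a review of admin mail-rule changes that flags any rule delivering copies outside the organisation. The event schema, field names, domains and sample records are constructed assumptions for illustration, not the real Google Workspace audit-log format.

```python
import json

# Constructed sample events in a simplified, hypothetical schema (NOT the real
# Google Workspace audit-log format): one JSON record per admin action.
SAMPLE_EVENTS = """\
{"time": "2025-01-10T08:00:00Z", "actor": "it-admin@example.edu", "action": "create_mail_rule", "rule_name": "Legal hold copy", "also_deliver_to": ["archive@example.edu"]}
{"time": "2025-01-12T03:14:00Z", "actor": "svc-admin@example.edu", "action": "create_mail_rule", "rule_name": "Patroit", "also_deliver_to": ["placeholder.address@gmail.com"]}
{"time": "2025-01-13T09:30:00Z", "actor": "it-admin@example.edu", "action": "update_mail_rule", "rule_name": "Vendor relay", "also_deliver_to": ["tickets@vendor.example"]}
{"time": "2025-01-14T11:00:00Z", "actor": "it-admin@example.edu", "action": "reset_password", "target": "user@example.edu"}
"""

ORG_DOMAINS = {"example.edu"}           # assumption: the tenant's own domains
APPROVED_EXTERNAL = {"vendor.example"}  # assumption: reviewed partner domains
CONSUMER_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
RULE_ACTIONS = {"create_mail_rule", "update_mail_rule"}


def in_domains(address, domains):
    """True if the address's domain equals, or is a subdomain of, a listed domain."""
    dom = address.rsplit("@", 1)[-1].strip().lower()
    return any(dom == d or dom.endswith("." + d) for d in domains)


def find_external_forwarding(log_text):
    """Return one finding per rule recipient outside the organisation's allowlists."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)  # malformed records raise instead of being skipped
        if event.get("action") not in RULE_ACTIONS:
            continue
        for rcpt in event.get("also_deliver_to", []):
            if in_domains(rcpt, ORG_DOMAINS | APPROVED_EXTERNAL):
                continue
            findings.append({
                "time": event["time"],
                "actor": event["actor"],
                "rule_name": event["rule_name"],
                "recipient": rcpt,
                # Consumer mailboxes are the pattern described in the article.
                "severity": "high" if in_domains(rcpt, CONSUMER_MAIL) else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_EVENTS):
        print(finding)
```

Because such a rule uses a legitimate platform feature, the review keys on who receives the copy rather than on the rule's name or the presence of malware.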
Google's Threat Intelligence Group documented a sustained espionage campaign attributed with high confidence to UNC6508, a People's Republic of China-nexus threat actor. The campaign targeted North American academic, medical, and military research institutions beginning in September 2023 and continuing through at least November 2025 — more than two years of activity, over a year o...