Cybersecurity researchers have revealed details of sustained cyber espionage activity against multiple Pakistani law enforcement organizations by suspected China and India-aligned threat actors between February 2024 and April 2026.
“In Balochistan Police, the compromised assets included servers hosting web applications that manage police and civilian data such as criminal and biometric records,” Alexander Milenkoski, principal threat researcher at SentinelOne SentinelLabs, said in a report published this week.
The activity targeted network devices and servers hosting web applications that manage biometric records, hotel and tenant registrations linked to national identity records, criminal case files and personnel records.
It is also said that the China-Nexus threat actor compromised one of these web applications to deploy a custom implant in the form of a portal update. The application in question, called Complaint Management System (CMS), serves police personnel and citizens, putting both categories of users in the attacker’s orbit.
SentinelOne said it detected infrastructure linked to several other Pakistani law enforcement organizations, including Khyber Pakhtunkhwa Police, Islamabad Police and Punjab Safe Cities Authority (PSCA).
Four distinct threat groups have been identified, each deploying a unique malware family: PlugX, ShadowPad, Cobalt Strike, and Remcos RAT. The use of Remcos RAT has been linked to the India-Nexus threat actor, while PlugX, ShadowPad and Cobalt Strike clusters are built on shared or commodity tooling and each can include more than one operator.
Having said that, the deployment of both PlugX and ShadowPad, the latter of which is considered a successor to PlugX, has traditionally been linked to Chinese nation-state hacking groups.
“The victimology we observed for PlugX (between February 27 and September 28, 2024) and Shadowpad (between August 3 and December 1, 2024) reinforces this assessment,” the cybersecurity company said.
“Beyond Pakistani law enforcement, victim science for PlugX and Shadowpad includes government, foreign affairs, defense, nongovernmental, and research entities in South, Southeast, Central and East Asia, the Arabian Peninsula, and Southeast Europe, consistent with China-aligned collection.”
The REMCOS-related intrusion set is evaluated to share infrastructure and tactical overlap with a hacking group called Mysterious Elephant (aka APT-C-08, APT-K-47, and TAG-179), which, in turn, shares similarities with India-Nexus adversaries such as Sidewinder, Confucius, and Biter.
The attack chains have been found to employ decoys involving Pakistani law enforcement, displaying a fake document claiming to contain an operational plan for the repatriation of illegal foreigners, including Afghan Citizen Card (ACC) holders.
The Cobalt Strike activity cluster’s connection to China-Nexus threat actors is based on the fact that traffic to an attacker-controlled command-and-control (C2) server (“142.171.183[.]8”) extends beyond Pakistani law enforcement to government, academic, telecommunications and non-governmental entities in South, East and Southeast Asia, the Middle East and South America – a victim profile consistent with China-aligned hackers.
Those targeted also include Tibetan Buddhist organizations in Taiwan, which have long been China’s target for cyber espionage.
Further investigation into the activity aimed at Balochistan Police has revealed the settlement of the following assets that took place between June 2, 2024 and April 9, 2026 –
- two network devices
- Web servers hosting several Balochistan Police web applications linked to the Smart Police Station digitization initiative
- A Fortinet FortiMail appliance that served as the agency’s primary inbound email gateway
One of the infected applications is the Complaint Management System (“cms.balochistanpolice.gov[.]pk”), which is used to register, track and resolve citizen complaints. Two different variants of the implant named “cms_plugin.exe” have been uploaded to the site regarding the operation –
- A Rust stager designed to download an additional payload from “193.42.25”[.]65″ and execute it. The exact nature of the next step is unknown, but the samples display a message “Update Complete! Please refresh the page upon execution, mimicking the CMS portal update.
- A .NET executable disguised as “360Safe.exe” is a legitimate binary used by Qihoo 360 Total Security to reflectively load the assembly that implements the AsyncRAT client.
This activity is notable because it has attracted both “Pakistan’s partners and rivals” to the same hunt for intelligence gathering, possibly motivated by geopolitical motives.
“When multiple cyber espionage actors operate against the law enforcement institutions of the same state, convergence is itself a signal of target value,” Milenkoski explained. “What attracts them is a particular type of institution: one that has an internal security picture of a government, what it knows about threats inside its borders, and how it acts against them.”
“The compromise of the Complaint Management System web application adds a second dimension to the activity against Balochistan Police, extending the threat actor’s reach beyond the environment it was initially compromised in. By hosting the implant in a portal used by both citizens and law enforcement personnel, the threat actor transformed a tool designed to make policing in Pakistan more accessible and accountable to the public into a malware distribution mechanism.”