Timeline of C2 traffic to Pakistani law enforcement organizations | Image: SentinelLABS
At a Glance
| Actors | Suspected China-nexus (PlugX, ShadowPad, Cobalt Strike) and India-nexus (Remcos; TAG-179) groups |
|---|---|
| Activity type | State-nexus cyberespionage; C2 intrusions; malware implanted in a police web portal |
| Targets | Balochistan Police (primary), Khyber Pakhtunkhwa Police, Islamabad Police, Punjab Safe Cities Authority |
| Scale | February 2024 to April 2026; four tooling clusters; criminal, biometric, and citizen records exposed |
| Status | Research disclosure; no arrests; suspected state-nexus attribution |
| Source | SentinelLABS (SentinelOne) |
TL;DR
SentinelLABS says suspected China- and India-linked spies both targeted Pakistani law enforcement from 2024 to 2026. Separate operations converged on Balochistan Police, hitting servers that hold criminal and biometric records. One China-nexus actor even planted malware inside a police complaint portal used by ordinary citizens.
What Happened
Between February 2024 and April 2026, SentinelLABS tracked intrusions into several Pakistani law enforcement bodies. Its analysis of command-and-control netflow data revealed four tooling clusters converging on this victim class: PlugX, ShadowPad, Cobalt Strike, and Remcos.
The heaviest activity hit Balochistan Police, the main force in Pakistan’s southwestern province. Affected assets included network appliances and web servers. Those servers host applications for biometric records, criminal case files, personnel data, and hotel and tenant registrations tied to national identity records. A Fortinet FortiMail email appliance was also compromised.
The clusters ran at different times. PlugX appeared first in early 2024, while the India-linked Remcos traffic ran into April 2026. Many of these apps belong to the EU-supported “Smart Police Station” digitalization drive. Other victims included the Khyber Pakhtunkhwa Police, the Islamabad Police, and the Punjab Safe Cities Authority.
The complaint portal compromise
One intrusion stood out. The Complaint Management System (CMS) at Balochistan Police serves both officers and citizens. A suspected China-nexus actor uploaded implants named cms_plugin.exe into the portal, disguised as an update.
The .NET variant posed as a Qihoo 360 security component and loaded an AsyncRAT client. On launch, it showed a fake prompt, “Update Complete! Please refresh the page.” SentinelLABS says the actor was “weaponizing a tool of Pakistan’s police digitalization against its users.” Police staff and complaining citizens alike fell within reach.
Who Is Behind It
Attribution stays cautious. SentinelLABS clusters activity by tooling, not by named actor. PlugX and ShadowPad are backdoors shared among Chinese cyberespionage groups. The firm attributes both Cobalt Strike servers to China-nexus actors with medium confidence.
Code offers a further clue. Researchers traced the CMS implants to a Chinese-speaking developer, citing a shared build path, pinyin terms, and simplified-Chinese log messages.
The Remcos cluster points elsewhere. SentinelLABS links it to a suspected India-nexus actor that Recorded Future tracks as TAG-179. That group overlaps with the actor Kaspersky calls Mysterious Elephant and Qihoo 360 calls Bitter. One India-nexus lure posed as a plan to repatriate Afghan nationals, a theme fitting Pakistani police targets.
Motives differ by side. For China, the likely driver is the safety of its nationals, who are tied to the China-Pakistan Economic Corridor and have faced deadly attacks claimed by the Balochistan Liberation Army. For India, the pull is its rivalry with Pakistan over the same province.
Responses
Governments pushed back. A Chinese Embassy spokesperson said Beijing “firmly opposes and combats all forms of cyberattacks.” The Indian Embassy did not respond. The Khyber Pakhtunkhwa Police said there is “no evidence that any core KP police system… has been successfully compromised,” though it noted a rise in attempted activity during India-Pakistan tensions.
Impact and Scale
The potential haul is broad. If the actors reached the backing data stores, they could pull personnel files, criminal records, biometric data, vehicle records, hotel logs, tenant registrations, and citizen complaints. Together, that paints a full picture of Balochistan Police operations.
The portal implant widened the damage. For an infected officer, it could open a path into internal police networks. For an infected citizen, it could enable surveillance of who filed a complaint. SentinelLABS has not put a number on affected users.
What Comes Next
The multi-actor convergence on Pakistani law enforcement points to a structural risk in digital policing. Centralizing records and public services also centralizes intelligence value. As SentinelLABS puts it, such infrastructure is “no longer just the digital backbone of policing but intelligence terrain.”
Defenders should act on that lesson. Segment public-facing portals from restricted police systems. Monitor web directories for unauthorized uploads, and treat surprise “update” prompts as suspect. Retire stale appliances like that FortiMail gateway, and rotate any credentials exposed in infostealer logs. For the full analysis and indicators, read SentinelLABS’ report on the campaign.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.