Skip to main content
Emerging ThreatsMalware & Ransomware

China, India-Aligned Hackers Target Pakistani Law Enforcement in Espionage Campaigns

Brightly-lit server room in a Pakistani law enforcement office with generic computer equipment and network devices.

"At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and biometric records," Aleksandar Milenkoski, principal threat researcher at SentinelOne SentinelLABS, said in a report published this week.

SentinelOne SentinelLABS: scope and timeline

Cybersecurity researchers at SentinelOne reported sustained cyber espionage against several Pakistani law enforcement organizations between February 2024 and April 2026. The activity targeted network appliances and servers hosting web applications that manage biometric records, hotel and tenant registrations linked to national identity records, criminal case files, and personnel records. SentinelOne said it detected compromised infrastructure associated with Balochistan Police as well as the Khyber Pakhtunkhwa Police, the Islamabad Police, and the Punjab Safe Cities Authority (PSCA).

Compromises inside Balochistan Police infrastructure

Examination of the operations affecting Balochistan Police found compromises spanning June 2, 2024, to April 9, 2026. Affected assets included two network appliances, multiple web servers hosting applications connected to the Smart Police Station digitalization initiative, and a Fortinet FortiMail appliance that had served as the agency's primary inbound email gateway. One publicly reachable application identified by SentinelOne is the Complaint Management System at cms.balochistanpolice.gov[.]pk, used for registering, tracking, and resolving citizen complaints.

Four malware clusters and contested attribution

SentinelOne flagged four distinct threat clusters, each deploying a different malware family: PlugX, ShadowPad, Cobalt Strike, and Remcos RAT. The report links the use of Remcos RAT to an India-nexus threat actor. By contrast, the deployment of PlugX and ShadowPad is described as "traditionally associated with Chinese nation-state hacking groups." SentinelOne provides operational date ranges for those families: PlugX activity was observed between 27 February and 28 September 2024, while ShadowPad activity was observed between 3 August and 1 December 2024.

The Cobalt Strike cluster is tied to a command-and-control server at 142.171.183[.]8; SentinelOne notes that traffic to that C2 extends beyond Pakistani law enforcement to government, academic, telecommunications, and non-governmental entities across South, East, and Southeast Asia, the Middle East, and South America. Among the Cobalt Strike victims called out are Tibetan Buddhist organizations in Taiwan. The Remcos-related intrusion set is assessed to share infrastructure and tactical overlaps with a group known as Mysterious Elephant (aka APT-C-08, APT-K-47, and TAG-179) and to have commonalities with India-nexus adversaries such as SideWinder, Confucius, and Bitter.

Complaint Management System: implants, lures, and a public-facing delivery vector

SentinelOne found two distinct variants of an implant named "cms_plugin.exe" uploaded to the CMS portal. One variant is a Rust stager designed to download an additional payload from 193.42.25[.]65 and execute it; samples of that stager display the message "Update Complete! Please refresh the page" upon execution, mimicking a portal update. The second variant is a .NET executable that masquerades as "360Safe.exe" — a legitimate Qihoo 360 Total Security binary — and reflectively loads an assembly implementing an AsyncRAT client.

Attack chains included decoy documents that purported to contain an operational plan for the repatriation of illegal foreigners, including Afghan Citizen Card (ACC) holders. SentinelOne emphasized the operational significance of hosting implants in a portal used by both citizens and police staff, noting that it "turned a tool built to make policing in Pakistan more accessible and accountable to the public into a malware delivery mechanism."

What this means for technologists, policymakers, and citizens

  • Technologists and security teams: prioritize forensic review of the Smart Police Station web applications, network appliances, and the FortiMail gateway identified in the report; catalog and mitigate any cms_plugin.exe artifacts and C2 connections such as 193.42.25[.]65 and 142.171.183[.]8.
  • Policymakers and law enforcement procurement leaders: the report highlights that both "a partner and an adversary of Pakistan" targeted the same institutions — a convergence SentinelOne says signals the intelligence value of law enforcement holdings — and will need to factor that risk into procurement, vendor oversight, and interagency information-sharing.
  • Citizens and civil-society organizations: portals designed for complaints and identity-linked services can become distribution points; documents tied to sensitive operations such as repatriation of ACC holders were used as lures, raising exposure risks for people engaging with affected services.

SentinelOne's record of compromises through April 9, 2026, shows multiple operators using a mix of commodity tooling and bespoke implants against the same state institutions. As the company put it, "When multiple cyberespionage actors operate against law enforcement institutions of a single state, the convergence itself is a signal of target value." For Balochistan Police, the challenge is now concrete: account for implanted binaries, sever identified C2 links, and restore public-facing portals that previously served both citizens and officers.

Original story