Skip to main content
Threat IntelligenceEmerging Threats

Chinese and Indian Spies Target Pakistani Police Systems

Police officers work at desks in a brightly-lit station with a large map of Balochistan on the wall.

“Between February 2024 and April 2026, suspected China- and India-nexus actors ran intrusion campaigns against several Pakistani law enforcement bodies,” SentinelLabs reported on July 9 — and the campaigns converged on a single, strategically valuable target: Balochistan Police.

SentinelLabs' timeline and scope

SentinelLabs, the research arm of SentinelOne, published an analysis on July 9 documenting intrusion activity that ran from February 2024 through April 2026. The activity targeted several Pakistani law enforcement bodies, concentrating on Balochistan Police, the province’s main force. Compromised assets included servers running applications that held biometric records, criminal case files and tenant registrations tied to national identity data. SentinelLabs reported that one China-nexus actor had implanted code in a portal used by both officers and citizens.

The Complaint Management System: a portal weaponized

The analysis highlights a single civilian-facing application as a standout compromise: the force’s Complaint Management System (CMS), used by officers and citizens to check complaints. SentinelLabs found two variants of an implant named cms_plugin.exe uploaded in late 2024 — one written in Rust and one in .NET. The Rust variant acted as a stager and, when executed, displayed the message “Update Complete! Please refresh the page,” mimicking a routine portal update. The .NET variant posed as a component of Chinese vendor Qihoo 360’s security software and loaded an AsyncRAT client. SentinelLabs noted shared code and Simplified Chinese strings in the .NET implant, which the researchers said pointed to a Chinese-speaking developer.

Malware clusters and the attribution signals SentinelLabs observed

SentinelLabs grouped observed command-and-control activity into four clusters. The presence of PlugX, ShadowPad and Cobalt Strike activity led the researchers to link three clusters to China-nexus operators. A separate cluster running Remcos was tied to a suspected India-nexus actor that Recorded Future tracks as TAG-179 — a group that Recorded Future said overlaps with a group other investigators call Bitter. The combined picture, SentinelLabs concluded, was of rival nation-state actors running parallel campaigns against the same policing infrastructure.

Why each rival reportedly targeted Balochistan Police

SentinelLabs set out likely motives tied to competing national interests. For China, the analysis said the driver was the safety of Chinese nationals connected to the China-Pakistan Economic Corridor (CPEC): those nationals “have reportedly faced repeated deadly attacks, some claimed by the Balochistan Liberation Army (BLA), a Baloch separatist group.” Access to police data, SentinelLabs said, would allow China to assess that threat independently. For India, SentinelLabs suggested the motive was bilateral rivalry: Balochistan is a recurring flashpoint, Islamabad has accused New Delhi of backing the insurgency (an accusation India denied), and Balochistan Police “holds the record of how Pakistan polices the province,” making their systems a high-value intelligence target.

What this means for Pakistani police, technologists, and foreign governments

  • Pakistani police and citizens: The compromised systems, SentinelLabs reported, put at risk police personnel and payroll records, criminal case files and fingerprint biometrics, stolen vehicle records, hotel check-ins tied to identity data, landlord and tenant registrations, and citizen complaints including misconduct reports.
  • Security teams and technologists: The CMS compromise demonstrates how a single civilian portal can be used as an access vector; implants mimicking vendor updates and legitimate security software components were part of the intrusion chain SentinelLabs documented.
  • Foreign governments and intelligence planners: SentinelLabs’ findings show rival operators converging on the same datasets — an operational overlap that concentrates intelligence value in centralized police IT systems and makes those systems attractive targets for any capable adversary.

The SentinelLabs record underscores a structural risk: systems that centralize records and services also concentrate intelligence value, the researchers wrote, “making police infrastructure intelligence terrain for any capable adversary.” The analysis leaves one practical question for Pakistani authorities and their partners: will the response prioritize segmentation and isolation of these high-value systems to reduce a single point of compromise, or will other priorities dictate a different path?

Read the original report at https://www.infosecurity-magazine.com/news/chinese-indian-espionage-pakistani/.