Skip to content
Chimera readability score 81 out of 100, Specialist reading level.

Cybersecurity researchers have disclosed details of sustained cyber espionage activity against several Pakistani law enforcement organizations undertaken by suspected China- and India-aligned threat actors between February 2024 and April 2026.
"At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and biometric records," Aleksandar Milenkoski, principal threat researcher at SentinelOne SentinelLABS, said in a report published this week.
The activity targeted network appliances and servers hosting web applications that manage biometric records, hotel and tenant registrations linked to national identity records, criminal case files, and personnel records.
The China-nexus threat actor is also said to have compromised one of these web applications to deploy a custom implant masquerading as a portal update. The application in question, named Complaint Management System (CMS), serves police staff and citizens, thereby putting both categories of users within the attacker's orbit.
SentinelOne said it detected compromised infrastructure associated with several other Pakistani law enforcement organizations, including the Khyber Pakhtunkhwa Police, the Islamabad Police, and the Punjab Safe Cities Authority (PSCA).
Four different threat clusters have been flagged, each deploying a unique malware family: PlugX, ShadowPad, Cobalt Strike, and Remcos RAT. The use of Remcos RAT has been linked to an India-nexus threat actor, while the PlugX, ShadowPad, and Cobalt Strike clusters are built on shared or commodity tooling and may each involve more than one operator.
That having said, the deployment of both PlugX and ShadowPad, the latter of which is considered a successor to PlugX, is traditionally associated with Chinese nation-state hacking groups.
"The victimology we observed for PlugX (between 27 February and 28 September 2024) and ShadowPad (between 3 August and 1 December 2024) reinforces this assessment," the cybersecurity company said.
"Beyond Pakistani law enforcement, victimology for PlugX and ShadowPad includes government, foreign affairs, defense, nongovernmental, and research entities across South, Southeast, Central, and East Asia, the Arabian Peninsula, and Southeast Europe, consistent with China-aligned collection."
The Remcos-related intrusion set is assessed to share infrastructure and tactical overlaps with a hacking group known as Mysterious Elephant (aka APT-C-08, APT-K-47, and TAG-179), which, in turn, has commonalities with India-nexus adversaries such as SideWinder, Confucius, and Bitter.
Attack chains have been found to employ lures related to Pakistani law enforcement, displaying a decoy document that purports to contain an operational plan for the repatriation of illegal foreigners, including Afghan Citizen Card (ACC) holders.
The Cobalt Strike activity cluster's ties to China-nexus threat actors is based on the fact that traffic to the attacker-controlled command-and-control (C2) server ("142.171.183[.]8") extends beyond Pakistani law enforcement to government, academic, telecommunications, and non-governmental entities across South, East, and Southeast Asia, the Middle East, and South America – a victimology profile consistent with China-aligned hackers.
Among those targeted are Tibetan Buddhist organizations in Taiwan, which have long been targeted by China for cyber espionage.
Further examination of the activity aimed at Balochistan Police has uncovered the compromise of the following assets that took place between June 2, 2024, and April 9, 2026 -
- Two network appliances
- Web servers hosting several Balochistan Police web applications associated with the Smart Police Station digitalization initiative
- A Fortinet FortiMail appliance that had served as the agency's primary inbound email gateway
One of the infected applications is the Complaint Management System ("cms.balochistanpolice.gov[.]pk"), which is used for registering, tracking, and resolving citizen complaints. Two distinct variants of an implant called "cms_plugin.exe" have been uploaded to the site in connection with the operation -
- A Rust stager that's designed to download an additional payload from "193.42.25[.]65" and execute it. The exact nature of the next stage is unknown, but the samples display a message "Update Complete! Please refresh the page" upon execution, mimicking a CMS portal update.
- A .NET executable that masquerades as "360Safe.exe," a legitimate binary used by Qihoo 360 Total Security, to reflectively load an assembly implementing an AsyncRAT client.
The activity is notable because it has drawn both a "partner and an adversary of Pakistan" to the same victim for intelligence gathering, likely fueled by geopolitical motives.
"When multiple cyberespionage actors operate against law enforcement institutions of a single state, the convergence itself is a signal of target value," Milenkoski explained. "What draws them is a particular kind of institution: one that holds the government’s internal security picture, what it knows about the threats inside its borders, and how it acts against them."
"The compromise of the Complaint Management System web application adds a second dimension to the activity against Balochistan Police, extending the threat actor's reach beyond the initially compromised environment. By hosting implants in a portal used by both citizens and law enforcement personnel, the threat actor turned a tool built to make policing in Pakistan more accessible and accountable to the public into a malware delivery mechanism."

Facts Only

* Activity spanned from February 2024 to April 2026.
* Compromised assets included servers hosting web applications managing police and citizen data, biometric records, hotel/tenant registrations, criminal case files, and personnel records at Balochistan Police.
* A China-nexus threat actor compromised a web application named Complaint Management System (CMS).
* The activity targeted network appliances and servers managing biometric records and identity information.
* Four threat clusters were flagged: PlugX, ShadowPad, Cobalt Strike, and Remcos RAT.
* Remcos RAT use was linked to an India-nexus threat actor.
* PlugX, ShadowPad, and Cobalt Strike clusters are associated with Chinese nation-state hacking groups.
* Activity also affected Khyber Pakhtunkhwa Police, Islamabad Police, and the Punjab Safe Cities Authority (PSCA).
* The Complaint Management System was used for registering and tracking citizen complaints.
* Two variants of the implant "cmsplugin.exe" were uploaded to the CMS site.
* One implant involved a Rust stager downloading a payload from 193.42.25[.]65.
* Cobalt Strike traffic to C2 server 142.171.183[.]8 extended to entities across South, East, Southeast Asia, the Middle East, and South America.
* Specific assets compromised at Balochistan Police between June 2, 2024, and April 9, 2026 included two network appliances and web servers related to the Smart Police Station digitalization initiative.

Executive Summary

Cyber espionage activity targeting Pakistani law enforcement organizations occurred between February 2024 and April 2026, allegedly conducted by actors aligned with China and India. Compromised assets included servers managing police and citizen data, biometric records, hotel registrations linked to national identity, criminal case files, and personnel records within Balochistan Police. The activity targeted network appliances and web applications, including the Complaint Management System (CMS), which served both police staff and citizens. One specific application was exploited to deploy custom implants, such as cmsplugin.exe, on the CMS portal. Different threat clusters were identified using distinct malware families: PlugX, ShadowPad, Cobalt Strike, and Remcos RAT. The Remcos RAT use was linked to an India-nexus actor, while PlugX, ShadowPad, and Cobalt Strike clusters are associated with Chinese nation-state hacking groups. The activity extended beyond Pakistani law enforcement to entities like the Khyber Pakhtunkhwa Police, Islamabad Police, and Punjab Safe Cities Authority (PSCA).

Full Take

The convergence of threat actors targeting multiple law enforcement entities within a single state suggests an aggregation strategy focused on maximizing intelligence yield from critical security infrastructure. The utilization of publicly accessible systems, specifically the Complaint Management System, as a vector for implant deployment demonstrates a strategic pivot: transforming public-facing administrative tools into malware delivery mechanisms. This action merges the operational environment of policing with the toolset required for sophisticated espionage against government and non-governmental entities.
The differentiation between threat clusters—Chinese nation-state links for PlugX/ShadowPad, India-nexus links for Remcos RAT, and broad extraterritorial reach via Cobalt Strike C2 traffic—reveals a complex, multi-layered operational structure rather than a monolithic attack. The presence of shared tooling across the Chinese-linked operations, coupled with the infiltration of civilian-facing systems by actors linked to other geopolitical interests, points toward an intelligence collection paradigm where law enforcement itself becomes a secondary target for information harvesting about internal security procedures and threat response capabilities.
The finding that this convergence signals high target value underscores the principle that infrastructure controlling internal security narratives is highly prized by adversaries. The subsequent exploitation of the CMS highlights how compromising systems that facilitate public accountability can be leveraged to extend operational reach, transforming a localized law enforcement breach into a broader intelligence operation concerning regional geopolitical dynamics. What remains to be interrogated are the specific decision-making thresholds within these adversary groups that trigger the synchronization across distinct malware families and actor affiliations.

Sentinel — Human

Confidence

The text reads like a high-level summary of a technical intelligence report, blending specific forensic findings with geopolitical pattern matching, which is consistent with specialized human analysis rather than pure machine generation.

Signals Detected
low severity: Moderate sentence length variance; reliance on technical nomenclature interspersed with narrative flow.
low severity: Logically structured progression from specific findings to broader geopolitical patterns; coherent, though dense.
low severity: Use of precise, attributed names (people, malware families, threat groups) suggests reliance on compiled reports, typical of specialized journalism.
medium severity: Specific technical details and attribution (IPs, malware names, dates) require external verification but are presented as factual findings from named researchers.
Human Indicators
The inclusion of a direct quote that shifts focus from raw data to interpretive analysis ('When multiple cyberespionage actors operate against law enforcement institutions...'), demonstrating synthesis beyond mere reporting.
The nuanced differentiation between threat clusters (PlugX/ShadowPad vs. Remcos) and their associated actor linkages suggests an analytical layering typical of human-driven investigation.