Skip to content
Chimera readability score 77 out of 100, Expert reading level.

New research from SentinelOne shows that cyberespionage groups linked to both China and India spent more than two years quietly breaking into Pakistani law enforcement networks, with Balochistan Police getting hit from both sides of the region’s rivalries.
According to the security firm’s SentinelLabs threat intelligence unit, the intrusions ran from February 2024 through April 2026 and targeted several Pakistani police organizations, with Balochistan Police absorbing the bulk of the activity. The attackers reached servers tied to biometric databases, criminal case files, personnel records, and citizen-facing systems.
The researchers grouped the intrusions into four clusters based on the malware and infrastructure involved: PlugX, ShadowPad, Cobalt Strike, and Remcos. They cautioned that clusters built on shared or commodity malware — unlike the Remcos activity, tied to a single tracked actor — may each involve more than one operator.
What stands out is the presence of China-linked cyberspies inside a police force belonging to one of Beijing’s closest regional partners. SentinelLabs frames the likely motive as self-interest.
Specifically, Chinese nationals working on Belt and Road projects in Pakistan have been repeatedly targeted in attacks tied to Baloch separatist militants, and Chinese officials have openly criticized Islamabad’s ability to protect them. Gaining direct access to Pakistani police data would allow Beijing to evaluate the threat on its own.
On the other hand, the India-linked activity aligns with a dispute that Islamabad and New Delhi have had for years. Pakistan has long accused India of backing Baloch militants, which India has denied, and New Delhi has its own interest in whatever Balochistan Police’s networks reveal about Islamabad’s handling of that insurgency.
The researchers also found malicious files disguised as software updates planted directly on Balochistan Police’s public Complaint Management System, the portal residents use to file and track complaints. The fake update prompt would have hit anyone using the site, including officers and ordinary citizens.
SentinelLabs linked the intrusion to a Chinese-speaking developer based on shared code patterns and artifacts found in related malware samples.
Related: RATs in the Machine: Inside a Pakistan-Linked Three-Pronged Cyber Assault on India
Related: Armored Likho APT Targeting Government, Electric Power Entities
Related: China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

Facts Only

* Intrusions occurred from February 2024 through April 2026.
* The targets included several Pakistani police organizations, with Balochistan Police absorbing the bulk of the activity.
* Intrusion activities reached servers containing biometric databases, criminal case files, personnel records, and citizen-facing systems.
* Four intrusion clusters were identified: PlugX, ShadowPad, Cobalt Strike, and Remcos.
* Chinese nationals working on Belt and Road projects in Pakistan were repeatedly targeted in attacks linked to Baloch separatist militants.
* Malicious files disguised as software updates were planted on the Balochistan Police Complaint Management System.
* The intrusion was linked via shared code patterns to a Chinese-speaking developer.

Executive Summary

Cyberespionage groups linked to China and India conducted intrusions targeting Pakistani law enforcement networks between February 2024 and April 2026, with Balochistan Police absorbing the majority of this activity. These intrusions accessed servers containing biometric databases, criminal case files, personnel records, and citizen-facing systems. The research identified four clusters of intrusions based on malware and infrastructure: PlugX, ShadowPad, Cobalt Strike, and Remcos. A key finding involved Chinese nationals working on Belt and Road projects in Pakistan being targeted, suggesting a potential motive related to Beijing's interest in Pakistani law enforcement data. Furthermore, malicious files disguised as software updates were planted on the Balochistan Police Complaint Management System, affecting both officers and citizens. The researchers noted that intrusions linked to shared or commodity malware may involve multiple operators, while activity tied to a single actor showed different patterns.

Full Take

The intersection of geopolitical rivalry and technical exploitation reveals a complex threat landscape driven by strategic self-interest rather than purely criminal gain. The targeting of Pakistani law enforcement infrastructure suggests an effort to gain intelligence that directly impacts the strategic interests of major regional powers, specifically Beijing and New Delhi, regarding the Baloch insurgency. This pattern highlights how state-level competition is weaponized through asymmetric cyber capabilities, blurring the lines between statecraft and criminality. The observation that Chinese nationals working on Belt and Road projects are specifically targeted suggests an effort to obtain operational intelligence directly relevant to Beijing's strategic goals within Pakistan, which functions as a proxy arena for regional influence. The presence of multiple malware clusters involving shared tooling implies a sophisticated, adaptable actor base rather than a monolithic group, suggesting broader state sponsorship or complex compartmentalization of responsibility. Furthermore, the method of deployment—using plausible front operations like disguised software updates on public systems—demonstrates an understanding of social engineering that targets both official and civilian trust simultaneously. This forces an examination of who bears the ultimate cost of these data breaches and how international accountability can be established when actions are framed as self-interested state competition.

Sentinel — Human

Confidence

The text reads like an analytical summary of specialized threat research, effectively weaving technical findings with complex geopolitical rivalries to establish potential motives for cyberespionage.

Signals Detected
low severity: Moderate sentence length variance; uses specific domain terminology effectively.
low severity: Strong narrative flow connecting disparate geopolitical threads, suggesting internal sourcing.
low severity: Clear delineation of evidence clusters (PlugX, ShadowPad, etc.) and linkage to specific geopolitical motivations.
low severity: Specific entity names (SentinelOne, SentinelLabs, Balochistan Police) and timeframes suggest real sourcing, despite the nature of the claims.
Human Indicators
The integration of specific malware clusters (PlugX, ShadowPad, Cobalt Strike) with named geopolitical actors demonstrates a level of contextual synthesis that is typical of expert threat intelligence reporting.
The framing avoids sweeping conclusions and relies on conditional language ('may each involve more than one operator'), which suggests an analytical filter rather than raw data dumping.
China, India-Linked Hackers Both Targeted Same Pakistani Police Force — Arc Codex