Digital representation of a police badge with cyber threat indicators, symbolizing the cyber attack on Balochistan Police.
Uncategorized

Cyber Espionage Storms Pakistan: Balochistan Police Portal Weaponized by State-Backed Hackers

Share
Share
Pinterest Hidden

A sophisticated and prolonged cyber espionage campaign has targeted multiple Pakistani law enforcement agencies, with the Balochistan Police portal being weaponized by suspected state-aligned threat actors from both China and India. Cybersecurity researchers at SentinelOne SentinelLABS have unveiled the intricate details of this activity, which spanned from February 2024 to April 2026, highlighting a concerning convergence of geopolitical interests in the digital realm.

Deep Compromise: Balochistan Police at the Epicenter

The investigation revealed that the Balochistan Police suffered significant breaches, with compromised assets including servers that manage critical police and citizen data. This sensitive information encompasses criminal records, biometric data, hotel and tenant registrations linked to national identity, criminal case files, and personnel records. Aleksandar Milenkoski, principal threat researcher at SentinelOne SentinelLABS, emphasized the gravity of the situation, stating, “At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and biometric records.”

Weaponizing Trust: The Complaint Management System Exploit

A key vector for the attacks was the Complaint Management System (CMS) — an application designed to serve both police staff and citizens. A China-nexus threat actor exploited this system, deploying a custom implant disguised as a routine portal update. This allowed attackers to infiltrate the network, effectively turning a tool meant for public service into a conduit for espionage.

Wider Net: Other Law Enforcement Agencies Targeted

The cyber onslaught wasn’t confined to Balochistan. SentinelOne’s findings indicate compromised infrastructure across several other Pakistani law enforcement organizations, including the Khyber Pakhtunkhwa Police, the Islamabad Police, and the Punjab Safe Cities Authority (PSCA). This broad targeting underscores the strategic importance of intelligence gathering from these institutions.

A Nexus of Threats: Multiple Malware Families and Actors

The research identified four distinct threat clusters, each employing a unique malware family, pointing to a multi-faceted and potentially collaborative or overlapping espionage landscape:

  • PlugX & ShadowPad: These malware families, with ShadowPad often considered a successor to PlugX, are traditionally linked to Chinese nation-state hacking groups. Their observed victimology, extending beyond Pakistani law enforcement to government, foreign affairs, defense, and research entities across South, Southeast, Central, and East Asia, the Arabian Peninsula, and Southeast Europe, strongly aligns with China-aligned intelligence collection objectives.
  • Remcos RAT: The use of Remcos RAT has been attributed to an India-nexus threat actor. This intrusion set exhibits infrastructure and tactical overlaps with the notorious hacking group Mysterious Elephant (also known as APT-C-08, APT-K-47, and TAG-179), which itself shares commonalities with other India-nexus adversaries like SideWinder, Confucius, and Bitter.
  • Cobalt Strike: This versatile penetration testing tool, often repurposed by state-sponsored groups, was also deployed. Its activity cluster shows ties to China-nexus actors, with traffic to attacker-controlled command-and-control (C2) servers extending to a broad range of entities across South, East, and Southeast Asia, the Middle East, and South America. Notably, Tibetan Buddhist organizations in Taiwan, long a target of Chinese cyber espionage, were also among the victims.

Deceptive Lures: Exploiting Current Events

Attack chains frequently employed lures crafted to appear relevant to Pakistani law enforcement operations. Decoy documents, purporting to detail an operational plan for the repatriation of illegal foreigners, including Afghan Citizen Card (ACC) holders, were used to trick targets into executing malicious payloads.

The Mechanics of Compromise: A Deeper Dive

Further analysis of the Balochistan Police breach revealed the compromise of specific assets between June 2, 2024, and April 9, 2026:

  • Two network appliances.
  • Web servers hosting several Balochistan Police web applications vital to the Smart Police Station digitalization initiative.
  • A Fortinet FortiMail appliance, which served as the agency’s primary inbound email gateway.

The Complaint Management System (cms.balochistanpolice.gov[.]pk) was specifically infected with two distinct variants of an implant named “cms_plugin.exe”:

  • A Rust stager designed to download and execute an additional, unknown payload from 193.42.25[.]65. This stager displayed a deceptive “Update Complete! Please refresh the page” message to mimic a legitimate update.
  • A .NET executable masquerading as “360Safe.exe” (a legitimate Qihoo 360 Total Security binary) to reflectively load an AsyncRAT client.

Geopolitical Chessboard: Why Pakistan?

The simultaneous targeting of Pakistani law enforcement by actors aligned with both China (a partner) and India (an adversary) highlights the nation’s critical geopolitical position. “When multiple cyberespionage actors operate against law enforcement institutions of a single state, the convergence itself is a signal of target value,” explained Milenkoski. The sensitive nature of police and citizen data makes these organizations prime targets for intelligence gathering, likely fueled by complex regional dynamics and strategic interests.

This ongoing cyber warfare underscores the urgent need for robust cybersecurity defenses within critical national infrastructure, especially in regions caught in the crosshairs of global and regional power plays.


For more details, visit our website.

Source: Link

Share

Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *