Researchers at SentinelOne Labs published findings on July 9, 2026, revealing that hacking groups linked to both China and India independently conducted espionage campaigns against Pakistani law enforcement — simultaneously, without apparent coordination, and targeting many of the same systems.
What Was Targeted
The primary target was the Balochistan Police, the force responsible for Pakistan's volatile southwestern province, which has been a hotspot for insurgency activity and recent deadly attacks on Chinese nationals. Secondary targets included the Khyber Pakhtunkhwa Police, the Islamabad Police, and the Punjab Safe Cities Authority.
Compromised data included:
- Criminal records and case files
- Biometric and fingerprint data
- Personnel records and HR files
- Hotel and tenant registration databases
- National identity records
- Citizen complaint submissions
China-Linked Actor TTP
The China-linked threat group exploited the Balochistan Police Complaint Management System (CMS), planting malicious files disguised as legitimate software updates. The payloads deployed:
- AsyncRAT — disguised as Qihoo 360 security software, a well-known Chinese antivirus product, likely chosen to evade suspicion
- A Rust-based loader that fetched additional payloads from remote infrastructure
SentinelOne assessed that China's interest is tied to protecting the safety of Chinese nationals working on Pakistan's China-Pakistan Economic Corridor (CPEC) infrastructure projects, following a string of deadly attacks in the region.
India-Linked Activity
The India-linked campaign was assessed as still active as of April 2026 at the time of discovery. Researchers attributed the activity to India's broader strategic rivalry with Pakistan and alleged Indian backing of elements connected to the Baloch insurgency.
The overlapping targeting of the same police databases by two separate nation-state actors demonstrates what security researchers sometimes call "watering hole convergence" — when geopolitically motivated actors independently identify the same high-value target.
Official Responses
- KPK Police denied that any core operational systems were breached but acknowledged a rise in attempted cyber activity coinciding with heightened India-Pakistan tensions
- The Chinese Embassy denied any involvement
- The Indian Embassy did not respond to requests for comment
Implications
The campaign highlights the increasing risk to law enforcement data in geopolitically sensitive regions. Biometric databases and criminal records held by police forces represent high-value intelligence targets — compromising them enables long-term tracking of individuals and provides adversaries with information about human networks.
Security teams operating in regions with CPEC projects or India-Pakistan flashpoints should audit access to law enforcement-adjacent systems and monitor for AsyncRAT indicators of compromise.