Cybersecurity researchers at SentinelOne Labs have disclosed details of a sustained, multi-actor cyberespionage campaign against Pakistani law enforcement spanning more than two years — featuring the rare convergence of China-nexus and India-nexus threat actors independently targeting the same victim infrastructure.
The findings, published July 9, 2026 by principal threat researcher Aleksandar Milenkoski, reveal that at least two distinct nation-state clusters compromised a public-facing police complaint portal and used it as a launchpad to deploy remote access trojans against both law enforcement personnel and civilian users of the portal.
One Target, Two Flags
The targeted organizations include:
- Balochistan Police (primary victim, compromised June 2, 2024 through April 9, 2026)
- Khyber Pakhtunkhwa Police
- Islamabad Police
- Punjab Safe Cities Authority (PSCA)
The compromised systems included network appliances, a FortiMail inbound email gateway, and web servers hosting a suite of sensitive law enforcement applications: a Complaint Management System (CMS), a First Information Report (FIR) system, a Criminal Records Management System (CRMS), a Human Resource Management Information System (HRMIS), an Anti-Vehicle Lifting System (AVLS), and HotelEye and Tenant Registration Systems.
China-Nexus Activity: PlugX, ShadowPad, and Cobalt Strike
The China-aligned cluster operated from February 2024 through December 2025, cycling through a toolkit of well-known Chinese state-associated malware families:
| Period | Malware | Notes |
|---|---|---|
| Feb–Sep 2024 | PlugX | Multiple C2 IPs in US-hosted ranges |
| Oct–Dec 2024 | Cobalt Strike | Broader South Asian victimology |
| Nov 2024 | ShadowPad | Successor to PlugX, commonly used by MSS-linked actors |
PDB paths recovered from samples contained Chinese-language pinyin terms, consistent with China-based development environments. SentinelOne noted the broader victimology — spanning South and Southeast Asian government, defense, NGO, and telecom targets — aligns with established Chinese APT patterns.
Suspected motive: China is believed to have independent intelligence requirements on Pakistani internal security dynamics following a series of deadly attacks against Chinese nationals working on China-Pakistan Economic Corridor (CPEC) infrastructure projects, perpetrated by the Balochistan Liberation Army (BLA). Attacks include the October 2024 Karachi airport attack and a March 2024 suicide bombing.
India-Nexus Activity: TAG-179 and Remcos RAT
The India-aligned cluster — tracked by SentinelOne as TAG-179 and overlapping with Mysterious Elephant (Kaspersky) and APT-C-08 / Bitter (Qihoo 360) — was active from January through April 2026. The group deployed Remcos RAT from a C2 at 89.31.121[.]220.
Decoy documents recovered from the campaign referenced Afghan Citizen Card repatriation operations targeting Pakistani interests, consistent with TAG-179's historical focus on Pakistani and Bangladeshi government targets.
Suspected motive: India's strategic rivalry with Pakistan and interest in gaining visibility into Baloch insurgency dynamics and Pakistani counterinsurgency operations. Pakistan has publicly accused India of supporting the BLA.
The Weaponized Portal: How Citizens Were Also Targeted
Both clusters abused the public-facing Complaint Management System (CMS) portal as a malware distribution point, uploading malicious files disguised as software updates. This approach targeted not just law enforcement personnel but also ordinary citizens submitting complaints through the portal.
The attack chain operated in two documented stages:
Stage 1 — Rust stager (cms_plugin.exe)
Displayed a convincing "Update Complete! Please refresh the page" message while silently downloading a second-stage payload from 193.42.25[.]65.
Stage 2 — .NET executable masquerading as 360Safe.exe
Impersonated the legitimate Qihoo 360 Total Security antivirus binary. Once executed, it reflectively loaded an AsyncRAT client establishing persistent C2 communication to 41.216.188[.]140.
Indicators of Compromise
PlugX C2: 172.111.233[.]36, 172.94.9[.]49, 45.74.6[.]17
ShadowPad C2: 45.125.32[.]218
Cobalt Strike C2: 142.171.183[.]8
Remcos RAT C2: 89.31.121[.]220
AsyncRAT C2: 41.216.188[.]140
Stage 1 payload delivery: 193.42.25[.]65
Broader Implications
The convergence of two rival nation-state actors on the same victim infrastructure illustrates how strategically valuable Pakistani law enforcement data has become. Both China and India have independent but complementary motivations for monitoring Balochistan security operations.
The use of a public-facing complaint portal as a malware distribution vector is particularly concerning: it extends the compromise surface beyond law enforcement personnel to any civilian who interacted with the portal, potentially exposing biometric records, citizen identity data, and device telemetry to hostile intelligence services.
The India-nexus TAG-179 campaign remained active as recently as April 2026, indicating ongoing operational interest.