Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1845+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns
Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns
NEWS

Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns

SentinelOne researchers have uncovered two years of sustained cyberespionage against Pakistani law enforcement — with China-nexus and India-nexus threat actors independently targeting the same infrastructure using PlugX, ShadowPad, and Remcos RAT.

Dylan H.

News Desk

July 11, 2026
4 min read

Cybersecurity researchers at SentinelOne Labs have disclosed details of a sustained, multi-actor cyberespionage campaign against Pakistani law enforcement spanning more than two years — featuring the rare convergence of China-nexus and India-nexus threat actors independently targeting the same victim infrastructure.

The findings, published July 9, 2026 by principal threat researcher Aleksandar Milenkoski, reveal that at least two distinct nation-state clusters compromised a public-facing police complaint portal and used it as a launchpad to deploy remote access trojans against both law enforcement personnel and civilian users of the portal.

One Target, Two Flags

The targeted organizations include:

  • Balochistan Police (primary victim, compromised June 2, 2024 through April 9, 2026)
  • Khyber Pakhtunkhwa Police
  • Islamabad Police
  • Punjab Safe Cities Authority (PSCA)

The compromised systems included network appliances, a FortiMail inbound email gateway, and web servers hosting a suite of sensitive law enforcement applications: a Complaint Management System (CMS), a First Information Report (FIR) system, a Criminal Records Management System (CRMS), a Human Resource Management Information System (HRMIS), an Anti-Vehicle Lifting System (AVLS), and HotelEye and Tenant Registration Systems.

China-Nexus Activity: PlugX, ShadowPad, and Cobalt Strike

The China-aligned cluster operated from February 2024 through December 2025, cycling through a toolkit of well-known Chinese state-associated malware families:

PeriodMalwareNotes
Feb–Sep 2024PlugXMultiple C2 IPs in US-hosted ranges
Oct–Dec 2024Cobalt StrikeBroader South Asian victimology
Nov 2024ShadowPadSuccessor to PlugX, commonly used by MSS-linked actors

PDB paths recovered from samples contained Chinese-language pinyin terms, consistent with China-based development environments. SentinelOne noted the broader victimology — spanning South and Southeast Asian government, defense, NGO, and telecom targets — aligns with established Chinese APT patterns.

Suspected motive: China is believed to have independent intelligence requirements on Pakistani internal security dynamics following a series of deadly attacks against Chinese nationals working on China-Pakistan Economic Corridor (CPEC) infrastructure projects, perpetrated by the Balochistan Liberation Army (BLA). Attacks include the October 2024 Karachi airport attack and a March 2024 suicide bombing.

India-Nexus Activity: TAG-179 and Remcos RAT

The India-aligned cluster — tracked by SentinelOne as TAG-179 and overlapping with Mysterious Elephant (Kaspersky) and APT-C-08 / Bitter (Qihoo 360) — was active from January through April 2026. The group deployed Remcos RAT from a C2 at 89.31.121[.]220.

Decoy documents recovered from the campaign referenced Afghan Citizen Card repatriation operations targeting Pakistani interests, consistent with TAG-179's historical focus on Pakistani and Bangladeshi government targets.

Suspected motive: India's strategic rivalry with Pakistan and interest in gaining visibility into Baloch insurgency dynamics and Pakistani counterinsurgency operations. Pakistan has publicly accused India of supporting the BLA.

The Weaponized Portal: How Citizens Were Also Targeted

Both clusters abused the public-facing Complaint Management System (CMS) portal as a malware distribution point, uploading malicious files disguised as software updates. This approach targeted not just law enforcement personnel but also ordinary citizens submitting complaints through the portal.

The attack chain operated in two documented stages:

Stage 1 — Rust stager (cms_plugin.exe)
Displayed a convincing "Update Complete! Please refresh the page" message while silently downloading a second-stage payload from 193.42.25[.]65.

Stage 2 — .NET executable masquerading as 360Safe.exe
Impersonated the legitimate Qihoo 360 Total Security antivirus binary. Once executed, it reflectively loaded an AsyncRAT client establishing persistent C2 communication to 41.216.188[.]140.

Indicators of Compromise

PlugX C2: 172.111.233[.]36, 172.94.9[.]49, 45.74.6[.]17
ShadowPad C2: 45.125.32[.]218
Cobalt Strike C2: 142.171.183[.]8
Remcos RAT C2: 89.31.121[.]220
AsyncRAT C2: 41.216.188[.]140
Stage 1 payload delivery: 193.42.25[.]65

Broader Implications

The convergence of two rival nation-state actors on the same victim infrastructure illustrates how strategically valuable Pakistani law enforcement data has become. Both China and India have independent but complementary motivations for monitoring Balochistan security operations.

The use of a public-facing complaint portal as a malware distribution vector is particularly concerning: it extends the compromise surface beyond law enforcement personnel to any civilian who interacted with the portal, potentially exposing biometric records, citizen identity data, and device telemetry to hostile intelligence services.

The India-nexus TAG-179 campaign remained active as recently as April 2026, indicating ongoing operational interest.

References

  • SentinelOne Labs — One Target, Two Flags
  • The Hacker News — Hackers Weaponize Balochistan Police Portal
  • The Record — China and India Ran Separate Spy Campaigns Against Same Police Force
#China#Threat Intelligence#Nation-State#APT#Pakistan#PlugX#ShadowPad#Remcos RAT#TAG-179#The Hacker News

Related Articles

China and India-Linked Hackers Both Targeted the Same Pakistani Police Force

SentinelOne researchers discovered that threat actors linked to both China and India independently targeted the Balochistan Police force in Pakistan for at least two years, illustrating how rival intelligence services can converge on the same target without coordination.

3 min read

Google Exposes China Espionage Group UNC6508 Lurking in Networks Since 2023

Google's Threat Intelligence Group has unmasked UNC6508, a China-linked espionage actor that silently maintained access to critical infrastructure and...

5 min read

China-Aligned Groups Ramp Up Attacks: Operation Dragon Weave Hits Czech Republic and Taiwan

Security researchers at Seqrite Labs have uncovered Operation Dragon Weave, a new China-aligned cyber espionage campaign targeting government, research…

6 min read
Back to all News