Cyber Espionage Campaign Targets Pakistani Law Enforcement, Compromising Critical Data from Balochistan Police and Others

Cyber Espionage Campaign Targets Pakistani Law Enforcement, Compromising Critical Data from Balochistan Police and Others

Cybersecurity researchers have revealed a significant cyber espionage campaign aimed at multiple law enforcement agencies in Pakistan, attributed to threat actors believed to be associated with China and India. This extensive operation, which occurred between February 2024 and April 2026, raises serious concerns regarding the security of sensitive governmental data and its implications for national security.

Targeting Law Enforcement Infrastructure

The Balochistan Police were particularly impacted, with critical assets compromised, including servers that manage essential web applications for police and citizen data, such as criminal and biometric records. Aleksandar Milenkoski, principal threat researcher at SentinelOne, emphasized the severity of the breach, noting that attackers gained access to infrastructure handling sensitive information related to criminal case files and personnel records.

The attackers exploited vulnerabilities in network appliances and servers, specifically targeting web applications that manage biometric records and national identity-linked registrations. One of the compromised applications, the Complaint Management System (CMS), serves both police personnel and citizens, effectively placing both user groups at risk.

SentinelOne’s analysis indicated that several other Pakistani law enforcement organizations, including the Khyber Pakhtunkhwa Police, Islamabad Police, and the Punjab Safe Cities Authority (PSCA), were also victims of this coordinated attack.

Diverse Malware Deployment

The investigation uncovered four distinct threat clusters, each utilizing different malware families: PlugX, ShadowPad, Cobalt Strike, and Remcos RAT. The Remcos RAT has been linked to a threat actor aligned with India, while the other malware families are associated with Chinese nation-state hacking groups. The deployment of PlugX and ShadowPad, the latter being a successor to PlugX, is particularly alarming due to their history of use in sophisticated cyber espionage operations.

SentinelOne noted that the victimology related to PlugX and ShadowPad extends beyond Pakistani law enforcement, affecting various entities across South, Southeast, Central, and East Asia, as well as the Arabian Peninsula and Southeast Europe. This pattern aligns with the intelligence-gathering objectives of China-aligned threat actors.

Implications for Regional Security

The Remcos-related intrusion set shares infrastructure and tactics with a group known as Mysterious Elephant, which has ties to other India-aligned adversaries. This overlap highlights the geopolitical dimensions of the cyber threats confronting Pakistan, as both allied and adversarial nations appear to be targeting the same institutions for intelligence purposes.

The attack chains employed by the hackers utilized lures related to Pakistani law enforcement, including decoy documents that purportedly outline operational plans for the repatriation of illegal foreigners, such as Afghan Citizen Card holders. This tactic not only showcases the attackers’ sophistication but also underscores the potential for misinformation and further destabilization within the region.

Compromised Assets and Malware Delivery Mechanisms

Further examination of the compromised assets belonging to the Balochistan Police revealed that between June 2, 2024, and April 9, 2026, two network appliances, web servers linked to the Smart Police Station digitalization initiative, and a Fortinet FortiMail appliance were breached. One of the infected applications, the CMS, plays a critical role in registering and resolving citizen complaints.

Two variants of an implant named “cms_plugin.exe” were discovered on the CMS platform. One variant is a Rust stager designed to download additional payloads, while the other disguises itself as a legitimate executable used by Qihoo 360 Total Security, enabling the attackers to implement an AsyncRAT client.

The implications of these breaches are significant. The convergence of multiple cyber espionage actors targeting a single institution indicates the high value placed on the data held by law enforcement agencies. Milenkoski pointed out that such institutions possess vital intelligence regarding internal security and threats, making them prime targets for foreign adversaries.

As reported by cyberwarriorsmiddleeast.com, the exploitation of the Complaint Management System by cyber adversaries not only jeopardizes the integrity of law enforcement operations in Pakistan but also transforms a tool intended to enhance public accountability into a vehicle for malware distribution.

Explore the latest digital editions of FAME Delivered in the Magazine section: https://famedelivered.com/magazine/

Published on 2026-07-12 05:12:00 • By FAME Delivered News Desk

Cyber Espionage Campaign Targets Pakistani Law Enforcement, Compromising Critical Data from Balochistan Police and Others

Cyber Espionage Campaign Targets Pakistani Law Enforcement, Compromising Critical Data from Balochistan Police and Others

Cybersecurity researchers have revealed a significant cyber espionage campaign aimed at multiple law enforcement agencies in Pakistan, attributed to threat actors believed to be associated with China and India. This extensive operation, which occurred between February 2024 and April 2026, raises serious concerns regarding the security of sensitive governmental data and its implications for national security.

Targeting Law Enforcement Infrastructure

The Balochistan Police were particularly impacted, with critical assets compromised, including servers that manage essential web applications for police and citizen data, such as criminal and biometric records. Aleksandar Milenkoski, principal threat researcher at SentinelOne, emphasized the severity of the breach, noting that attackers gained access to infrastructure handling sensitive information related to criminal case files and personnel records.

The attackers exploited vulnerabilities in network appliances and servers, specifically targeting web applications that manage biometric records and national identity-linked registrations. One of the compromised applications, the Complaint Management System (CMS), serves both police personnel and citizens, effectively placing both user groups at risk.

SentinelOne’s analysis indicated that several other Pakistani law enforcement organizations, including the Khyber Pakhtunkhwa Police, Islamabad Police, and the Punjab Safe Cities Authority (PSCA), were also victims of this coordinated attack.

Diverse Malware Deployment

The investigation uncovered four distinct threat clusters, each utilizing different malware families: PlugX, ShadowPad, Cobalt Strike, and Remcos RAT. The Remcos RAT has been linked to a threat actor aligned with India, while the other malware families are associated with Chinese nation-state hacking groups. The deployment of PlugX and ShadowPad, the latter being a successor to PlugX, is particularly alarming due to their history of use in sophisticated cyber espionage operations.

SentinelOne noted that the victimology related to PlugX and ShadowPad extends beyond Pakistani law enforcement, affecting various entities across South, Southeast, Central, and East Asia, as well as the Arabian Peninsula and Southeast Europe. This pattern aligns with the intelligence-gathering objectives of China-aligned threat actors.

Implications for Regional Security

The Remcos-related intrusion set shares infrastructure and tactics with a group known as Mysterious Elephant, which has ties to other India-aligned adversaries. This overlap highlights the geopolitical dimensions of the cyber threats confronting Pakistan, as both allied and adversarial nations appear to be targeting the same institutions for intelligence purposes.

The attack chains employed by the hackers utilized lures related to Pakistani law enforcement, including decoy documents that purportedly outline operational plans for the repatriation of illegal foreigners, such as Afghan Citizen Card holders. This tactic not only showcases the attackers’ sophistication but also underscores the potential for misinformation and further destabilization within the region.

Compromised Assets and Malware Delivery Mechanisms

Further examination of the compromised assets belonging to the Balochistan Police revealed that between June 2, 2024, and April 9, 2026, two network appliances, web servers linked to the Smart Police Station digitalization initiative, and a Fortinet FortiMail appliance were breached. One of the infected applications, the CMS, plays a critical role in registering and resolving citizen complaints.

Two variants of an implant named “cms_plugin.exe” were discovered on the CMS platform. One variant is a Rust stager designed to download additional payloads, while the other disguises itself as a legitimate executable used by Qihoo 360 Total Security, enabling the attackers to implement an AsyncRAT client.

The implications of these breaches are significant. The convergence of multiple cyber espionage actors targeting a single institution indicates the high value placed on the data held by law enforcement agencies. Milenkoski pointed out that such institutions possess vital intelligence regarding internal security and threats, making them prime targets for foreign adversaries.

As reported by cyberwarriorsmiddleeast.com, the exploitation of the Complaint Management System by cyber adversaries not only jeopardizes the integrity of law enforcement operations in Pakistan but also transforms a tool intended to enhance public accountability into a vehicle for malware distribution.

Explore the latest digital editions of FAME Delivered in the Magazine section: https://famedelivered.com/magazine/

Published on 2026-07-12 05:12:00 • By FAME Delivered News Desk

Latest Posts

Latest Posts

Don't Miss

Subscribe

To be updated with all the latest news, offers and special announcements.