China, India-Linked Hackers Hit Pakistani Police

Get the Geopolitics newsletter
Daily geopolitics — wars, elections, sanctions, the diplomatic moves that move markets. Free.
- SentinelOne SentinelLABS disclosed that China- and India-aligned threat actors conducted sustained cyber espionage against multiple Pakistani law enforcement organizations between February 2024 and April 2026, with researcher Aleksandar Milenkoski noting the convergence signals high target value.
- Balochistan Police suffered the deepest compromise — two network appliances, web servers tied to the Smart Police Station initiative, and a Fortinet FortiMail email gateway were breached between June 2, 2024, and April 9, 2026.
- The Complaint Management System (cms.balochistanpolice.gov[.]pk) was weaponized with two implants — a Rust stager and a .NET executable disguised as "360Safe.exe" — turning a citizen-facing portal into a malware delivery mechanism for both police staff and civilians.
- Four malware families were deployed: PlugX and ShadowPad (linked to China-nexus groups based on victimology spanning South, Southeast, and East Asia), Cobalt Strike (China-aligned based on C2 traffic to 142.171.183[.]8), and Remcos RAT (tied to India's Mysterious Elephant group, also known as APT-C-08).
- Other Pakistani agencies compromised include Khyber Pakhtunkhwa Police, Islamabad Police, and Punjab Safe Cities Authority, with attackers targeting servers hosting biometric records, criminal case files, hotel and tenant registrations, and personnel data.
- Attack lures included a decoy document purporting to contain an operational plan for repatriating Afghan Citizen Card holders, while broader victimology across the campaign chain reached Tibetan Buddhist organizations in Taiwan and government, telecom, and academic entities across multiple regions.
Why it matters: Pakistan's law enforcement databases hold biometric records, criminal files, and internal security intelligence — exactly the kind of cross-border intelligence asset that draws both a partner (China) and an adversary (India) to the same target. By injecting malware into a citizen-facing complaint portal, attackers weaponized a public accountability tool to reach both police and civilians, expanding the blast radius beyond the original network compromise.



