Chinese and Indian State-Linked Hackers Target Pakistani Police Networks in Multi-Year Cyber Espionage Campaign

Chinese and Indian State-Linked Hackers Target Pakistani Police Networks in Multi-Year Cyber Espionage Campaign

Suspected state-linked hackers from China and India separately targeted Pakistani police networks between 2024 and 2026, infiltrating Balochistan Police systems, planting malware in a citizen complaint portal, and accessing critical digital infrastructure, according to a SentinelLABS cybersecurity investigation.

Suspected state-linked hackers from China and India separately infiltrated the networks of the same Pakistani police force over a period of more than two years, with one campaign reportedly planting malware inside a public-facing portal used by citizens to submit complaints against police, according to a report released by cybersecurity firm SentinelLABS.

SentinelLABS tracked four separate cyber espionage campaigns targeting Pakistani law enforcement agencies between February 2024 and April 2026. All four campaigns reached Balochistan Police, the law enforcement force responsible for Pakistan’s largest province by area and a region affected by a long-running separatist insurgency.

The attacks also targeted three other agencies, including Khyber Pakhtunkhwa Police, Islamabad Police, and the Punjab Safe Cities Authority, an autonomous organisation operating command, control, and communication systems for police departments in major cities across Punjab.

Researchers stated that the overlap between multiple cyber espionage operations targeting the same law enforcement network represents a significant indicator of the strategic value of the target. The report noted that when several intelligence-gathering groups linked to different states focus on one country’s police infrastructure, the convergence itself highlights the importance of the information available within those systems.

Read More Maharashtra FDA Issues Public Warning Against Three Cosmetic Products After Dangerous Mercury and Lead Levels Detected

The intrusions reached four different layers of Balochistan Police’s digital infrastructure, although researchers said the certainty of findings decreased as the attackers moved deeper into the network.

Read More IMD Issues Multi-State Weather Alert as Active Monsoon Triggers Heavy Rain, Thunderstorms and Strong Winds Across India

At the outermost level, hackers established confirmed contact with two network appliances and an email gateway, a system responsible for filtering and routing incoming and outgoing electronic communications. Although the email gateway was no longer the primary system receiving incoming messages at the time of the intrusion, it remained connected and may have continued handling internal or outgoing email traffic.

Read More Modi Receives Grand Melbourne Welcome After Landmark India-Australia Agreements

At a deeper level, attackers accessed servers hosting seven applications developed under a European Union-supported programme designed to digitise policing operations in Balochistan. These systems included personnel records, stolen vehicle tracking, hotel guest registration linked with national identity records, fingerprint-based criminal records, landlord and tenant registration, case filing systems known as First Information Reports, and a citizen complaint platform.

For six of the seven applications, excluding the citizen complaint system, SentinelLABS found evidence only of server access. The researchers said that access could have exposed sensitive information, including police personnel files, criminal case records, biometric information, stolen vehicle databases, hotel registrations, and tenant records. Together, these systems could have provided extensive visibility into the operations, capabilities, and intelligence holdings of Balochistan Police. However, researchers found no confirmed evidence that the information was accessed or removed.

The most advanced compromise occurred within the Complaint Management System, a separate platform from the First Information Report system that allows citizens to register complaints ranging from criminal incidents and lost documents to allegations against police personnel.

Hackers obtained write access to a live folder within the complaint portal and uploaded two malware files disguised as routine software updates. One of the files displayed the message, “Update Complete! Please refresh the page,” after execution, imitating the appearance of a legitimate portal update.

The malware was designed to infect anyone accessing the portal, including police employees and citizens submitting complaints. Researchers said the implants could have provided attackers with a pathway into police networks through infected staff devices or allowed compromise of citizens’ devices after they interacted with the complaint system.

Separately, stolen login credentials for the staff-side interface of the portal were discovered in infostealer logs, collections of stolen passwords gathered by malware-infected devices and later sold or leaked through underground cybercrime networks. The credentials followed a consistent naming pattern based on police stations, indicating which personnel used the system, although researchers found no direct connection between those credentials and the malware deployment.

SentinelLABS described the complaint system intrusion as the deepest confirmed access achieved across the four campaigns. However, researchers were unable to determine the final objective of one malware component. One of the files was identified as a stager, a small first-stage programme written in the Rust programming language that downloads a second-stage payload containing the actual malicious software. Researchers were unable to retrieve the next stage during analysis, and no confirmed case of infection or data theft was documented.

The investigation was based on analysis of command-and-control traffic, which records communication between compromised systems and remote servers controlled by attackers. While the data identified infrastructure that interacted with Pakistani police networks and the timing of those interactions, linking the activity to specific groups relied on evidence of varying confidence levels.

Researchers identified malware families including PlugX and ShadowPad, which are backdoors designed to provide attackers with persistent hidden access to infected systems. These tools have been associated with multiple suspected China-linked groups. The presence of such malware indicated a connection to a broader China-linked cyber espionage ecosystem rather than a single confirmed operator.

Several malware samples contained Chinese words written in Roman characters, while one included simplified Chinese language log messages. Researchers said these indicators pointed toward a Chinese-speaking developer involved in creating the tools.

SentinelLABS also compared its findings with research from other cybersecurity companies, which often track similar operations under different names, to determine whether separate investigations were identifying the same threat actors.

The cybersecurity firm did not publicly identify specific hacking groups but classified the operations into four clusters based on malware families and assessed their possible state affiliations with different confidence levels.

Three clusters involving PlugX, ShadowPad, and Cobalt Strike were assessed as China-linked. While PlugX and ShadowPad findings were mainly based on malware characteristics, the Cobalt Strike assessment was more complex. Cobalt Strike is a legitimate commercial security testing tool originally created for organisations to evaluate their own defences but is frequently misused by malicious actors.

The Cobalt Strike-linked campaign, which included the Complaint Management System breach, was assigned a medium-confidence assessment. Researchers cited previous targeting patterns, including attacks against Tibetan Buddhist organisations in Taiwan, which have historically been targeted by Chinese cyber espionage operations. One of the cluster’s command servers had previously communicated with such targets.

However, the server linked directly to the Balochistan Police complaint system communicated only with Balochistan Police. Researchers said the attribution was based on the server’s connection to the wider cluster and developer-related indicators rather than direct evidence from previous Tibet-related activity.

The fourth cluster, involving Remcos malware, was assessed as India-linked and associated with a group tracked by cybersecurity company Recorded Future as TAG-179. SentinelLABS said the group’s methods showed varying levels of overlap with groups identified by other security firms, including Kaspersky’s Mysterious Elephant and Qihoo 360’s APT-C-08, also known as Bitter. Researchers said the similarities represented partial overlap rather than confirmation that all three names referred to the same group.

Researchers identified several possible reasons why Balochistan Police became a target for multiple cyber operations. For China-linked activity, SentinelLABS highlighted concerns over the security of Chinese citizens involved in Belt and Road Initiative projects, particularly the China-Pakistan Economic Corridor.

The report referred to previous attacks against Chinese nationals in Pakistan, including the October 2024 bombing at Karachi airport and a March 2024 suicide bombing in northwestern Pakistan. It noted that China’s ambassador to Pakistan described attacks against Chinese citizens as unacceptable and warned that security challenges remained a major obstacle to China-Pakistan economic cooperation.

For the India-linked campaign, researchers pointed to the strategic importance of Balochistan’s security environment. Pakistan has previously accused India of supporting separatist groups operating in the province, a claim India denies. The report stated that Islamabad has not publicly substantiated these allegations.

Reuters reported that the Indian embassy in Washington and Balochistan Police authorities did not respond to requests for comments regarding the SentinelLABS findings.

Several key questions remain unanswered, including the final payload intended to be delivered by the Rust-based malware stager. Researchers also stated that the suspected India-linked campaign remained active as of April 2026, the latest period covered in the report.

A January 2026 agreement between Chinese and Pakistani security officials to expand counterterrorism cooperation did not publicly mention the cyber intrusions identified in the SentinelLABS investigation.

The findings reveal the growing strategic importance of law enforcement networks as targets for international cyber espionage campaigns. The infiltration attempts against Balochistan Police demonstrate how police databases, citizen service platforms, and operational systems have become valuable intelligence targets for state-linked cyber actors seeking access to sensitive security information.

Tags:

About The Author

Post Comment

Comment List

Latest News

Live Cricket Score

Advertisement

Science & Tech

Kia India Launches New Top-Spec Seltos GTX (O) and X-Line (O) Variants with Advanced ADAS F+ Technology Kia India Launches New Top-Spec Seltos GTX (O) and X-Line (O) Variants with Advanced ADAS F+ Technology
Kia India has introduced the new top-spec Seltos GTX (O) and X-Line (O) variants at a starting price of Rs...
Skoda Auto India Set to Launch Limited-Edition Kodiaq RS in Early July; First Batch Already Sold Out

Health

Coffee-Based Home Remedies Gain Ground as Dermatologists Highlight Natural Skincare Benefits Coffee-Based Home Remedies Gain Ground as Dermatologists Highlight Natural Skincare Benefits
A growing number of dermatologists are endorsing coffee-based home remedies as natural, affordable alternatives to commercial skincare. From face scrubs...
Moringa’s Rise as a Global Superfood Gains Momentum Amid New Research

Lifestyle

 Food Pharmer Sparks Nationwide Debate Over Cheeslings Ingredients, Raises Questions on Food Safety Standards Food Pharmer Sparks Nationwide Debate Over Cheeslings Ingredients, Raises Questions on Food Safety Standards
Food influencer Revant Himatsingka, known as Food Pharmer, has sparked nationwide debate after revealing Cheeslings’ low cheese content and high...
From Gym Floor to City Streets: The Unexpected Revival of the Lopifit Treadmill-Bike
crossorigin="anonymous">