Balochistan Police Portal Compromised by Multiple Hacker Groups in Coordinated Espionage Campaign

0
8

Key Takeaways

  • Between February 2024 and April 2026, suspected China‑ and India‑aligned threat actors conducted a sustained cyber‑espionage campaign against multiple Pakistani law‑enforcement agencies.
  • The operation focused on network appliances and web servers that store sensitive data such as biometric records, criminal case files, personnel files, and hotel/tenant registrations linked to national identity documents.
  • A custom implant was deployed via the Complaint Management System (CMS) web application, masquerading as a portal update to infect both police staff and citizens who use the portal.
  • Four distinct malware families were observed—PlugX, ShadowPad, Cobalt Strike, and Remcos RAT—each forming a separate threat cluster with different attribution clues.
  • PlugX and ShadowPad activity aligns with known Chinese nation‑state groups, while the Remcos‑related intrusions share infrastructure and tactics with the India‑nexus group Mysterious Elephant (also tied to SideWinder, Confucius, and Bitter).
  • Lure documents posed as operational plans for the repatriation of illegal foreigners, including Afghan Citizen Card holders, to trick victims into executing malicious payloads.
  • Command‑and‑control traffic extended beyond Pakistani law‑enforcement to government, academic, telecom, and NGO targets across South, Southeast, Central, and East Asia, the Middle East, and South America, reinforcing a China‑aligned victimology pattern.
  • Technical analysis revealed two implant variants in the CMS: a Rust stager that downloads a second‑stage payload and a .NET executable disguised as Qihoo 360’s “360Safe.exe” that reflectively loads an AsyncRAT client.
  • The compromise of a public‑facing police portal turned a tool intended to improve transparency and accountability into a conduit for espionage, highlighting the high intelligence value of law‑enforcement data to both regional partners and adversaries.

Overview of the Espionage Campaign
From February 2024 through April 2026, cybersecurity researchers at SentinelOne SentinelLABS uncovered a prolonged espionage operation targeting several Pakistani law‑enforcement organizations. The activity is attributed to suspected threat actors with ties to both China and India, reflecting a convergence of interests in Pakistan’s internal security apparatus. The campaign persisted for over two years, indicating a deliberate and resourced effort to harvest intelligence from institutions that manage criminal investigations, biometric identification, and public‑safety data.

Compromised Assets in Balochistan Police
The primary focus of the reporting was the Balochistan Police, where attackers gained control of critical infrastructure. Compromised assets included two network appliances, web servers hosting multiple Balochistan Police web applications tied to the Smart Police Station digitalization initiative, and a Fortinet FortiMail appliance serving as the agency’s primary inbound email gateway. These systems collectively stored and processed biometric records, criminal case files, personnel data, and hotel/tenant registrations linked to national identity cards, providing a rich trove of strategic information.

Exploitation of the Complaint Management System
A notable facet of the intrusion was the compromise of the Complaint Management System (CMS) web application, accessible at cms.balochistanpolice.gov[.]pk. The CMS is used by both police officers and citizens to register, track, and resolve complaints, making it a high‑traffic portal. Threat actors uploaded two distinct variants of an implant named cms_plugin.exe to the site. One variant is a Rust‑based stager designed to download and execute a secondary payload from the IP address 193.42.25[.]65, displaying a deceptive “Update Complete! Please refresh the page” message upon execution. The second variant is a .NET executable masquerading as the legitimate Qihoo 360 Total Security binary “360Safe.exe,” which reflectively loads an assembly implementing an AsyncRAT client. By hiding malicious code behind a purported portal update, the attackers turned a transparency tool into a malware distribution channel.

Extension to Other Pakistani Law Enforcement Entities
Beyond Balochistan Police, SentinelOne identified compromised infrastructure linked to the Khyber Pakhtunkhwa Police, the Islamabad Police, and the Punjab Safe Cities Authority (PSCA). These entities also operate web‑based applications that manage similar categories of sensitive data, suggesting a broad, coordinated effort to infiltrate Pakistan’s law‑enforcement ecosystem at multiple jurisdictional levels. The uniformity of targeting across these agencies points to a strategic interest in aggregating nationwide security intelligence rather than isolated, opportunistic breaches.

Malware Families and Threat Clusters
The campaign employed four distinct malware families, each constituting a separate threat cluster: PlugX, ShadowPad, Cobalt Strike, and Remcos RAT. PlugX and ShadowPad are closely related, with ShadowPad regarded as a successor to PlugX; both are historically associated with Chinese nation‑state hacking groups. Cobalt Strike, a legitimate penetration‑testing tool often abused by adversaries, was observed in a cluster whose command‑and‑control (C2) infrastructure reached beyond Pakistani law‑enforcement to a wider set of targets. Remcos RAT, a commercial remote‑access trojan, formed the fourth cluster and showed tactical overlaps with an India‑nexus actor group.

Links to China‑Aligned Actors and Broader Victimology
Analysis of the PlugX and ShadowPad activity reinforced their attribution to China‑aligned actors. The observed victimology for these clusters—spanning government, foreign affairs, defense, NGO, and research entities across South, Southeast, Central, and East Asia, the Arabian Peninsula, and Southeast Europe—matches known collection priorities of Chinese cyber‑espionage operations. Notably, the Cobalt Strike C2 server at IP 142.171.183[.]8 communicated with targets such as Tibetan Buddhist organizations in Taiwan, which have long been subjected to Chinese‑directed cyber surveillance, further bolstering the China‑nexus assessment.

India‑Nexus Remcos Activity and Associated Groups
The Remcos‑related intrusion set displayed infrastructure and tactical similarities with the hacking group known as Mysterious Elephant (also tracked as APT‑C‑08, APT‑K‑47, and TAG‑179). Mysterious Elephant shares characteristics with other India‑aligned threat actors such as SideWinder, Confucius, and Bitter. This linkage suggests that the Remcos component of the campaign may be driven by an India‑nexus actor seeking intelligence on Pakistani law‑enforcement capabilities, possibly to counterbalance regional security dynamics.

Infrastructure, Lures, and Command‑and‑Control Patterns
Attack chains frequently employed decoy documents purporting to contain operational plans for the repatriation of illegal foreigners, including Afghan Citizen Card (ACC) holders. These lures were designed to entice recipients into opening malicious attachments or clicking links that delivered the implant payloads. The C2 infrastructure exhibited a broad reach: traffic to the attacker‑controlled servers extended to government, academic, telecommunications, and NGO entities across South, East, and Southeast Asia, the Middle East, and South America. Such a geographic spread aligns with the typical victimology of China‑aligned espionage campaigns, which often harvest data from multiple sectors to build a comprehensive intelligence picture.

Specific Timeline and Asset Compromise in Balochistan Police (June 2024‑April 2026)
Detailed forensic timelines revealed that the compromise of Balochistan Police assets occurred between June 2, 2024, and April 9, 2026. During this window, the attackers maintained persistent access to two network appliances, the web servers supporting the Smart Police Station applications, and the Fortinet FortiMail email gateway. The prolonged presence allowed the exfiltration of biometric databases, criminal records, and internal communications, underscoring the campaign’s focus on sustained intelligence gathering rather than hit‑and‑run tactics.

Technical Details of the CMS Implants
The two CMS implant variants exhibited distinct technical characteristics. The Rust stager functioned as a lightweight downloader, retrieving an unspecified second‑stage payload from the external IP 193.42.25[.]65 and executing it in memory, thereby reducing forensic footprints. Its user‑facing message mimicked a legitimate portal update, increasing the likelihood of user interaction. The .NET variant, by impersonating “360Safe.exe,” leveraged trust in a well‑known security product to bypass heuristic defenses; once executed, it reflectively loaded an AsyncRAT client, granting the attacker remote shell capabilities, keystroke logging, and file‑system access on infected machines.

Strategic Implications and Geopolitical Motivation
The convergence of a suspected China‑aligned actor and an India‑aligned actor on the same Pakistani law‑enforcement target underscores the strategic value of the compromised data. Law‑enforcement repositories contain a state’s internal security picture—details on threats, investigative capabilities, and operational responses—making them prized intelligence assets for both regional partners seeking cooperation and adversaries aiming to anticipate or counteract Pakistan’s security posture. By compromising a public‑facing portal designed to improve transparency and accountability, the threat actors not only harvested data but also undermined public trust in digital governance, illustrating how cyber‑espionage can simultaneously serve strategic intelligence goals and exert psychological pressure.

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here