---Advertisement---

China India Aligned Hackers Weaponize Balochistan Police Portal PlugX ShadowPad

By xploitzone
July 13, 2026 6:22 PM
---Advertisement---

SentinelOne SentinelLABS documented sustained cyber espionage against Balochistan Police and other Pakistani law enforcement from 2024 to 2026 by four separate threat clusters deploying PlugX ShadowPad Cobalt Strike and Remcos RAT linked to China and India aligned actors.

Picture the same citizen complaint portal that a regular person uses to report a neighborhood dispute quietly serving as a malware delivery mechanism for a foreign intelligence operation at the exact same time.

The same web address that a police officer opens to process a case file and that a citizen opens to track their complaint against local authorities sits compromised at the server level and has been hosting implants built by suspected state linked threat actors. That exact scenario played out at the Balochistan Police Complaint Management System and SentinelOne SentinelLABS published a full detailed account on July 11 2026.

Balochistan Police Espionage Campaign

SentinelOne principal threat researcher Aleksandar Milenkoski documented sustained cyber espionage activity against several Pakistani law enforcement organizations between February 2024 and April 2026.

Timeline of espionage activity targeting Pakistani law enforcement organizations between 2024 and 2026.

The confirmed compromised assets at Balochistan Police include two network appliances web servers hosting several Balochistan Police web applications associated with the Smart Police Station digitalization initiative and a Fortinet FortiMail appliance that had served as the agencys primary inbound email gateway. The compromise window for these assets spans from June 2 2024 through April 9 2026 representing nearly two years of maintained access across multiple infrastructure layers.

Four distinct threat clusters operated against these targets each carrying a different malware family. PlugX activity ran from February 27 through September 28 2024. ShadowPad activity ran from August 3 through December 1 2024. The deployment of both PlugX and ShadowPad traditionally associates with Chinese nation state hacking groups with ShadowPad specifically considered a successor to PlugX developed and distributed among Chinese state aligned operators.

A Cobalt Strike cluster also operated against the targets with command and control traffic to the attacker controlled server at 142.171.183.8 extending beyond Pakistani law enforcement to government academic telecommunications and non-governmental entities across South East and Southeast Asia the Middle East and South America consistent with China aligned collection priorities including Tibetan Buddhist organizations in Taiwan which China targets persistently.

The fourth cluster deployed Remcos RAT and shares infrastructure and tactical overlaps with Mysterious Elephant also tracked as APT-C-08 APT-K-47 and TAG-179 which in turn carries commonalities with India nexus adversaries including SideWinder Confucius and Bitter.

The Remcos cluster used lures related to Pakistani law enforcement specifically a decoy document purporting to contain an operational plan for the repatriation of illegal foreigners including Afghan Citizen Card holders which represents a topic carrying genuine operational relevance for Pakistani police at the time of targeting.

Decoy operational document used to lure Pakistani law enforcement personnel.

The most operationally significant finding involves what happened to the Complaint Management System at cms.balochistanpolice.gov.pk which serves both police staff and citizens for registering tracking and resolving complaints.

Balochistan Police Complaint Management System targeted during the espionage campaign.

Two distinct variants of an implant named cms_plugin.exe were uploaded to this application. The first variant functions as a Rust stager designed to download an additional payload from the IP address 193.42.25.65 and execute it. Upon execution it displays the message “Update Complete! Please refresh the page” mimicking a legitimate CMS portal update to prevent victim suspicion while the payload downloads silently.

Decompiled malware code analyzed by SentinelLabs researchers.

The second variant masquerades as 360Safe.exe a legitimate binary used by Qihoo 360 Total Security to reflectively load an assembly implementing an AsyncRAT client providing remote access capability through the cover of an apparently legitimate security tool.

APT Threat Detection & Mitigation

The convergence of both a partner and an adversary of Pakistan operating against the same law enforcement targets at overlapping time periods represents the clearest signal of how high value these institutions sat as intelligence collection targets. Milenkoski’s assessment frames this precisely.

When multiple cyber espionage actors operate against law enforcement institutions of a single state the convergence itself signals target value. What draws them involves a particular kind of institution that holds the government’s internal security picture including what it knows about the threats inside its own borders and how it acts against them.

The Complaint Management System compromise adds a dimension beyond simple server level intrusion. By placing implants inside a portal accessible to both citizens and law enforcement personnel the threat actor transformed a tool built to make policing more accessible and accountable into a malware delivery mechanism reaching across both categories of users simultaneously.

Any citizen who interacted with the compromised portal during the compromise window potentially exposed their device to the implant delivery chain alongside the law enforcement staff the portal primarily serves.

The broader victimology for PlugX and ShadowPad confirms that Pakistani law enforcement represents one node inside a much wider Chinese aligned collection campaign covering government foreign affairs defense nongovernmental and research entities across South Southeast Central and East Asia the Arabian Peninsula and Southeast Europe. Attribution confidence for the China aligned clusters rests on overlapping tooling victimology and the specific pattern of PlugX and ShadowPad deployment rather than any single definitive technical indicator.

Pakistani law enforcement organizations and other government agencies in the region should audit their web application infrastructure for unauthorized file uploads particularly in citizen facing portals that carry lower security scrutiny than internal administrative systems.

Any file named to mimic legitimate security software especially well known vendors like Qihoo 360 appearing in web application directories warrants immediate investigation. FortiMail and similar perimeter email gateway appliances should receive particular attention given that the Balochistan Police FortiMail appliance sat among the confirmed compromised assets suggesting this infrastructure class serves as a reliable lateral movement or initial access target for state level operators in this region.

The pattern of targeting citizen facing government portals rather than purely internal administrative systems represents a meaningful tactical evolution. A portal designed explicitly to improve public access and government transparency carries by design a wider attack surface than a purely internal system since it must accept input from unauthenticated public users making it both easier to access and harder to fully lock down without breaking its intended function.

xploitzone

Exploring the world of cybersecurity through in depth analysis of vulnerabilities,data breaches and emerging threats. Delivering real insights technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.

Join Twitter

Join Now

Join Telegram

Join Now

Leave a Comment