Pakistani Police Systems Hit by Chinese and Indian Espionage

Written by

Two rival nation-state cyber espionage operations, one linked to China and the other to India, have converged on the same Pakistani police force.

According to new analysis published by SentinelLabs, the research arm of SentinelOne, on July 9, suspected China- and India-nexus actors ran intrusion campaigns against several Pakistani law enforcement bodies between February 2024 and April 2026, concentrating on Balochistan Police, the province's main force.

The compromised assets included servers hosting applications for biometric records, criminal case files and tenant registrations tied to national identity data. One China-nexus actor reportedly planted implants in a portal used by officers and citizens.

SentinelLabs grouped the command and control (C2) activity observed into four clusters. PlugX, ShadowPad and Cobalt Strike point to China-nexus operators; a Remcos cluster was tied to a suspected India-nexus actor Recorded Future tracks as TAG-179, overlapping with the group others call Bitter.

Read more on Chinese espionage: Chinese Hackers Target European Governments in Espionage Campaigns

Two Rivals, Opposite Motives

For China, SentinelLabs said the likely driver was the safety of its nationals, tied to the China-Pakistan Economic Corridor (CPEC).

They have reportedly faced repeated deadly attacks, some claimed by the Balochistan Liberation Army (BLA), a Baloch separatist group. Police data would allow China to assess that threat independently.

India's motive is more likely its rivalry with Pakistan, in which Balochistan is a recurring flashpoint.

Islamabad accused New Delhi of backing the insurgency, which India denied, and the force holds the record of how Pakistan polices the province.

A Citizen Portal Turned Against Its Users

The standout finding was the compromise of the force's Complaint Management System (CMS), used by both officers and citizens checking a complaint.

Two variants of an implant named cms_plugin.exe were uploaded in late 2024, one in Rust, the other .NET. The Rust variant is a stager that, on execution, displayed "Update Complete! Please refresh the page," mimicking a portal update.

The .NET variant posed as a component of Chinese vendor Qihoo 360's security software and loaded an AsyncRAT client. Shared code and simplified Chinese strings pointed to a Chinese-speaking developer.

Reaching the databases behind these applications would expose:

  • Police personnel and payroll records

  • Criminal case files and fingerprint biometrics

  • Stolen vehicle records

  • Hotel check-ins tied to identity data

  • Landlord and tenant registrations

  • Citizen complaints, including misconduct reports

The convergence reflects a structural risk in digital policing: systems that centralize records and services also concentrate intelligence value, making police infrastructure intelligence terrain for any capable adversary.

What’s Hot on Infosecurity Magazine?