Suspected China and India nexus actors both compromised Balochistan Police systems, planting malware in a public complaint portal used by citizens.

Continue reading
Suspected China nexus and India nexus threat actors independently compromised the same Pakistani police force over a two year span, and one of them turned a citizen facing complaint portal into a malware delivery point.
SentinelLABS researchers Aleksandar Milenkoski and Julian-Ferdinand Vögele mapped the intrusions in a report published, tracking C2 traffic tied to PlugX, ShadowPad, Cobalt Strike, and Remcos infrastructure hitting Balochistan Police and three other Pakistani law enforcement bodies between February 2024 and April 2026.
Two rival intelligence services rarely show up in the same target's logs for the same reasons.
Here they did but for different ones. China's presumed interest tracks the safety of its own nationals in Balochistan, where deadly attacks on Chinese workers tied to the China-Pakistan Economic Corridor have gone unresolved for years.
India's presumed interest tracks the province's role as ground zero in the India-Pakistan proxy war narrative, where Islamabad accuses New Delhi of backing Baloch separatists and New Delhi accuses Islamabad right back over Kashmir. Same police force, opposite reasons to want inside it.
Balochistan Police took the heaviest concentration of intrusions.
Compromised infrastructure included two network appliances, a Fortinet FortiMail gateway that had been rotated out of production but stayed reachable on the network, and web servers running several applications under the EU-backed Smart Police Station digitization program: the FIR system for criminal complaint filings, HRMIS personnel records, the Anti-Vehicle Lifting System, HotelEye guest registration linked to national ID data, the Criminal Record Management System with biometric matching, Tenant Registration, and the Complaint Management System (CMS).
If the attackers reached the databases behind those front ends, that's personnel files, biometric records, criminal case history, stolen vehicle records, hotel check-in logs, tenant registrations, and citizen complaints, all in one province's police infrastructure.
Three other organizations also turned up compromised: Khyber Pakhtunkhwa Police, Islamabad Police, and the Punjab Safe Cities Authority, which runs Punjab's integrated police command-and-control system.
SentinelLABS grouped the C2 traffic into four clusters by tooling rather than by actor, since PlugX, ShadowPad, and Cobalt Strike are all shared or commodity malware that multiple operators can run. Only the Remcos cluster maps cleanly to a single actor.
| C2 cluster | C2 servers | First seen | Last seen |
|---|---|---|---|
| PlugX | 172.111.233[.]36, .96, .12, .105, .26; 172.94.9[.]49, .43, .19; 45.74.6[.]17 | 27 Feb 2024 | 28 Sep 2024 |
| ShadowPad | 45.125.32[.]218 | 5 Nov 2024 | 29 Nov 2024 |
| Cobalt Strike | 142.171.183[.]8, 193.42.25[.]65 | 12 Oct 2024 | 5 Dec 2025 |
| Remcos | 89.31.121[.]220 | 13 Jan 2026 | 9 Apr 2026 |
PlugX and ShadowPad are both backdoors that circulate among multiple China-nexus groups, so the tooling alone points east. Victimology outside Pakistani law enforcement backs that up: government, foreign affairs, defense, NGO, and research targets across South, Southeast, Central, and East Asia, the Arabian Peninsula, and Southeast Europe, which is a fairly standard China-aligned collection footprint.
Cobalt Strike server 142.171.183[.]8 shows the same pattern, with victims spanning government, academic, telecom, and NGO targets across South, East, and Southeast Asia, the Middle East, and South America, including Tibetan Buddhist organizations in Taiwan, a long-running Chinese cyberespionage target set. SentinelLABS attributes both Cobalt Strike servers to China-nexus actors with medium confidence. The second server, 193.42.25[.]65, only ever talked to Balochistan Police, and it also served as next-stage infrastructure for the CMS portal implants covered below.
The Remcos server, 89.31.121[.]220, gets attributed to a suspected India-nexus actor that Recorded Future tracks as TAG-179, with infrastructure and TTP overlap to what Kaspersky calls Mysterious Elephant and what Qihoo 360 calls APT-C-08 or Bitter. SentinelLABS notes TAG-179 ramped up activity and diversified its tradecraft starting in early 2025, consistent with what Kaspersky and Qihoo 360 have separately documented.
One lure in Qihoo 360's reporting delivers a Remcos payload configured to the exact same C2 server SentinelLABS observed. The lure is a decoy document dressed up as an operational plan for deporting Afghan Citizen Card holders, referencing coordination between district police, Pakistan's national ID authority NADRA, and intelligence organizations. It's a lure built for exactly this target set. Outside Pakistani law enforcement, TAG-179's victimology in the observed window (November 2025 to April 2026) covers government, defense, foreign affairs, intelligence, research, and manufacturing targets across South and Southeast Asia and the Middle East.
The most concrete artifact in the report is what happened to the Complaint Management System at `cms.balochistanpolice[.]gov[.]pk`. This portal serves two very different audiences: police staff logging in with `ps-`prefixed district credentials (recovered from stealer logs on the dark web), and ordinary citizens using a public search form to check on complaints they've filed, no login required.

SentinelLABS attributes the CMS compromise to the actor behind 193.42.25[.]65, based on shared infrastructure and the shared focus on Balochistan Police. Two variants of an implant called `cms_plugin.exe` turned up on VirusTotal, uploaded to the portal's `/client scripts/` directory in late 2024:
The .NET sample's PDB path, `D:\codedome\case\six\Client\Client2\obj\Debug\Client2.pdb`, let researchers pivot to a cluster of related AsyncRAT builds sharing the same `D:\codedome` development environment, plus matching variable naming and string obfuscation. Some of those samples carry pinyin terms in their PDB paths, like `xinshi`, and at least one logs status messages in simplified Chinese. None of that proves who's behind the keyboard, but it's a reasonably strong signal for a Chinese-speaking developer.
Both `cms_plugin.exe` samples display "Update Complete! Please refresh the page" after execution, mimicking a routine portal update. That framing, combined with where the file sat in the directory structure, suggests the target was anyone using the CMS front end: police staff, whose infection could open a path into internal networks and data beyond the portal, or citizens checking a complaint, whose infection would let the operator watch them after the fact.
A police complaint portal is about as unglamorous a piece of government infrastructure as exists, and that's exactly the point. Digitization programs built to make policing more accessible end up creating a single reachable surface that touches personnel data, criminal records, biometrics, and ordinary citizens, all at once. Whoever compromises that surface doesn't just get institutional data; they get a foothold into everyone who trusted the portal enough to use it.
For any organization running public-facing government or law-enforcement web applications, the CMS case is a reminder that the client-side scripts directory of a public portal is a viable implant delivery point, and that a fake "update" prompt is a low-effort way to get users to run something. The web application layer, not just the network perimeter, is where this campaign actually landed its most durable access.
C2 IP addresses ``` 172.111.233.36, 172.111.233.96, 172.111.233.12, 172.111.233.105, 172.111.233.26 – PlugX 172.94.9.49, 172.94.9.43, 172.94.9.19, 45.74.6.17 – PlugX 45.125.32.218 – ShadowPad 142.171.183.8, 193.42.25.65 – Cobalt Strike 89.31.121.220 – Remcos (TAG-179) 41.216.188.140 – AsyncRAT ```
Implant-hosting URL ``` hxxps://cms.balochistanpolice[.]gov[.]pk/client%20scripts/cms_plugin.exe ```
SHA-1 hashes (selected — full list in source report) ``` 23f6781919a50b118d8d4e6a7e9ae63b71ecc885 – cms_plugin.exe (Rust stager) 4039454c9189e64285e93fc075a30b93f814b5b5 – cms_plugin.exe 58cb2d95063b9df807b7aa8dc106b74ce988a491 – cms_plugin.exe 5d60ff36ff519c2e13e7f66cfa0bb46be79592a7 – Backdoor (TAG-179) 63b88d00331de88af696dfb7a896935d830e485f – Backdoor (TAG-179) ``` (Full 16-hash IOC list, including all TAG-179 lures and launchers, is in the SentinelLABS source report.)
For organizations running similar public-sector or citizen-facing web portals, this case underscores a gap that traditional perimeter and CVSS-driven scanning tends to miss: an unmonitored write-access path into a client-scripts directory is a low-noise, high-value implant delivery point, regardless of how the initial foothold on the server was obtained.
ThreatSpy's reachability-based prioritization is built for exactly this kind of exposure — flagging web-facing directories with write access reachable from the public internet as high-priority, independent of whether a CVE exists for the underlying stack.
Practitioners reviewing similar portals should audit write permissions on public directories, monitor for unexpected executable uploads, and treat any legacy or "rotated out" appliance still live on the network (as the FortiMail gateway here was) as an active attack surface, not a retired one.

DHS confirms a breach of its HSIN intelligence-sharing network during World Cup security operations; a senator warns of national security risk