Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

One Target, Two Flags | Rival Espionage Actors Converge On Pakistani Law Enforcement

0
Medium
Published: 07/09/2026 (07/09/2026, 22:16:04 UTC)
Source: AlienVault OTX General

Description

Between February 2024 and April 2026, multiple cyberespionage groups suspected to be linked to China and India conducted sustained intrusions targeting Pakistani law enforcement, especially the Balochistan Police. The attackers compromised network appliances and servers hosting critical web applications managing criminal records, biometric data, and citizen complaints. A China-nexus actor deployed custom implants disguised as portal updates in the Complaint Management System, targeting police personnel and citizens. The threat actors used various malware families including PlugX, ShadowPad, Cobalt Strike, and Remcos. The motivations appear linked to geopolitical interests involving the safety of Chinese nationals in Pakistan and intelligence gathering by India on security operations in a sensitive region. No known exploits in the wild or patches are indicated.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 08:02:43 UTC

Technical Analysis

This threat involves sustained cyberespionage intrusions by multiple advanced persistent threat groups with suspected ties to China and India, targeting Pakistani law enforcement infrastructure from early 2024 through mid-2026. The compromised assets include network appliances and servers running web applications critical to law enforcement operations such as criminal records and biometric data management. A China-nexus actor weaponized the Complaint Management System by deploying custom implants masquerading as portal updates, impacting both police and citizens. The attackers leveraged a range of malware tools including PlugX, ShadowPad, Cobalt Strike, Remcos, and others. The geopolitical motivations are linked to protecting Chinese nationals in Pakistan and intelligence collection by India in the strategically sensitive Balochistan province. No specific software versions or patches are identified, and no known exploits in the wild have been reported.

Potential Impact

The intrusions resulted in unauthorized access to sensitive law enforcement data including criminal records, biometric information, and citizen complaints. The deployment of implants and malware tools potentially allowed espionage actors to conduct surveillance, data exfiltration, and maintain persistent access within Pakistani law enforcement networks. This compromises operational security and intelligence confidentiality in a geopolitically sensitive region. The impact extends to both personnel and citizens interacting with the targeted systems.

Mitigation Recommendations

No specific patches or fixes are indicated for this threat. Since this is a targeted espionage campaign involving custom implants and multiple malware families, mitigation should focus on detecting and removing these implants and malware from affected systems. Organizations should review and harden security controls around web applications managing sensitive data, monitor for indicators of compromise related to PlugX, ShadowPad, Cobalt Strike, and Remcos, and apply threat intelligence updates from trusted sources. Patch status is not yet confirmed — check vendor advisories and threat intelligence updates for current remediation guidance.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.sentinelone.com/labs/one-target-china-india-espionage-converge-on-pakistani-law-enforcement/"]
Adversary
TAG-179
Pulse Id
6a501da43fb3cb230cc9a9b9
Threat Score
null

Indicators of Compromise

Ip

ValueDescriptionCopy
ip172.94.9.19
CC=DE ASN=AS3223 voxility llp
ip172.94.9.19
ip172.111.233.105
CC=US ASN=AS9009 m247 ltd
ip172.111.233.96
CC=US ASN=AS9009 m247 ltd
ip142.171.183.8
CC=CA ASN=AS577 bell canada
ip172.111.233.12
CC=US ASN=AS9009 m247 ltd
ip193.42.25.65
CC=HK ASN=AS55933 cloudie limited
ip45.125.32.218
CC=HK ASN=AS55933 cloudie limited
ip89.31.121.220
CC=RS ASN=AS9009 m247 ltd
ip172.94.9.43
CC=DE ASN=AS3223 voxility llp
ip172.94.9.43
ip172.94.9.49
CC=DE ASN=AS3223 voxility llp
ip172.94.9.49
ip41.216.188.140
ip41.216.188.140
CC=US ASN=AS211138 private-hosting di cipriano oscar
ip172.111.233.26
CC=US ASN=AS9009 m247 ltd
ip172.111.233.36
CC=US ASN=AS9009 m247 ltd
ip45.74.6.17
CC=BE ASN=AS9009 m247 ltd

Domain

ValueDescriptionCopy
domaincms.balochistanpolice.gov.pk
domaincms.balochistanpolice.gov.pk

Hash

ValueDescriptionCopy
hashfc59fc3d4b2af739014de04428ce2fb5
hashfc59fc3d4b2af739014de04428ce2fb5
MD5 of 2bab40c55637398f0497cff9c8cbea564d595c7f
hashd92fac74e6d7f4d8fc96c9ce6239435f
hashd92fac74e6d7f4d8fc96c9ce6239435f
MD5 of 539bd79fbb684edea94eb37518134b97e94b9dd8
hash000fad96a85dd6933c22d3dbec9aed47b7f1f066
hash000fad96a85dd6933c22d3dbec9aed47b7f1f066
hashc6c197e61079a0a33108c2c87b5e3c7056a138ec
hashc6c197e61079a0a33108c2c87b5e3c7056a138ec
hash96b15bb9ce8ef7c41b708b1620029d99
hash96b15bb9ce8ef7c41b708b1620029d99
MD5 of 6fe2e74d009abbd56de01fd7404a1245e9b47c79
hash91693c2d5a4b7d090fe06cc7382dfc18
hash91693c2d5a4b7d090fe06cc7382dfc18
MD5 of 47f8cb0c2dcf62702f58cfc1603d6325755f6820
hash08570471f39bb6725f07b8cddbea99ed48c22686
hash08570471f39bb6725f07b8cddbea99ed48c22686
hash23f4766c011d193f076dfc735dc460e2a41ead79
hash23f4766c011d193f076dfc735dc460e2a41ead79
hash23f6781919a50b118d8d4e6a7e9ae63b71ecc885
hash23f6781919a50b118d8d4e6a7e9ae63b71ecc885
hash2bab40c55637398f0497cff9c8cbea564d595c7f
hash2bab40c55637398f0497cff9c8cbea564d595c7f
hash4039454c9189e64285e93fc075a30b93f814b5b5
hash4039454c9189e64285e93fc075a30b93f814b5b5
hash47f8cb0c2dcf62702f58cfc1603d6325755f6820
hash47f8cb0c2dcf62702f58cfc1603d6325755f6820
hash539bd79fbb684edea94eb37518134b97e94b9dd8
hash539bd79fbb684edea94eb37518134b97e94b9dd8
hash58cb2d95063b9df807b7aa8dc106b74ce988a491
hash58cb2d95063b9df807b7aa8dc106b74ce988a491
hash5d60ff36ff519c2e13e7f66cfa0bb46be79592a7
hash5d60ff36ff519c2e13e7f66cfa0bb46be79592a7
hash63b88d00331de88af696dfb7a896935d830e485f
hash63b88d00331de88af696dfb7a896935d830e485f
hash6fe2e74d009abbd56de01fd7404a1245e9b47c79
hash6fe2e74d009abbd56de01fd7404a1245e9b47c79
hash71757adba833b46f961e840d0f055bcce0b529c4
hash71757adba833b46f961e840d0f055bcce0b529c4
hash8c329db96e093fa25268e078405a33c518dbb5c9
hash8c329db96e093fa25268e078405a33c518dbb5c9
hashd66ab0cd2e44dc8389c111b7ed34c7bcb0b35311
hashd66ab0cd2e44dc8389c111b7ed34c7bcb0b35311
hash1fd8ba64a687247466fa6e8b7d194154439ef527746fdb8c18b3c3d65b6d2390
SHA256 of 2bab40c55637398f0497cff9c8cbea564d595c7f
hash1fd8ba64a687247466fa6e8b7d194154439ef527746fdb8c18b3c3d65b6d2390
hash71fa6a00314701fef5c6f32c17e1438063d05616198ac9a12004aeab957e11ae
SHA256 of 539bd79fbb684edea94eb37518134b97e94b9dd8
hash71fa6a00314701fef5c6f32c17e1438063d05616198ac9a12004aeab957e11ae
hash7ea0930a332788c2e88e5822e4908d77cdcaad57e0e97401ed8fe4b117fdfc95
hash7ea0930a332788c2e88e5822e4908d77cdcaad57e0e97401ed8fe4b117fdfc95
SHA256 of 6fe2e74d009abbd56de01fd7404a1245e9b47c79
hash9fb6f4c55e5198739123264f8007cf6e22b3821af97a00a471bd54b30991ecd0
hash9fb6f4c55e5198739123264f8007cf6e22b3821af97a00a471bd54b30991ecd0
SHA256 of 47f8cb0c2dcf62702f58cfc1603d6325755f6820

Url

ValueDescriptionCopy
urlhttp://cms.balochistanpolice.gov.pk/client%20scripts/
urlhttp://cms.balochistanpolice.gov.pk/client%20scripts/cms_plugin.exe
urlhttp://cms.balochistanpolice.gov.pk/client%20scripts/cms_plugin.exe

Threat ID: 6a50a39468715ace433baa42

Added to database: 07/10/2026, 07:47:32 UTC

Last enriched: 07/10/2026, 08:02:43 UTC

Last updated: 07/10/2026, 08:02:43 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses