One Target, Two Flags | Rival Espionage Actors Converge On Pakistani Law Enforcement
Between February 2024 and April 2026, multiple cyberespionage groups suspected to be linked to China and India conducted sustained intrusions targeting Pakistani law enforcement, especially the Balochistan Police. The attackers compromised network appliances and servers hosting critical web applications managing criminal records, biometric data, and citizen complaints. A China-nexus actor deployed custom implants disguised as portal updates in the Complaint Management System, targeting police personnel and citizens. The threat actors used various malware families including PlugX, ShadowPad, Cobalt Strike, and Remcos. The motivations appear linked to geopolitical interests involving the safety of Chinese nationals in Pakistan and intelligence gathering by India on security operations in a sensitive region. No known exploits in the wild or patches are indicated.
AI Analysis
Technical Summary
This threat involves sustained cyberespionage intrusions by multiple advanced persistent threat groups with suspected ties to China and India, targeting Pakistani law enforcement infrastructure from early 2024 through mid-2026. The compromised assets include network appliances and servers running web applications critical to law enforcement operations such as criminal records and biometric data management. A China-nexus actor weaponized the Complaint Management System by deploying custom implants masquerading as portal updates, impacting both police and citizens. The attackers leveraged a range of malware tools including PlugX, ShadowPad, Cobalt Strike, Remcos, and others. The geopolitical motivations are linked to protecting Chinese nationals in Pakistan and intelligence collection by India in the strategically sensitive Balochistan province. No specific software versions or patches are identified, and no known exploits in the wild have been reported.
Potential Impact
The intrusions resulted in unauthorized access to sensitive law enforcement data including criminal records, biometric information, and citizen complaints. The deployment of implants and malware tools potentially allowed espionage actors to conduct surveillance, data exfiltration, and maintain persistent access within Pakistani law enforcement networks. This compromises operational security and intelligence confidentiality in a geopolitically sensitive region. The impact extends to both personnel and citizens interacting with the targeted systems.
Mitigation Recommendations
No specific patches or fixes are indicated for this threat. Since this is a targeted espionage campaign involving custom implants and multiple malware families, mitigation should focus on detecting and removing these implants and malware from affected systems. Organizations should review and harden security controls around web applications managing sensitive data, monitor for indicators of compromise related to PlugX, ShadowPad, Cobalt Strike, and Remcos, and apply threat intelligence updates from trusted sources. Patch status is not yet confirmed — check vendor advisories and threat intelligence updates for current remediation guidance.
Indicators of Compromise
- ip: 172.94.9.19
- ip: 172.94.9.19
- domain: cms.balochistanpolice.gov.pk
- domain: cms.balochistanpolice.gov.pk
- ip: 172.111.233.105
- ip: 172.111.233.96
- ip: 142.171.183.8
- ip: 172.111.233.12
- ip: 193.42.25.65
- ip: 45.125.32.218
- ip: 89.31.121.220
- hash: fc59fc3d4b2af739014de04428ce2fb5
- hash: fc59fc3d4b2af739014de04428ce2fb5
- hash: d92fac74e6d7f4d8fc96c9ce6239435f
- hash: d92fac74e6d7f4d8fc96c9ce6239435f
- hash: 000fad96a85dd6933c22d3dbec9aed47b7f1f066
- hash: 000fad96a85dd6933c22d3dbec9aed47b7f1f066
- hash: c6c197e61079a0a33108c2c87b5e3c7056a138ec
- hash: c6c197e61079a0a33108c2c87b5e3c7056a138ec
- hash: 96b15bb9ce8ef7c41b708b1620029d99
- hash: 96b15bb9ce8ef7c41b708b1620029d99
- hash: 91693c2d5a4b7d090fe06cc7382dfc18
- hash: 91693c2d5a4b7d090fe06cc7382dfc18
- ip: 172.94.9.43
- ip: 172.94.9.43
- ip: 172.94.9.49
- ip: 172.94.9.49
- hash: 08570471f39bb6725f07b8cddbea99ed48c22686
- hash: 08570471f39bb6725f07b8cddbea99ed48c22686
- hash: 23f4766c011d193f076dfc735dc460e2a41ead79
- hash: 23f4766c011d193f076dfc735dc460e2a41ead79
- hash: 23f6781919a50b118d8d4e6a7e9ae63b71ecc885
- hash: 23f6781919a50b118d8d4e6a7e9ae63b71ecc885
- hash: 2bab40c55637398f0497cff9c8cbea564d595c7f
- hash: 2bab40c55637398f0497cff9c8cbea564d595c7f
- hash: 4039454c9189e64285e93fc075a30b93f814b5b5
- hash: 4039454c9189e64285e93fc075a30b93f814b5b5
- hash: 47f8cb0c2dcf62702f58cfc1603d6325755f6820
- hash: 47f8cb0c2dcf62702f58cfc1603d6325755f6820
- hash: 539bd79fbb684edea94eb37518134b97e94b9dd8
- hash: 539bd79fbb684edea94eb37518134b97e94b9dd8
- hash: 58cb2d95063b9df807b7aa8dc106b74ce988a491
- hash: 58cb2d95063b9df807b7aa8dc106b74ce988a491
- hash: 5d60ff36ff519c2e13e7f66cfa0bb46be79592a7
- hash: 5d60ff36ff519c2e13e7f66cfa0bb46be79592a7
- hash: 63b88d00331de88af696dfb7a896935d830e485f
- hash: 63b88d00331de88af696dfb7a896935d830e485f
- hash: 6fe2e74d009abbd56de01fd7404a1245e9b47c79
- hash: 6fe2e74d009abbd56de01fd7404a1245e9b47c79
- hash: 71757adba833b46f961e840d0f055bcce0b529c4
- hash: 71757adba833b46f961e840d0f055bcce0b529c4
- hash: 8c329db96e093fa25268e078405a33c518dbb5c9
- hash: 8c329db96e093fa25268e078405a33c518dbb5c9
- hash: d66ab0cd2e44dc8389c111b7ed34c7bcb0b35311
- hash: d66ab0cd2e44dc8389c111b7ed34c7bcb0b35311
- hash: 1fd8ba64a687247466fa6e8b7d194154439ef527746fdb8c18b3c3d65b6d2390
- hash: 1fd8ba64a687247466fa6e8b7d194154439ef527746fdb8c18b3c3d65b6d2390
- hash: 71fa6a00314701fef5c6f32c17e1438063d05616198ac9a12004aeab957e11ae
- hash: 71fa6a00314701fef5c6f32c17e1438063d05616198ac9a12004aeab957e11ae
- hash: 7ea0930a332788c2e88e5822e4908d77cdcaad57e0e97401ed8fe4b117fdfc95
- hash: 7ea0930a332788c2e88e5822e4908d77cdcaad57e0e97401ed8fe4b117fdfc95
- hash: 9fb6f4c55e5198739123264f8007cf6e22b3821af97a00a471bd54b30991ecd0
- hash: 9fb6f4c55e5198739123264f8007cf6e22b3821af97a00a471bd54b30991ecd0
- ip: 41.216.188.140
- ip: 41.216.188.140
- url: http://cms.balochistanpolice.gov.pk/client%20scripts/
- url: http://cms.balochistanpolice.gov.pk/client%20scripts/cms_plugin.exe
- url: http://cms.balochistanpolice.gov.pk/client%20scripts/cms_plugin.exe
- ip: 172.111.233.26
- ip: 172.111.233.36
- ip: 45.74.6.17
One Target, Two Flags | Rival Espionage Actors Converge On Pakistani Law Enforcement
Description
Between February 2024 and April 2026, multiple cyberespionage groups suspected to be linked to China and India conducted sustained intrusions targeting Pakistani law enforcement, especially the Balochistan Police. The attackers compromised network appliances and servers hosting critical web applications managing criminal records, biometric data, and citizen complaints. A China-nexus actor deployed custom implants disguised as portal updates in the Complaint Management System, targeting police personnel and citizens. The threat actors used various malware families including PlugX, ShadowPad, Cobalt Strike, and Remcos. The motivations appear linked to geopolitical interests involving the safety of Chinese nationals in Pakistan and intelligence gathering by India on security operations in a sensitive region. No known exploits in the wild or patches are indicated.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves sustained cyberespionage intrusions by multiple advanced persistent threat groups with suspected ties to China and India, targeting Pakistani law enforcement infrastructure from early 2024 through mid-2026. The compromised assets include network appliances and servers running web applications critical to law enforcement operations such as criminal records and biometric data management. A China-nexus actor weaponized the Complaint Management System by deploying custom implants masquerading as portal updates, impacting both police and citizens. The attackers leveraged a range of malware tools including PlugX, ShadowPad, Cobalt Strike, Remcos, and others. The geopolitical motivations are linked to protecting Chinese nationals in Pakistan and intelligence collection by India in the strategically sensitive Balochistan province. No specific software versions or patches are identified, and no known exploits in the wild have been reported.
Potential Impact
The intrusions resulted in unauthorized access to sensitive law enforcement data including criminal records, biometric information, and citizen complaints. The deployment of implants and malware tools potentially allowed espionage actors to conduct surveillance, data exfiltration, and maintain persistent access within Pakistani law enforcement networks. This compromises operational security and intelligence confidentiality in a geopolitically sensitive region. The impact extends to both personnel and citizens interacting with the targeted systems.
Mitigation Recommendations
No specific patches or fixes are indicated for this threat. Since this is a targeted espionage campaign involving custom implants and multiple malware families, mitigation should focus on detecting and removing these implants and malware from affected systems. Organizations should review and harden security controls around web applications managing sensitive data, monitor for indicators of compromise related to PlugX, ShadowPad, Cobalt Strike, and Remcos, and apply threat intelligence updates from trusted sources. Patch status is not yet confirmed — check vendor advisories and threat intelligence updates for current remediation guidance.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.sentinelone.com/labs/one-target-china-india-espionage-converge-on-pakistani-law-enforcement/"]
- Adversary
- TAG-179
- Pulse Id
- 6a501da43fb3cb230cc9a9b9
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip172.94.9.19 | CC=DE ASN=AS3223 voxility llp | |
ip172.94.9.19 | — | |
ip172.111.233.105 | CC=US ASN=AS9009 m247 ltd | |
ip172.111.233.96 | CC=US ASN=AS9009 m247 ltd | |
ip142.171.183.8 | CC=CA ASN=AS577 bell canada | |
ip172.111.233.12 | CC=US ASN=AS9009 m247 ltd | |
ip193.42.25.65 | CC=HK ASN=AS55933 cloudie limited | |
ip45.125.32.218 | CC=HK ASN=AS55933 cloudie limited | |
ip89.31.121.220 | CC=RS ASN=AS9009 m247 ltd | |
ip172.94.9.43 | CC=DE ASN=AS3223 voxility llp | |
ip172.94.9.43 | — | |
ip172.94.9.49 | CC=DE ASN=AS3223 voxility llp | |
ip172.94.9.49 | — | |
ip41.216.188.140 | — | |
ip41.216.188.140 | CC=US ASN=AS211138 private-hosting di cipriano oscar | |
ip172.111.233.26 | CC=US ASN=AS9009 m247 ltd | |
ip172.111.233.36 | CC=US ASN=AS9009 m247 ltd | |
ip45.74.6.17 | CC=BE ASN=AS9009 m247 ltd |
Domain
| Value | Description | Copy |
|---|---|---|
domaincms.balochistanpolice.gov.pk | — | |
domaincms.balochistanpolice.gov.pk | — |
Hash
| Value | Description | Copy |
|---|---|---|
hashfc59fc3d4b2af739014de04428ce2fb5 | — | |
hashfc59fc3d4b2af739014de04428ce2fb5 | MD5 of 2bab40c55637398f0497cff9c8cbea564d595c7f | |
hashd92fac74e6d7f4d8fc96c9ce6239435f | — | |
hashd92fac74e6d7f4d8fc96c9ce6239435f | MD5 of 539bd79fbb684edea94eb37518134b97e94b9dd8 | |
hash000fad96a85dd6933c22d3dbec9aed47b7f1f066 | — | |
hash000fad96a85dd6933c22d3dbec9aed47b7f1f066 | — | |
hashc6c197e61079a0a33108c2c87b5e3c7056a138ec | — | |
hashc6c197e61079a0a33108c2c87b5e3c7056a138ec | — | |
hash96b15bb9ce8ef7c41b708b1620029d99 | — | |
hash96b15bb9ce8ef7c41b708b1620029d99 | MD5 of 6fe2e74d009abbd56de01fd7404a1245e9b47c79 | |
hash91693c2d5a4b7d090fe06cc7382dfc18 | — | |
hash91693c2d5a4b7d090fe06cc7382dfc18 | MD5 of 47f8cb0c2dcf62702f58cfc1603d6325755f6820 | |
hash08570471f39bb6725f07b8cddbea99ed48c22686 | — | |
hash08570471f39bb6725f07b8cddbea99ed48c22686 | — | |
hash23f4766c011d193f076dfc735dc460e2a41ead79 | — | |
hash23f4766c011d193f076dfc735dc460e2a41ead79 | — | |
hash23f6781919a50b118d8d4e6a7e9ae63b71ecc885 | — | |
hash23f6781919a50b118d8d4e6a7e9ae63b71ecc885 | — | |
hash2bab40c55637398f0497cff9c8cbea564d595c7f | — | |
hash2bab40c55637398f0497cff9c8cbea564d595c7f | — | |
hash4039454c9189e64285e93fc075a30b93f814b5b5 | — | |
hash4039454c9189e64285e93fc075a30b93f814b5b5 | — | |
hash47f8cb0c2dcf62702f58cfc1603d6325755f6820 | — | |
hash47f8cb0c2dcf62702f58cfc1603d6325755f6820 | — | |
hash539bd79fbb684edea94eb37518134b97e94b9dd8 | — | |
hash539bd79fbb684edea94eb37518134b97e94b9dd8 | — | |
hash58cb2d95063b9df807b7aa8dc106b74ce988a491 | — | |
hash58cb2d95063b9df807b7aa8dc106b74ce988a491 | — | |
hash5d60ff36ff519c2e13e7f66cfa0bb46be79592a7 | — | |
hash5d60ff36ff519c2e13e7f66cfa0bb46be79592a7 | — | |
hash63b88d00331de88af696dfb7a896935d830e485f | — | |
hash63b88d00331de88af696dfb7a896935d830e485f | — | |
hash6fe2e74d009abbd56de01fd7404a1245e9b47c79 | — | |
hash6fe2e74d009abbd56de01fd7404a1245e9b47c79 | — | |
hash71757adba833b46f961e840d0f055bcce0b529c4 | — | |
hash71757adba833b46f961e840d0f055bcce0b529c4 | — | |
hash8c329db96e093fa25268e078405a33c518dbb5c9 | — | |
hash8c329db96e093fa25268e078405a33c518dbb5c9 | — | |
hashd66ab0cd2e44dc8389c111b7ed34c7bcb0b35311 | — | |
hashd66ab0cd2e44dc8389c111b7ed34c7bcb0b35311 | — | |
hash1fd8ba64a687247466fa6e8b7d194154439ef527746fdb8c18b3c3d65b6d2390 | SHA256 of 2bab40c55637398f0497cff9c8cbea564d595c7f | |
hash1fd8ba64a687247466fa6e8b7d194154439ef527746fdb8c18b3c3d65b6d2390 | — | |
hash71fa6a00314701fef5c6f32c17e1438063d05616198ac9a12004aeab957e11ae | SHA256 of 539bd79fbb684edea94eb37518134b97e94b9dd8 | |
hash71fa6a00314701fef5c6f32c17e1438063d05616198ac9a12004aeab957e11ae | — | |
hash7ea0930a332788c2e88e5822e4908d77cdcaad57e0e97401ed8fe4b117fdfc95 | — | |
hash7ea0930a332788c2e88e5822e4908d77cdcaad57e0e97401ed8fe4b117fdfc95 | SHA256 of 6fe2e74d009abbd56de01fd7404a1245e9b47c79 | |
hash9fb6f4c55e5198739123264f8007cf6e22b3821af97a00a471bd54b30991ecd0 | — | |
hash9fb6f4c55e5198739123264f8007cf6e22b3821af97a00a471bd54b30991ecd0 | SHA256 of 47f8cb0c2dcf62702f58cfc1603d6325755f6820 |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://cms.balochistanpolice.gov.pk/client%20scripts/ | — | |
urlhttp://cms.balochistanpolice.gov.pk/client%20scripts/cms_plugin.exe | — | |
urlhttp://cms.balochistanpolice.gov.pk/client%20scripts/cms_plugin.exe | — |
Threat ID: 6a50a39468715ace433baa42
Added to database: 07/10/2026, 07:47:32 UTC
Last enriched: 07/10/2026, 08:02:43 UTC
Last updated: 07/10/2026, 08:02:43 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.