Recent investigations have uncovered a series of cyber espionage activities targeting Pakistani law enforcement agencies, notably the Balochistan Police, between February 2024 and April 2026. These operations are attributed to threat actors with affiliations to both China and India.
The compromised assets within the Balochistan Police included servers hosting web applications that manage sensitive data such as biometric records, hotel and tenant registrations linked to national identity records, criminal case files, and personnel records. One significant breach involved the Complaint Management System (CMS), a portal used by both police staff and citizens. Attackers infiltrated this system, deploying a custom implant disguised as a portal update, thereby compromising the data of all users interacting with the platform.
Further analysis identified four distinct threat clusters, each utilizing different malware families: PlugX, ShadowPad, Cobalt Strike, and Remcos RAT. The deployment of PlugX and ShadowPad, traditionally associated with Chinese state-sponsored groups, suggests a China-aligned origin for these attacks. Conversely, the use of Remcos RAT points to an India-nexus threat actor, with infrastructure and tactics overlapping with groups like Mysterious Elephant, SideWinder, Confucius, and Bitter.
These cyber campaigns extended beyond the Balochistan Police, affecting other Pakistani law enforcement bodies, including the Khyber Pakhtunkhwa Police, the Islamabad Police, and the Punjab Safe Cities Authority (PSCA). The attackers employed lures related to law enforcement operations, such as documents concerning the repatriation of illegal foreigners, to facilitate their intrusions.
The victimology associated with the PlugX and ShadowPad clusters encompasses government, foreign affairs, defense, nongovernmental, and research entities across South, Southeast, Central, and East Asia, the Arabian Peninsula, and Southeast Europe. This pattern aligns with the typical targets of China-aligned cyber espionage activities.
In contrast, the Remcos-related intrusion set shares infrastructure and tactical similarities with India-nexus adversaries, indicating a separate but concurrent espionage effort targeting Pakistani law enforcement.
These findings underscore the persistent and sophisticated nature of cyber threats facing law enforcement agencies in Pakistan. The exploitation of critical systems like the CMS not only jeopardizes sensitive data but also erodes public trust in digital platforms designed for citizen engagement. It is imperative for organizations to bolster their cybersecurity measures, conduct regular audits, and stay vigilant against evolving threats to safeguard their infrastructure and the data they manage.