China- and India-Linked Hackers Target Pakistani Police Systems, SentinelOne Reports

Published
Written by:
Rachita Jain
Rachita Jain
VPN Staff Editor
Key Takeaways
  • SentinelLABS Pakistan Police cyberespionage report: China- and India-linked espionage groups targeted Pakistani police systems holding sensitive operational and citizen data.
  • Compromised complaint portal: Attackers planted malware in a police complaint website used by officers and the public.
  • Why it matters: Digital policing platforms remain attractive intelligence targets, highlighting risks from compromised trusted government services.

A new report from SentinelLABS says suspected cyberespionage groups linked to both China and India independently targeted multiple Pakistani law enforcement organizations between February 2024 and April 2026. According to the researchers, the attackers focused on systems containing police, criminal, biometric, and citizen records, with Balochistan Police emerging as the primary target.

The findings come from an official SentinelLABS investigation published on July 9, 2026.

Multiple Espionage Groups Targeted Pakistani Law Enforcement

According to SentinelLABS, several Pakistani law enforcement organizations experienced cyber intrusions over a two-year period. The affected organizations include Balochistan Police, Khyber Pakhtunkhwa Police, Islamabad Police, and the Punjab Safe Cities Authority (PSCA).

Researchers identified activity involving four malware families or attack frameworks: PlugX, ShadowPad, Cobalt Strike, and Remcos. Based on the tools used, infrastructure, and victim patterns, SentinelLABS attributes the PlugX and ShadowPad campaigns to suspected China-linked threat actors, while the Remcos activity is associated with a suspected India-linked group tracked as TAG-179. The Cobalt Strike activity was also attributed with medium confidence to China-linked actors.

Balochistan Police experienced the highest concentration of attacks. Compromised systems included network appliances and servers hosting web applications responsible for managing criminal case files, biometric records, hotel guest registrations, tenant registrations, personnel information, and citizen complaints.

SentinelLABS notes that when multiple espionage groups from different countries independently target the same organization, it highlights the intelligence value of the information held by that institution.

Complaint Portal Was Used to Deliver Malware

One of the report's most significant findings involves the compromise of the Balochistan Police Complaint Management System (CMS), an online platform used by both police personnel and members of the public.

Researchers found that attackers placed malicious files on the portal that appeared to be legitimate software updates. When executed, the files downloaded additional malware from attacker-controlled servers. One version deployed an AsyncRAT remote access trojan disguised as software associated with the Chinese security vendor Qihoo 360, while another downloaded an additional payload using a Rust-based loader.

The fake update displayed an "Update Complete! Please refresh the page" message, making the malware appear to be part of a routine portal update.

The CMS landing page of Balochistan Police
The CMS landing page of Balochistan Police | Source - Sentinel One

Because the CMS is used by both law enforcement staff and citizens checking the status of complaints, SentinelLABS says the compromise potentially exposed both groups. A successful infection could have allowed attackers to gain control of users' devices. For police personnel, this may have provided access to internal police networks and operational information. For citizens, it could have enabled surveillance of individuals interacting with the complaint system.

Why the Attacks Matter

SentinelLABS believes the suspected China-linked activity was primarily motivated by concerns over the safety of Chinese nationals working in Pakistan, particularly those connected to the China-Pakistan Economic Corridor (CPEC). The report notes that repeated attacks on Chinese citizens have led Beijing to seek independent insight into Pakistan's internal security situation.

The researchers suggest the suspected India-linked activity was likely driven by the long-running security rivalry between India and Pakistan, with Balochistan representing a strategically important region because of the ongoing insurgency and broader regional tensions.

The report concludes that modern digital policing platforms have become valuable intelligence targets because they centralize sensitive operational, institutional, and civilian data in one place.

For privacy users, the report serves as another reminder that trusted government portals can become malware delivery points if compromised. Even legitimate websites may temporarily expose visitors to malicious software during a cyberattack.

The findings are based on SentinelLABS' technical analysis and infrastructure tracking and have been published as an official research report. At this time, the report does not recommend any specific action for the general public beyond awareness. Organizations operating public-facing services should continue monitoring their systems for compromise and follow established security best practices.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: