Back to Feed
Nation-stateJul 10, 2026

China, India-Linked Hackers Both Targeted Same Pakistani Police Force

China and India-linked hackers targeted Pakistan's Balochistan Police for over two years.

Summary

Cyberespionage groups associated with both China and India have been observed infiltrating Pakistani law enforcement networks, including the Balochistan Police, for at least two years. The intrusions, which ran from February 2024 to April 2026, targeted sensitive data like biometric databases and criminal case files, utilizing malware such as PlugX, ShadowPad, Cobalt Strike, and Remcos. Researchers suggest China's motive is to assess threats to its Belt and Road projects, while India's interest lies in monitoring Pakistan's handling of Baloch separatists.

Full text

New research from SentinelOne shows that cyberespionage groups linked to both China and India spent more than two years quietly breaking into Pakistani law enforcement networks, with Balochistan Police getting hit from both sides of the region’s rivalries. According to the security firm’s SentinelLabs threat intelligence unit, the intrusions ran from February 2024 through April 2026 and targeted several Pakistani police organizations, with Balochistan Police absorbing the bulk of the activity. The attackers reached servers tied to biometric databases, criminal case files, personnel records, and citizen-facing systems. The researchers grouped the intrusions into four clusters based on the malware and infrastructure involved: PlugX, ShadowPad, Cobalt Strike, and Remcos. They cautioned that clusters built on shared or commodity malware — unlike the Remcos activity, tied to a single tracked actor — may each involve more than one operator. What stands out is the presence of China-linked cyberspies inside a police force belonging to one of Beijing’s closest regional partners. SentinelLabs frames the likely motive as self-interest. Specifically, Chinese nationals working on Belt and Road projects in Pakistan have been repeatedly targeted in attacks tied to Baloch separatist militants, and Chinese officials have openly criticized Islamabad’s ability to protect them. Gaining direct access to Pakistani police data would allow Beijing to evaluate the threat on its own. On the other hand, the India-linked activity aligns with a dispute that Islamabad and New Delhi have had for years. Pakistan has long accused India of backing Baloch militants, which India has denied, and New Delhi has its own interest in whatever Balochistan Police’s networks reveal about Islamabad’s handling of that insurgency.Advertisement. Scroll to continue reading. The researchers also found malicious files disguised as software updates planted directly on Balochistan Police’s public Complaint Management System, the portal residents use to file and track complaints. The fake update prompt would have hit anyone using the site, including officers and ordinary citizens. SentinelLabs linked the intrusion to a Chinese-speaking developer based on shared code patterns and artifacts found in related malware samples. Related: RATs in the Machine: Inside a Pakistan-Linked Three-Pronged Cyber Assault on India Related: Armored Likho APT Targeting Government, Electric Power Entities Related: China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Eduard Kovacs Microsoft Patches Defender ‘RoguePlanet’ VulnerabilityAI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old TechniqueGoogle Patches 382 Chrome VulnerabilitiesBlueHammer Vulnerability Exploited in Ransomware AttacksNissan Employee Data Breached in Oracle PeopleSoft HackNew Controller Flaws Expose Highway Signs and Billboards to Remote HackingWhatsApp Rolling Out Username Feature to Bolster Phone Number PrivacyInsurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack Latest News Okta Warns of Vishing Attacks Targeting Microsoft 365 CustomersGigaWiper Combines Multiple Malware for System-Level Sabotage‘HalluSquatting’ Turns AI Hallucinations Into Botnet Delivery MechanismNetwork of 200 GitHub Repositories Used for Malware InfectionQIZ Security Raises $17 Million for Cryptographic Governance PlatformUK Government Rolls Out Agentic AI Defense Plan Alongside Industry PledgePalo Alto Networks Patches 13 Vulnerabilities12 Million Impacted by Data Breach at Japanese Telco KDDI Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveBlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.Solana Foundation has appointed Michael Coates as Chief Information Security Officer.Michael Sikorski has joined Coinbase as Chief Information Security Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

  • malware — PlugX
  • malware — ShadowPad
  • malware — Cobalt Strike
  • malware — Remcos

Entities

China-linked cyberspies (threat_actor)India-linked activity (threat_actor)SentinelOne (vendor)SentinelLabs (product)