[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzNPjYi3ArmjjoCtiaxFUd0NEP0A2RUI99lPKy1YC_So":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"4b239426-21e0-4fc5-9c1b-6f899db3e255","Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns","hackers-weaponize-balochistan-police-portal-in-multi-group-espionage-campaigns-5a7828","Cybersecurity researchers have disclosed details of sustained cyber espionage activity against several Pakistani law enforcement organizations undertaken by suspected China- and India-aligned threat actors between February 2024 and April 2026. \"At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and","Suspected China- and India-aligned threat actors have engaged in sustained cyber espionage against Pakistani law enforcement organizations between February 2024 and April 2026. The attackers compromised web applications managing sensitive police and citizen data, deploying custom implants and utilizing malware families like PlugX, ShadowPad, Cobalt Strike, and Remcos RAT. The campaigns targeted multiple police departments and authorities, with victimology suggesting state-sponsored activity.","Hackers weaponize Balochistan Police portal in multi-group espionage campaigns targeting Pakistani law enforcement.","Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns Ravie LakshmananJul 11, 2026Threat Intelligence \u002F Cyber Espionage Cybersecurity researchers have disclosed details of sustained cyber espionage activity against several Pakistani law enforcement organizations undertaken by suspected China- and India-aligned threat actors between February 2024 and April 2026. \"At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and biometric records,\" Aleksandar Milenkoski, principal threat researcher at SentinelOne SentinelLABS, said in a report published this week. The activity targeted network appliances and servers hosting web applications that manage biometric records, hotel and tenant registrations linked to national identity records, criminal case files, and personnel records. The China-nexus threat actor is also said to have compromised one of these web applications to deploy a custom implant masquerading as a portal update. The application in question, named Complaint Management System (CMS), serves police staff and citizens, thereby putting both categories of users within the attacker's orbit. SentinelOne said it detected compromised infrastructure associated with several other Pakistani law enforcement organizations, including the Khyber Pakhtunkhwa Police, the Islamabad Police, and the Punjab Safe Cities Authority (PSCA). Four different threat clusters have been flagged, each deploying a unique malware family: PlugX, ShadowPad, Cobalt Strike, and Remcos RAT. The use of Remcos RAT has been linked to an India-nexus threat actor, while the PlugX, ShadowPad, and Cobalt Strike clusters are built on shared or commodity tooling and may each involve more than one operator. That having said, the deployment of both PlugX and ShadowPad, the latter of which is considered a successor to PlugX, is traditionally associated with Chinese nation-state hacking groups. \"The victimology we observed for PlugX (between 27 February and 28 September 2024) and ShadowPad (between 3 August and 1 December 2024) reinforces this assessment,\" the cybersecurity company said. \"Beyond Pakistani law enforcement, victimology for PlugX and ShadowPad includes government, foreign affairs, defense, nongovernmental, and research entities across South, Southeast, Central, and East Asia, the Arabian Peninsula, and Southeast Europe, consistent with China-aligned collection.\" The Remcos-related intrusion set is assessed to share infrastructure and tactical overlaps with a hacking group known as Mysterious Elephant (aka APT-C-08, APT-K-47, and TAG-179), which, in turn, has commonalities with India-nexus adversaries such as SideWinder, Confucius, and Bitter. Attack chains have been found to employ lures related to Pakistani law enforcement, displaying a decoy document that purports to contain an operational plan for the repatriation of illegal foreigners, including Afghan Citizen Card (ACC) holders. The Cobalt Strike activity cluster's ties to China-nexus threat actors is based on the fact that traffic to the attacker-controlled command-and-control (C2) server (\"142.171.183[.]8\") extends beyond Pakistani law enforcement to government, academic, telecommunications, and non-governmental entities across South, East, and Southeast Asia, the Middle East, and South America – a victimology profile consistent with China-aligned hackers. Among those targeted are Tibetan Buddhist organizations in Taiwan, which have long been targeted by China for cyber espionage. Further examination of the activity aimed at Balochistan Police has uncovered the compromise of the following assets that took place between June 2, 2024, and April 9, 2026 - Two network appliances Web servers hosting several Balochistan Police web applications associated with the Smart Police Station digitalization initiative A Fortinet FortiMail appliance that had served as the agency's primary inbound email gateway One of the infected applications is the Complaint Management System (\"cms.balochistanpolice.gov[.]pk\"), which is used for registering, tracking, and resolving citizen complaints. Two distinct variants of an implant called \"cms_plugin.exe\" have been uploaded to the site in connection with the operation - A Rust stager that's designed to download an additional payload from \"193.42.25[.]65\" and execute it. The exact nature of the next stage is unknown, but the samples display a message \"Update Complete! Please refresh the page\" upon execution, mimicking a CMS portal update. A .NET executable that masquerades as \"360Safe.exe,\" a legitimate binary used by Qihoo 360 Total Security, to reflectively load an assembly implementing an AsyncRAT client. The activity is notable because it has drawn both a \"partner and an adversary of Pakistan\" to the same victim for intelligence gathering, likely fueled by geopolitical motives. \"When multiple cyberespionage actors operate against law enforcement institutions of a single state, the convergence itself is a signal of target value,\" Milenkoski explained. \"What draws them is a particular kind of institution: one that holds the government’s internal security picture, what it knows about the threats inside its borders, and how it acts against them.\" \"The compromise of the Complaint Management System web application adds a second dimension to the activity against Balochistan Police, extending the threat actor's reach beyond the initially compromised environment. By hosting implants in a portal used by both citizens and law enforcement personnel, the threat actor turned a tool built to make policing in Pakistan more accessible and accountable to the public into a malware delivery mechanism.\" Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Advanced Persistent Threat, cyber espionage, data security, email security, Government security, Malware, Nation-State, network security, Threat Intelligence, Web Security ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP\u002F3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New \"Bad Epoll\" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fhackers-weaponize-balochistan-police.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEimRVwRIhs54UhNHyRll9YzVxICmTpgqwjAK1Sy7vYt6FAzb9oImcFpuM0J8dOWdtdjCdlROkternhP9r5jZD9HNvwVwcyRzhesdYgbVjUpJk7p4rxDDJSdEUibs1Gk-Ihy1bTcxs8fA7kgG49ImfTWEZO6068Ui-_X6sTTraCg8lFuucYJrUJi2RhdXyG2\u002Fs1600\u002Fpakistan.jpg","2026-07-11T17:49:31+00:00","2026-07-11T20:00:18.781782+00:00",9,[18,21,23,25,27,29],{"name":19,"type":20},"Mysterious Elephant","threat_actor",{"name":22,"type":20},"APT-C-08",{"name":24,"type":20},"APT-K-47",{"name":26,"type":20},"TAG-179",{"name":28,"type":20},"SideWinder",{"name":30,"type":20},"Confucius","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":31,"icon":33,"name":34,"slug":35},null,"Nation-state","nation-state",[37,39,44],{"category":38},{"id":31,"icon":33,"name":34,"slug":35},{"category":40},{"id":41,"icon":33,"name":42,"slug":43},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":45},{"id":46,"icon":33,"name":47,"slug":48},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[50,54,57,60,62],{"type":51,"value":52,"context":53},"ip","142.171.183.8","Command-and-control (C2) server used by Cobalt Strike activity cluster.",{"type":43,"value":55,"context":56},"PlugX","Malware family deployed by China-nexus threat actors.",{"type":43,"value":58,"context":59},"ShadowPad","Malware family deployed by China-nexus threat actors, successor to PlugX.",{"type":43,"value":61,"context":56},"Cobalt Strike",{"type":43,"value":63,"context":64},"Remcos RAT","Malware family linked to an India-nexus threat actor."]