Full Report
A suspected China-linked threat actor turned a Pakistani police complaint portal used by ordinary citizens into a malware delivery mechanism — one piece of a two-year parallel campaign in which hacking groups tied to both China and India independently infiltrated the same law enforcement force, accessing biometric records, criminal case files, and citizen complaint data…
Analysis Summary
# Threat Actor: Unnamed China-linked Actor (Suspected)
*Note: This summary focuses on the China-linked element of the dual-nation campaign described in the article.*
## Attribution & Identity
- **Primary Attribution:** Suspected China-linked nation-state threat actor.
- **Associated Groups:** Analysis suggests a "parallel campaign" involving both Chinese and Indian-linked groups (the latter often associated with groups like Sidewinder or Patchwork, though not explicitly named in the snippet).
- **Identity Confidence:** Moderate-High (based on the use of hallmark malware and regional geopolitical focus).
## Activity Summary
- **Campaign Name:** "One Target, Two Flags" (SentinelLABS).
- **Timeline:** Activities recorded between February 2024 and April 2026.
- **Operations:** The actor weaponized a legitimate Pakistani police complaint portal used by civilians to deliver malware. This was part of a two-year infiltration of law enforcement institutions to exfiltrate sensitive national databases.
## Tactics, Techniques & Procedures
- **Watering Hole / Strategic Web Compromise:** Weaponizing a public police complaint portal to deliver malware payloads to both officers and civilians.
- **Parallel Intrusion:** Operating independently but simultaneously within the same victim network as competing nation-state actors (India-linked).
- **Data Exfiltration:** Focused on accessing citizen complaint data, biometric records, and criminal case files.
- **Malware Deployment:** Systematic use of modular remote access trojans (RATs) for persistent surveillance.
## Targeting
- **Sectors:** Law Enforcement, Government, Public Services.
- **Geography:** Pakistan (specifically focusing on Balochistan).
- **Victims:**
- Balochistan Police (Principal target).
- Four total Pakistani policing institutions.
- Ordinary citizens utilizing the police portal.
## Tools & Infrastructure
- **Malware Families:**
- **PlugX:** Modular RAT frequently associated with Chinese intelligence.
- **ShadowPad:** A high-value evolution of PlugX used by several Chinese MSS-linked actors.
- **Cobalt Strike:** Commercial penetration testing framework used for lateral movement.
- **Remcos:** Commercial RAT often used for initial surveillance.
- **Infrastructure:** Leveraged the official Pakistani police portal (compromised) as a delivery mechanism.
## Implications
- **Intelligence Convergence:** The simultaneous targeting of the same institution by rival powers (China and India) highlights the immense intelligence value of centralized law enforcement data.
- **Civilian Risk:** By weaponizing a public portal, the actor moved beyond traditional espionage into targeting the general populace, potentially for monitoring dissidents or tracking individuals of interest.
- **Strategic Sensitivity:** Balochistan is a region of high strategic interest for both China (due to CPEC/Belt and Road Initiative) and India, making the law enforcement data there a priority intelligence requirement.
## Mitigations
- **Application Integrity:** Implement rigorous file integrity monitoring (FIM) and code signing for public-facing web applications to detect unauthorized modifications.
- **Database Hardening:** Employ strict access controls and encryption for biometric and criminal record databases, ensuring MFA is required for all administrative access.
- **Network Segmentation:** Isolate public-facing portals from internal law enforcement networks holding sensitive investigative files.
- **Threat Hunting:** Conduct proactive hunts for common China-linked artifacts (e.g., specific DLL side-loading techniques associated with PlugX).