Full Report
China and India ran separate espionage operations against the same Pakistani police force, each drawn by different stakes in Pakistan's internal security.
Analysis Summary
This report summarizes the findings of SentinelLABS regarding the convergence of suspected Chinese and Indian cyberespionage actors targeting Pakistani law enforcement between 2024 and 2026.
# Threat Actor: Suspected China-nexus & India-nexus Actors
## Attribution & Identity
The activity involves two distinct clusters:
* **China-nexus Actor:** Associated with high-end Chinese espionage tools. Associated groups mentioned include **TAG-179** (implied link to custom implant development).
* **India-nexus Actor:** Associated with the use of commodity and offensive security tools (Cobalt Strike, Remcos, AsyncRAT).
## Activity Summary
From February 2024 to April 2026, both actors conducted sustained operations against several Pakistani law enforcement organizations. The primary focus was the **Balochistan Police**.
* **Chinese Activity:** Focused on deep persistence within police web applications to monitor internal security data.
* **Indian Activity:** Focused on broader Balochistan provincial security posture, likely tied to regional geopolitical rivalries and counter-militancy tracking.
## Tactics, Techniques & Procedures
* **Malicious Updates:** Weaponizing legitimate web applications by planting implants masquerading as portal updates (cms_plugin.exe).
* **Side-Loading:** Traditional techniques to execute backdoors.
* **Lateral Movement:** Use of Cobalt Strike for post-exploitation.
* **Identity Masquerading:** Using lure files to trick personnel into executing malicious code.
**MITRE ATT&CK IDs referenced/implied:**
* **T1195.002:** Compromise Software Supply Chain (masquerading as portal updates)
* **T1071.001:** Application Layer Protocol: Web Protocols
* **T1574.002:** DLL Side-Loading
* **T1059:** Command and Scripting Interpreter
## Targeting
* **Sectors:** Law Enforcement, Internal Security, Government.
* **Geography:** Pakistan (specifically Balochistan province).
* **Victims:** Balochistan Police, several other unnamed Pakistani law enforcement organizations.
* **Data Targeted:** Biometric records, criminal case files, hotel/tenant registrations, personnel records, and national identity linkage data.
## Tools & Infrastructure
### Malware Families
* **PlugX & ShadowPad:** Historically associated with Chinese Ministry of State Security (MSS) operations.
* **Custom Backdoors:** Specifically attributed to TAG-179.
* **Offensive Security/Commodity Tools:** Cobalt Strike, Remcos RAT, AsyncRAT.
### Infrastructure
* **C2 IPs (Defanged):**
* 172.111.233[.]105, 172.111.233[.]12, 172.111.233[.]26, 172.111.233[.]36, 172.111.233[.]96 (PlugX)
* 172.94.9[.]19, 172.94.9[.]43, 172.94.9[.]49 (PlugX)
* 45.125.32[.]218 (ShadowPad)
* 142.171.183[.]8, 193.42.25[.]65 (Cobalt Strike)
* 89.31.121[.]220 (Remcos)
* 41.216.188[.]140 (AsyncRAT)
* **Compromised Host:**
* hxxps[://]cms.balochistanpolice[.]gov[.]pk/client%20scripts/cms_plugin.exe (Implant hosting)
## Implications
* **Chinese Interests:** Beijing likely views Pakistani counter-militancy as insufficient to protect Chinese nationals (CPEC workers). By compromising police systems, China can independently assess threats to its citizens rather than relying on Pakistani intelligence.
* **Indian Interests:** Access to Balochistan Police data allows India to monitor Pakistan's internal security posture in a region central to mutual accusations of cross-border militancy.
* **Strategic Convergence:** When two rival powers target the same entity, it signals the critical value of the data (biometrics and criminal records) as a "ground truth" for regional security.
## Mitigations
* **Application Integrity:** Implement code signing and rigorous integrity checks for all internal government portals and citizen-facing web applications.
* **Network Segmentation:** Isolate servers hosting sensitive biometric and criminal databases from general internet-facing portals.
* **Supply Chain Security:** Monitor for unauthorized changes or new executable files appearing in "client script" or "update" directories of web servers.
* **IOC Monitoring:** Proactively block and hunt for the defanged IP addresses and hashes associated with PlugX and ShadowPad within governmental networks.