SUspected state-linked hackers from communist china and republic of india separately bust into the same Pakistani police ram force’s networks over more than two years, according to a report published on Thursday by cybersecurity firm SentinelLABS, which found one group planting malware inside a public-facing portal citizens use to lodge complaints against police.SentinelLABS said it tracked four distinct hacking campaigns against Pakistani law enforcement agencies between February 2024 and April 2026. All four reached Balochistan Police, the force serving Pakistan’s largest province by area and home to a long-running separatist insurgency.Three other agencies were also hit, with less detail available: Khyber Pakhtunkhwa Police, Islamabad Police, and the Punjab Safe Cities Authority, an autonomous body running command, control and communication systems for police in major Punjab cities.Researchers said the overlap itself is meaningful. When multiple cyberespionage actors — hackers conducting long-term intelligence collection on behalf of a state — target one country’s law enforcement, “the convergence itself is a signal of target value,” the report said.What was hit?The intrusions reached four layers of Balochistan Police’s systems, and the evidence becomes less certain the deeper the breach goes.At the outer layer, hackers had confirmed contact with two network appliances and an email gateway — the system that filters and routes a network’s incoming and outgoing mail. The email gateway was no longer the force’s primary inbound system at the time but remained connected, and researchers said it “may have continued to process outbound or internal mail relay traffic.”Deeper in, hackers reached servers hosting seven applications built under an EU-supported programme to digitise Balochistan policing: personnel records, stolen-vehicle tracking, hotel guest registration linked to national ID records, fingerprint-matched criminal records, landlord-tenant registration, case filings (also known as First Information Reports, or FIRs), and citizen complaints.For six of those seven — everything but the citizen complaints system — SentinelLABS’s evidence stops at server access. The report describes what data hackers could have reached with that level of access — personnel files, criminal case records, biometric data, stolen-vehicle records, hotel and tenant registrations, together, the report said, offering “broad visibility” into how Balochistan Police operates, what it can do, and what it knows — but had no evidence that the data was indeed accessed or taken out.The deepest breachThe seventh application, the Complaint Management System (CMS), is where the intrusion went furthest. It is a separate platform from the FIR system, used for registering citizen complaints, from reports of crime and lost documents to complaints against police officers. Hackers got write access to a live folder on the portal and uploaded two malware files disguised as a routine update. One displayed the message “Update Complete! Please refresh the page” on execution, mimicking the portal itself.Built to infect whoever used the portal — police staff or citizens interacting with the CMS — the implants were meant to give the attacker a foothold either way: a way into police networks through a staffer’s machine, or a way to compromise a citizen’s device after they filed a complaint against police.Separately, stolen login credentials for the portal’s staff-side interface, recovered from what the industry calls infostealer logs — harvested password troves that a category of malware quietly collects from infected machines and later sells or leaks on the dark web — show a consistent naming pattern by police station. That is evidence of who uses the system, though not connected to how the implants spread. The infection findings mark the deepest confirmed reach of any of the four campaigns.Even here, the researchers note one aspect they could not determine. One of the malware files was a “stager” — a small first-stage program, written in the Rust programming language, whose only job was to download a second-stage payload, the actual harmful software an initial infection is meant to pull down. Researchers “could not retrieve the next stage at the time of analysis.” The report documents no confirmed case of an actual infection or data theft.What’s the evidence?The report rests on analysis of “command-and-control”, or C2, traffic — communication between infected machines and the remote servers hackers use to issue instructions. That data shows which infrastructure touched Pakistani police networks, and when. Linking that infrastructure to specific hackers draws on evidence of uneven strength.The weakest is tooling: these are malware families such as those called “PlugX” and “ShadowPad” — backdoors, or malware built to give hackers persistent hidden access to infected machines, “shared among multiple” suspected China-linked groups. That points to a broad camp rather than one operator, but a camp that almost certainly is China-linked.Several samples also carried Chinese words spelled in the Roman alphabet, and one included log messages in simplified Chinese, together pointing to a single Chinese-speaking developer behind the tools.Researchers also cross-check work by rival vendors, who often track the same activity under different code names, to test whether separate observers are describing one group or several.Who were the hackersSentinelLABS did not name specific hacking groups. It sorted the intrusions into four clusters by malware family and assessed, with differing confidence, which state’s interests each aligns with.Three clusters — built on malware called PlugX, ShadowPad and Cobalt Strike — are assessed as China-linked. The PlugX and ShadowPad findings rest mainly on tooling. Cobalt Strike is different: it is commercial software originally sold to corporate security teams for stress-testing their own defences, but widely misused by hackers, and it carries no attribution built in.The Cobalt Strike finding, which includes the CMS breach, is therefore rated only “medium confidence.” Researchers instead point to a pattern of past targets — including Tibetan Buddhist organisations in Taiwan, a long-standing target of Chinese state espionage — hit by one of the cluster’s two command servers to ascribe it to potential Chinese actors. The CMS compromise traces to the cluster’s other server, which the report says communicated only with Balochistan Police; its attribution rests on that server’s grouping within the wider cluster and on the developer fingerprint above, not on the Tibet-linked evidence.Also Read | Pakistan vows to 'hunt and kill' militants after 42 killed in Balochistan in four daysThe fourth cluster, built on malware called Remcos, is assessed as India-linked and tied to a group Recorded Future — another cybersecurity company — tracks as TAG-179. SentinelLABS said the group’s methods “overlap to varying degrees” with two others named separately by rival trackers — Russian cybersecurity firm Kaspersky’s “Mysterious Elephant” and Chinese firm Qihoo 360’s “APT-C-08,” also called “Bitter” — a partial match, not confirmation, all three describe one group.Why BalochistanFor China, researchers pointed to the safety of Chinese nationals working on Belt-and-Road projects — Beijing’s global infrastructure programme, which in Pakistan flows through the China-Pakistan Economic Corridor (CPEC). Some past attacks on Chinese nationals have been claimed by the Balochistan Liberation Army, a Baloch separatist group; the report cites an October 2024 bombing at Karachi’s airport and a March 2024 suicide bombing in northwestern Pakistan as notable examples, without specifying which group claimed either. China’s ambassador to Pakistan called the attacks “unacceptable” that October, warning the security situation was the main obstacle to CPEC.Pakistan has long accused India of backing the Baloch insurgency, describing the BLA as an “Indian proxy” — a charge the report says Islamabad “has not publicly substantiated,” and that India denies. For potential India-linked hackers, Balochistan Police’s operational record could offer a window into a conflict central to that standoff. Reuters reported that the Indian embassy in Washington and the Balochistan police authorities did not respond to requests for comment on the SentinelLABS report.What’s unknown?The CMS intrusion’s ultimate payload — what the Rust stager was built to fetch — was never recovered. The suspected India-linked campaign was still active as of April 2026, the most recent date in the report. And a January 2026 agreement between Chinese and Pakistani security officials to deepen counterterrorism cooperation made no public mention of the cyber intrusions documented here.
Global News Perspectives
In today's interconnected world, staying informed about global events is more important than ever. ZisNews provides news coverage from multiple countries, allowing you to compare how different regions report on the same stories. This unique approach helps you gain a broader and more balanced understanding of international affairs. Whether it's politics, business, technology, or cultural trends, ZisNews ensures that you get a well-rounded perspective rather than a one-sided view. Expand your knowledge and see how global narratives unfold from different angles.
Customizable News Feed
At ZisNews, we understand that not every news story interests everyone. That's why we offer a customizable news feed, allowing you to control what you see. By adding keywords, you can filter out unwanted news, blocking articles that contain specific words in their titles or descriptions. This feature enables you to create a personalized experience where you only receive content that aligns with your interests. Register today to take full advantage of this functionality and enjoy a distraction-free news feed.
Like or Comment on News
Stay engaged with the news by interacting with stories that matter to you. Like or dislike articles based on your opinion, and share your thoughts in the comments section. Join discussions, see what others are saying, and be a part of an informed community that values meaningful conversations.
Download the Android App
For a seamless news experience, download the ZisNews Android app. Get instant notifications based on your selected categories and stay updated on breaking news. The app also allows you to block unwanted news, ensuring that you only receive content that aligns with your preferences. Stay connected anytime, anywhere.
Diverse News Categories
With ZisNews, you can explore a wide range of topics, ensuring that you never miss important developments. From Technology and Science to Sports, Politics, and Entertainment, we bring you the latest updates from the world's most trusted sources. Whether you are interested in groundbreaking scientific discoveries, tech innovations, or major sports events, our platform keeps you updated in real-time. Our carefully curated news selection helps you stay ahead, providing accurate and relevant stories tailored to diverse interests.
No comments yet.