One Target, Two Flags | Rival Espionage Actors Converge On Pakistani Law Enforcement

One Target, Two Flags | Rival Espionage Actors Converge On Pakistani Law Enforcement
SentinelLABS tracked China- and India-nexus intrusions against Pakistani law enforcement from February 2024 to April 2026, with Balochistan Police emerging as the main target and the CMS portal being turned into an implant delivery point. The activity involved PlugX, ShadowPad, Cobalt Strike, Remcos, AsyncRAT, TAG-179, and compromised infrastructure tied to sensitive police, citizen, and biometric records. #BalochistanPolice #TAG-179 #PlugX #ShadowPad #CobaltStrike #Remcos #AsyncRAT #CPEC

Keypoints

  • Balochistan Police was the primary victim, with intrusions spanning network appliances and servers hosting sensitive web applications from 2024 to 2026.
  • Compromised systems stored or managed criminal records, biometric data, personnel records, hotel and tenant registrations, stolen vehicle data, and citizen complaints.
  • Suspected China-nexus and India-nexus actors converged on the same Pakistani law enforcement targets, indicating high intelligence value.
  • Four C2 activity clusters were identified: PlugX, ShadowPad, Cobalt Strike, and Remcos.
  • A suspected China-nexus actor compromised the Balochistan Police Complaint Management System and deployed implants disguised as a portal update.
  • The CMS compromise affected both police staff and citizens, giving the attacker a potential foothold into internal networks and surveillance access to complainants.
  • The TAG-179 cluster, linked to India-nexus activity, used lure files tied to Pakistani repatriation and police coordination themes.

MITRE Techniques

  • [T1056.001] Keylogging – Not explicitly described as keylogging, but the CMS compromise and credential exposure suggest collection of login data via access to stolen credentials (‘stolen login credentials for the portal’).
  • [T1071.001] Web Protocols – The implants and C2 traffic used web-based communications and portal paths for delivery and control (‘downloads a payload’, ‘posts to /Complaint/PublicSearch’).
  • [T1105] Ingress Tool Transfer – The Rust cms_plugin.exe stager downloaded the next stage from attacker infrastructure (‘downloads a payload from 193.42.25[.]65 and executes it’).
  • [T1055] Process Injection – The .NET implant reflectively loaded an AsyncRAT assembly, consistent with code injection/loading behavior (‘it reflectively loads an assembly implementing an AsyncRAT client’).
  • [T1218] System Binary Proxy Execution – The malicious file masqueraded as a legitimate security component to evade suspicion (‘masquerades as 360Safe.exe’).
  • [T1036] Masquerading – Multiple files and messages were designed to appear as legitimate portal updates or software (‘Update Complete! Please refresh the page’, ‘masquerades as 360Safe.exe’).
  • [T1204.002] Malicious File – The implant was hosted as an executable on the CMS portal and intended for victims to run (‘cms_plugin.exe’).
  • [T1566.001] Spearphishing Attachment – TAG-179 lure files were used to entice victims with themed decoy documents (‘Lure file’, ‘decoy document posing as an operational plan’).
  • [T1587.001] Develop Capabilities: Malware – The article details custom implants and staged payloads built for the operation (‘custom implants’, ‘two variants of an implant named cms_plugin.exe’).

Indicators of Compromise

  • [SHA-1 Hashes ] TAG-179 lure files and backdoor components – 000fad96a85dd6933c22d3dbec9aed47b7f1f066, 23f6781919a50b118d8d4e6a7e9ae63b71ecc885, and 6 more hashes
  • [SHA-1 Hashes ] cms_plugin.exe samples and related loaders – 4039454c9189e64285e93fc075a30b93f814b5b5, 58cb2d95063b9df807b7aa8dc106b74ce988a491, and 1 more hash
  • [IP Addresses ] C2 servers for PlugX, ShadowPad, Cobalt Strike, Remcos, and AsyncRAT – 172.111.233[.]36, 45.125.32[.]218, and other 11 items
  • [IP Addresses ] Cobalt Strike / implant infrastructure – 193.42.25[.]65, 41.216.188[.]140, and other 0 items
  • [URL ] CMS implant-hosting location – https[://]cms.balochistanpolice[.]gov[.]pk/client%20scripts/cms_plugin.exe
  • [File Names ] Malicious and lure filenames referenced in the campaign – cms_plugin.exe, and 2 more file names


Read more: https://www.sentinelone.com/labs/one-target-china-india-espionage-converge-on-pakistani-law-enforcement/