Research from SentinelOne’s SentinelLabs threat intelligence unit has revealed that cyberespionage groups linked to both China and India spent over two years quietly infiltrating Pakistani law enforcement networks, with Balochistan Police absorbing the bulk of the intrusions.
According to the findings, the campaign ran from February 2024 through April 2026 and hit several Pakistani police organizations. Attackers reached servers tied to biometric databases, criminal case files, personnel records, and citizen-facing portals.
SentinelLabs grouped the activity into four clusters based on distinct malware and infrastructure:
- PlugX
- ShadowPad
- Cobalt Strike
- Remcos
The researchers noted that clusters relying on shared or commodity malware may involve more than one operator, unlike the Remcos-based activity, which they tied to a single tracked actor.
Two Rivals, One Target
The presence of China-linked operators inside the security apparatus of one of Beijing’s closest regional partners is notable. SentinelLabs assesses the likely motive as self-interest: Chinese nationals working on Belt and Road infrastructure projects in Pakistan have repeatedly been targeted in attacks tied to Baloch separatist militants, and Chinese officials have publicly criticized Islamabad’s ability to protect them. Direct access to Pakistani police data would let Beijing independently assess that threat rather than rely on Islamabad’s reporting.
The India-linked activity tracks a longer-running dispute. Pakistan has accused India for years of backing Baloch militants, an allegation New Delhi denies. India would have its own interest in understanding how Balochistan Police’s networks characterize and respond to the insurgency.
Compromised Complaint Portal
SentinelLabs also found malicious files disguised as software updates planted directly on Balochistan Police’s public Complaint Management System, the portal residents use to file and track complaints. The fake update prompt would have been served to anyone visiting the site, including officers and ordinary citizens, not just targeted individuals.
The researchers linked that particular intrusion to a Chinese-speaking developer based on shared code patterns and artifacts found across related malware samples.
The findings illustrate how regional cyber rivalries can converge on the same soft target, with a provincial police force’s infrastructure serving as a proxy battleground for two separate nation-state intelligence interests.
