One Target, Two Flags Rival Espionage Actors Converge On Pakistani Law Enforcement

    Date: 07/10/2026

    Severity: High

    Summary

    Between 2024 and 2026, suspected China- and India-nexus threat actors targeted Pakistani law enforcement agencies. Attackers deployed malware like PlugX, ShadowPad, Cobalt Strike, and Remcos against Balochistan Police assets. Compromised systems included servers managing biometric data, national identity-linked registrations, and criminal records. A suspected Chinese actor also breached a public-facing web portal, deploying custom implants disguised as updates. This intense convergence of multiple cyberespionage actors highlights the high strategic value of the targeted institutions. The targeted data exposes Pakistan's internal security picture, border threats, and domestic law enforcement actions.

    Indicators of Compromise (IOC) List

    Domains/URLs

    https://cms.balochistanpolice.gov.pk/client%20scripts/cms_plugin.exe

    IP Address 

    142.171.183.8

    172.111.233.105

    172.111.233.12

    172.111.233.26

    172.111.233.36

    172.111.233.96

    172.94.9.19

    172.94.9.43

    172.94.9.49

    193.42.25.65

    41.216.188.140

    45.125.32.218

    45.74.6.17

    89.31.121.220

    Hash 

    000fad96a85dd6933c22d3dbec9aed47b7f1f066

    08570471f39bb6725f07b8cddbea99ed48c22686

    23f4766c011d193f076dfc735dc460e2a41ead79

    23f6781919a50b118d8d4e6a7e9ae63b71ecc885

    2bab40c55637398f0497cff9c8cbea564d595c7f

    4039454c9189e64285e93fc075a30b93f814b5b5

    47f8cb0c2dcf62702f58cfc1603d6325755f6820

    539bd79fbb684edea94eb37518134b97e94b9dd8

    58cb2d95063b9df807b7aa8dc106b74ce988a491

    5d60ff36ff519c2e13e7f66cfa0bb46be79592a7

    63b88d00331de88af696dfb7a896935d830e485f

    6fe2e74d009abbd56de01fd7404a1245e9b47c79

    71757adba833b46f961e840d0f055bcce0b529c4

    8c329db96e093fa25268e078405a33c518dbb5c9

    c6c197e61079a0a33108c2c87b5e3c7056a138ec

    d66ab0cd2e44dc8389c111b7ed34c7bcb0b35311

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "https://cms.balochistanpolice.gov.pk/client%20scripts/cms_plugin.exe" or url like "https://cms.balochistanpolice.gov.pk/client%20scripts/cms_plugin.exe" or siteurl like "https://cms.balochistanpolice.gov.pk/client%20scripts/cms_plugin.exe"

    Detection Query 2 :

    dstipaddress IN ("172.111.233.12","172.111.233.96","172.111.233.36","45.125.32.218","89.31.121.220","193.42.25.65","142.171.183.8","172.111.233.26","172.111.233.105","172.94.9.19","172.94.9.49","45.74.6.17","41.216.188.140","172.94.9.43") or srcipaddress IN ("172.111.233.12","172.111.233.96","172.111.233.36","45.125.32.218","89.31.121.220","193.42.25.65","142.171.183.8","172.111.233.26","172.111.233.105","172.94.9.19","172.94.9.49","45.74.6.17","41.216.188.140","172.94.9.43")

    Detection Query 3 :

    sha1hash IN ("8c329db96e093fa25268e078405a33c518dbb5c9","539bd79fbb684edea94eb37518134b97e94b9dd8","2bab40c55637398f0497cff9c8cbea564d595c7f","4039454c9189e64285e93fc075a30b93f814b5b5","63b88d00331de88af696dfb7a896935d830e485f","58cb2d95063b9df807b7aa8dc106b74ce988a491","c6c197e61079a0a33108c2c87b5e3c7056a138ec","23f6781919a50b118d8d4e6a7e9ae63b71ecc885","47f8cb0c2dcf62702f58cfc1603d6325755f6820","08570471f39bb6725f07b8cddbea99ed48c22686","6fe2e74d009abbd56de01fd7404a1245e9b47c79","71757adba833b46f961e840d0f055bcce0b529c4","d66ab0cd2e44dc8389c111b7ed34c7bcb0b35311","000fad96a85dd6933c22d3dbec9aed47b7f1f066","23f4766c011d193f076dfc735dc460e2a41ead79","5d60ff36ff519c2e13e7f66cfa0bb46be79592a7")

    Reference:    

    https://www.sentinelone.com/labs/one-target-china-india-espionage-converge-on-pakistani-law-enforcement/    


    Tags

    Cyber EspionageGovernment Services and FacilitiesMalwareChinaIndiaPakistanPlugXShadowPadCobalt StrikeREMCOSBalochistan

    « Previous Article

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags