Suspected state-linked hackers from China and India carried out separate breaches into the networks of the same Pakistani police force more than two years apart, according to a report published Thursday by cybersecurity firm SentinelLabs, which found one group planting malware inside the public-facing portal that citizens use to file complaints against police.
SentinelLabs said it tracked four separate hacking campaigns against Pakistani law enforcement agencies between February 2024 and April 2026. The four reached police in Balochistan, Pakistan’s largest province by area and home to a long-running separatist insurgency.
Three other agencies were also affected with little detail available: Khyber Pakhtunkhwa Police, Islamabad Police, and the Punjab Secure Cities Authority, an autonomous body that runs command, control and communication systems for police in major cities of Punjab.
The researchers said the overlap is meaningful in itself. When multiple cyberespionage actors – hackers conducting long-term intelligence collection on behalf of a state – target a country’s law enforcement, “convergence itself is indicative of target value,” the report said.
What was killed?
Infiltration reached four layers Balochistan Police systems, and evidence, become less certain the deeper the violation becomes.
At the outer layer, the hackers had confirmed contact with two network devices and an email gateway – the system that filters and routes a network’s incoming and outgoing mail. The email gateway was not the force’s primary inbound system at the time, but was connected, and the researchers said it “can continue to process outbound or internal mail relay traffic.”
Deeper, the hackers accessed servers hosting seven applications created under an EU-backed program to digitalize Balochistan policing: personnel records, stolen-vehicle tracking, hotel guest registration linked to national ID records, fingerprint-matching criminal records, landlord-tenant registration, case filing (also known as First Information Report or FIR), and citizen complaints.
For six of those seven – everything except the citizen complaint system – SentinelLabs’ evidence stops at server access. The report details what level of data hackers were able to access – personnel files, criminal case records, biometric data, stolen-vehicle records, hotel and tenant registrations, while also, the report said, offering “comprehensive visibility” into how Balochistan police work, what it can do, and what it knows – but there is no evidence that the data was actually accessed or extracted.
the deepest violation
The seventh application, the complaint management system (CMS), is where the intrusion went the furthest. It is a separate platform from the FIR system, which is used to lodge citizen complaints, ranging from reports of crimes and lost documents to complaints against police officers. The hackers gained write access to a live folder on the portal and uploaded two malware files as regular updates. One displayed the message “Update complete! Please refresh the page” upon execution, mimicking the portal.
Designed to infect anyone who uses the portal – police employees or citizens interacting with the CMS – the implant was intended to give the attacker a foothold in some way: a way to enter the police network through an employee’s machine, or a way to compromise a citizen’s device after filing a complaint against the police.
Separately, stolen login credentials for the portal’s staff-side interface, retrieved from what the industry calls infostealer logs — aggregated passwords that a class of malware quietly collects from infected machines and later sells or leaks on the dark web — show consistent naming patterns by the police station. This is evidence of who uses the system, although it has nothing to do with how the implant spreads. The infection findings mark the deepest confirmed reach of any of the four missions.
Here too, the researchers noticed an aspect that they could not determine. One of the malware files was a “Stagger” – a small first-stage program, written in the Rust programming language, whose sole job was to download the payload of the second stage, the actual harmful software meant to pull down an initial infection. The researchers “could not retrieve the next step at the time of analysis.” The report notes no confirmed cases of actual infection or data theft.
What is the evidence?
The report is based on an analysis of “command-and-control”, or C2, traffic – communications between infected machines and remote servers used by hackers to issue instructions. That data shows which infrastructure affected Pakistani police networks and when. Linking that infrastructure to specific hackers provides evidence of disproportionate power.
The weakest is the tooling: These are malware families such as “PlugX” and “ShadowPad” – backdoors, or malware designed to give hackers persistent hidden access to infected machines, shared among “several” suspected China-linked groups. This points to a broader camp rather than a single operator, but one that almost certainly China-Joined together.
Several samples also contained Chinese words written in the Roman alphabet, and one included log messages in Simplified Chinese, pointing to a Chinese-speaking developer behind the tool.
Researchers also examine the work of rival vendors, who often track the same activity under different code names, to test whether different observers are describing one group or several.
who were the hackers
SentinelLabs did not name specific hacking groups. It sorted the intrusions into four groups by malware family and assessed with varying confidence what each state’s interests matched.
Three clusters – built on malware called PlugX, Shadowpad and Cobalt Strike – have been assessed as being linked to China. The findings for PlugX and Shadowpad are based primarily on tooling. Cobalt Strike is different: it is a commercial software originally sold to corporate security teams to stress-test their defenses, but is widely misused by hackers, and has no built-in features.
The Cobalt Strike findings, which include a CMS breach, are rated only “medium confidence”. The researchers instead point to a pattern of previous targets — including a Tibetan Buddhist organization in Taiwan, a longtime target of Chinese state espionage — by one of the cluster’s two command servers that have been attributed to potential Chinese actors. CMS traces the cluster’s other servers, which the report says have been reported only to the Balochistan Police; Attribution depends on the clustering of that server within the broader cluster and the developer fingerprint above, and not on evidence linking it to Tibet.
Read this also Pakistan vows to ‘hunt down and kill’ after 42 terrorists killed in Balochistan in four days
The fourth cluster, built on malware called Remcos, is believed to be linked to India and linked to another cybersecurity company – Recorded Future Group – which tracks as TAG-179. SentinelLabs said the group’s methods “overlap to varying degrees” with two others named separately by rival trackers – Russian cybersecurity firm Kaspersky’s “Mysterious Elephant” and Chinese firm Qihoo 360’s “APT-C-08”, also known as “Bitter” – a partial match, not confirmation, as all three describe a group.
why balochistan
For China, researchers pointed to the safety of Chinese citizens working on Belt-and-Road projects – Beijing’s global infrastructure program, which flows into Pakistan via the China-Pakistan Economic Corridor (CPEC). Some previous attacks on Chinese civilians have been claimed by the Baloch separatist group Balochistan Liberation Army; The report cites the Karachi airport bombing in October 2024 and a suicide bombing in northwestern Pakistan in March 2024 as notable examples, without specifying which group claimed responsibility. China’s ambassador to Pakistan called the attacks “unacceptable” in October, warning that the security situation was the main obstacle to CPEC.
Pakistan long accused India Supporting the Baloch insurgency, the BLA was described as an “Indian proxy” – reports Islamabad “has not publicly confirmed” and India denies. For potential hackers linked to India, the operational record of the Balochistan police could provide a window into the conflict at the heart of that standoff. Reuters reported that the Indian Embassy in Washington and Balochistan police officials did not respond to requests for comment on the SentinelLabs report.
What is unknown?
The final payload of the CMS intrusion – which the Rust stager was created to deliver – was never recovered. The suspicious campaign linked to India was still active as of April 2026, the most recent date in the report. And the January 2026 agreement between Chinese and Pakistani security officials to deepen counterterrorism cooperation made no public mention of the cyber intrusion recorded here.







