The Geopolitical Crosshairs Targeting Pakistani Police Data
Sustained cyber espionage campaigns weaponize local law enforcement systems to harvest sensitive citizen data and security records.
Modern digital portals designed to connect the public with state services can easily transform into geopolitical playgrounds. In Pakistan, local law enforcement digitalization has exposed highly sensitive domestic data. Between February 2024 and April 2026, sustained cyber espionage campaigns targeted Pakistani law enforcement, highlighting how multiple nation-state threat actors linked to regional rivals systematically compromised systems holding sensitive criminal registries, biometric information, and state intelligence records.
Public safety databases are lucrative intelligence targets. Historically, law enforcement systems hold highly structured, personal data about citizens and ongoing investigations. In highly contested regions, such databases provide intelligence agencies with deep visibility into a neighbor's internal security apparatus. Unfortunately, modernizing civic tools via web portals often prioritizes operational efficiency over rigorous security controls, creating attractive avenues for threat actors seeking long-term network persistence.
The intrusions highlighted a rare overlap of distinct cyber espionage campaigns operating in the same territory. "At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and biometric records," Aleksandar Milenkoski, principal threat researcher at SentinelOne SentinelLABS, said in a report published this week. The breach compromised Balochistan Police assets between June 2, 2024, and April 9, 2026, including two network appliances, web servers, and a Fortinet FortiMail appliance. Attackers hijacked the Complaint Management System (cms.balochistanpolice.gov[.]pk), uploading two cms_plugin.exe variants. One Rust stager downloaded payloads from 193.42.25[.]65, mimicking an "Update Complete! Please refresh the page" message, while a .NET binary masqueraded as 360Safe.exe (from Qihoo 360 Total Security) to launch AsyncRAT. Researchers also found compromised nodes in the Khyber Pakhtunkhwa Police, Islamabad Police, and Punjab Safe Cities Authority (PSCA). Four clusters deployed PlugX, ShadowPad, Cobalt Strike, and Remcos RAT. Remcos, linked to India-nexus actor Mysterious Elephant (aka APT-C-08, APT-K-47, and TAG-179) with ties to SideWinder, Confucius, and Bitter, used decoy documents regarding Pakistani plans to repatriate illegal foreigners, including Afghan Citizen Card (ACC) holders. Chinese groups are suspected of deploying PlugX and ShadowPad. "The victimology we observed for PlugX (between 27 February and 28 September 2024) and ShadowPad (between 3 August and 1 December 2024) reinforces this assessment," the cybersecurity company said. "Beyond Pakistani law enforcement, victimology for PlugX and ShadowPad includes government, foreign affairs, defense, nongovernmental, and research entities across South, Southeast, Central, and East Asia, the Arabian Peninsula, and Southeast Europe, consistent with China-aligned collection." Additionally, Cobalt Strike traffic pointed to 142.171.183[.]8, targeting entities globally and Tibetan Buddhist organizations in Taiwan. "When multiple cyberespionage actors operate against law enforcement institutions of a single state, the convergence itself is a signal of target value," Milenkoski explained. "What draws them is a particular kind of institution: one that holds the government’s internal security picture, what it knows about the threats inside its borders, and how it acts against them." He added: "The compromise of the Complaint Management System web application adds a second dimension to the activity against Balochistan Police, extending the threat actor's reach beyond the initially compromised environment. By hosting implants in a portal used by both citizens and law enforcement personnel, the threat actor turned a tool built to make policing in Pakistan more accessible and accountable to the public into a malware delivery mechanism."
By the numbers, the digital intrusions spanned over two years, from February 2024 to April 2026. The investigation identified compromises across four critical Pakistani security bodies, including regional police forces and the PSCA. Security analysts flagged four distinct malware clusters—PlugX, ShadowPad, Cobalt Strike, and Remcos RAT—being deployed across various networks, with some command-and-control operations mapping to IP addresses like 142.171.183[.]8 and 193.42.25[.]65.
Why it matters is the deep erosion of public trust when civic portals are weaponized. When citizens can no longer trust official government applications to report crimes or verify credentials without risking malware infection, the social contract of digital governance collapses. For organizations and enterprises worldwide, this incident serves as a stark reminder that public-sector partners and municipal networks often carry elevated geopolitical risks that must be continuously evaluated in global threat models.