China, India APTs Converge on Balochistan Police
SentinelLABS ties 22 months of intrusions at Balochistan Police to two separate crews: China-nexus operators using PlugX and India-linked Mysterious Elephant.
News. SentinelLABS on Friday attributed roughly two years of intrusions across several Pakistani law enforcement organizations to two unrelated clusters — one China-nexus, one India-linked — operating on the same networks at overlapping times without any obvious sign of coordination between them. The centerpiece is Balochistan Police, whose citizen-facing Complaint Management System was, according to principal threat researcher Aleksandar Milenkoski, quietly staging China-nexus implants for months while the organization’s biometric records, personnel files, and criminal case data sat behind it.
The full timeline in the SentinelLABS writeup runs from February 2024 to April 2026. The Balochistan Police intrusion itself is dated June 2, 2024 through April 9, 2026 — a 22-month window in which both nexuses were, at various points, inside the same target.
Two crews, one target
The China-nexus side of the campaign is characterized by the tools the DFIR community has been reading for a decade: PlugX (observed Feb 27 – Sept 28, 2024), ShadowPad (Aug 3 – Dec 1, 2024), and Cobalt Strike, along with two custom cms_plugin.exe variants — a Rust stager and a .NET loader masquerading as 360Safe.exe that side-loads an AsyncRAT client. According to Milenkoski’s writeup, the implants were hosted on the Complaint Management System portal itself, disguised as portal updates. Lure documents referenced Afghan Citizen Card repatriation operations, a plausible pretext for the provincial police staff the portal serves.
The India-linked side is attributed to Mysterious Elephant, tracked variously as APT-C-08, APT-K-47, and TAG-179, and running Remcos RAT against overlapping targets. SentinelLABS notes commonalities with a broader India-nexus set — SideWinder, Confucius, Bitter — that has been active against South Asian government and defense targets for years. Attribution here is the field’s usual “commonalities with” phrasing, not a courtroom identification; treat it as such.
What actually gets weaponized
The specific asset list in Milenkoski’s writeup is worth reading in full: two network appliances, the web servers hosting the Smart Police Station digitalization applications, a Fortinet FortiMail appliance serving as the primary inbound email gateway, and the public Complaint Management System at cms.balochistanpolice.gov.pk. Behind those, per the report, were the applications managing biometric records, hotel and tenant registrations, criminal case files, and personnel records.
Milenkoski’s own framing, quoted in the writeup: “By hosting implants in a portal used by both citizens and law enforcement personnel, the threat actor turned a tool built to make policing in Pakistan more accessible and accountable to the public into a malware delivery mechanism.”
That sentence is doing a lot of work. The last decade of e-government has been, more or less uniformly, a push to move law enforcement service delivery from paper counters to public web portals — complaint intake, driver records, tenant registration, criminal-case status. The security assumption baked into that push has almost always been that the portals are the product, and defensive investment can follow adoption. The Balochistan case is what it looks like when a portal that has been assumed to be the product becomes, instead, the delivery vehicle for something else entirely, and stays that way for roughly two years without the operator noticing.
What’s newsworthy
The specific tooling in this campaign is not new. PlugX and ShadowPad have been in the field’s inbox for a decade, and Mysterious Elephant has been on threat-intel dashboards for at least three years. What is worth pausing on is the convergence — two unrelated adversary programs, presumably not on speaking terms, arriving at the same target list, in the same organization, in overlapping timeframes, and both settling in for the long haul. That is not a coincidence about tooling; it is a signal about targeting priorities in a region where two large state espionage programs have independently decided that the same provincial law enforcement dataset is worth paying to keep watching.
The same mistake, different decade: build a public-facing portal, treat it as an accessibility win, and forget that it is now the shortest path between the open internet and the personnel files behind it.
Sourcing
- SentinelLABS, One Target: China and India Espionage Converge on Pakistani Law Enforcement — Aleksandar Milenkoski, 2026-07-11
- The Hacker News, Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns — 2026-07-11
- Topic hub: Threat Intel & Field Notes
- Related: DragonReturn Drops DcRAT on Indian Taxpayers — 2026-07-06
- Related: Silver Fox ships MODBEACON, a Rust RAT with gRPC C2 — 2026-07-11
- Related: UNK_MassTraction: China-nexus cluster hits Roundcube at universities — 2026-07-08
Found this useful? Share it.
