The operations, detected between February 2024 and April 2026, converged most heavily on Balochistan Police, the principal law-enforcement agency in the strategically important south-western province. Khyber Pakhtunkhwa Police, Islamabad Police and the Punjab Safe Cities Authority were also targeted.
The campaigns appeared to be independent rather than coordinated. Their overlap nevertheless highlighted the intelligence value of police databases in a country confronting militant violence, separatist attacks, border tensions and competing regional interests.
Researchers identified command-and-control communications involving four widely used hacking tools: PlugX, ShadowPad, Cobalt Strike and Remcos. PlugX and ShadowPad have long been associated with China-linked cyber-espionage groups, while the Remcos activity was connected to a suspected India-linked actor tracked as TAG-179.
Balochistan Police systems showed the greatest concentration of malicious activity. Compromised assets included network appliances, application servers and a Fortinet FortiMail device that had previously operated as the force’s primary incoming email gateway.
Several affected servers hosted applications developed under the Smart Police Station initiative, a programme designed to modernise policing and improve public access to services. The platforms potentially exposed information spanning police operations and civilian interactions with law enforcement.
The systems included a criminal records database using fingerprint-based biometric matching, a human resources platform containing officers’ postings and performance records, a stolen-vehicle tracking system and applications registering hotel guests and tenants through national identity databases.
Other platforms handled First Information Reports and citizen complaints. Access to their underlying data could provide detailed insight into investigations, police deployment, suspected offenders, vulnerable locations and the force’s capacity to respond to security threats.
One of the most serious compromises involved the Balochistan Police Complaint Management System. Attackers planted malicious files that appeared to be routine portal updates, transforming an application used by police personnel and the public into a potential malware delivery channel.
The portal allows citizens to track complaints using a reference number and mobile phone number, while a restricted section is believed to serve police stations across the province. Credentials recovered from data-stealing malware logs followed naming patterns linked to individual districts and police stations.
China-linked activity involving PlugX was detected from February to September 2024, while ShadowPad communications appeared during November that year. Cobalt Strike infrastructure remained active against police systems from October 2024 until December 2025.
The India-linked Remcos activity was observed from January to April 2026. The suspected operator used a decoy document presented as an operational plan for deporting undocumented foreigners, including Afghan Citizen Card holders.
The document referred to coordination between district police forces, intelligence bodies and the National Database and Registration Authority. Its subject matter would have made it a plausible lure for officers involved in Pakistan’s programme to repatriate Afghan nationals.
China’s suspected interest centres on the security of its citizens and investments in Pakistan. Chinese workers and engineers involved in the China-Pakistan Economic Corridor have repeatedly been targeted by militant organisations, including the Balochistan Liberation Army.
Attacks on Chinese nationals have strained security cooperation between Beijing and Islamabad. China has pressed Pakistan to strengthen protection around infrastructure projects, while the two governments have expanded counterterrorism coordination, police training and specialised security arrangements.
Access to provincial police data could allow Beijing to assess militant threats independently instead of relying entirely on information supplied by Pakistani authorities.
The suspected India-linked campaign appears more closely tied to the wider security rivalry between New Delhi and Islamabad. Balochistan remains central to mutual accusations involving separatism, cross-border militancy and intelligence activity.
Pakistan has accused India of supporting the Baloch insurgency, allegations rejected by New Delhi. India has accused Pakistan of assisting militant groups responsible for attacks in Jammu and Kashmir, charges Islamabad denies.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.