HackMyIP
← Back to News
2026-07-11 The Hacker News

APT Groups Target Pakistani Law Enforcement in Multi-Year Espionage Campaign

APTThreat IntelMalware

SentinelOne SentinelLABS has uncovered a sustained cyber espionage operation targeting multiple Pakistani law enforcement agencies, with activity spanning February 2024 through April 2026. Researchers attribute the intrusions to four distinct threat clusters aligned with both China- and India-linked state-sponsored interests. Compromised assets include servers hosting web applications that manage sensitive police and citizen data, ranging from criminal case files and biometric records to hotel and tenant registrations tied to national identity databases. Organizations confirmed as impacted include Balochistan Police, Khyber Pakhtunkhwa Police, Islamabad Police, and the Punjab Safe Cities Authority (PSCA).

The attackers deployed four unique malware families across the campaign. PlugX and ShadowPad, both traditionally linked to Chinese nation-state groups, were used against government, defense, and research targets across South and Southeast Asia, the Arabian Peninsula, and Southeast Europe. ShadowPad in particular is regarded as the successor to PlugX, and the overlapping victimology between the two deployments reinforces the China-nexus assessment, according to principal threat researcher Aleksandar Milenkoski. A custom implant masquerading as a portal update was installed on Balochistan Police's Complaint Management System (CMS), putting both officers and citizens at risk. The fourth cluster leveraged Cobalt Strike, while Remcos RAT was tied to an India-aligned adversary sharing infrastructure with the group tracked as Mysterious Elephant (APT-C-08, APT-K-47, TAG-179), which exhibits tactical overlap with SideWinder, Confucius, and Bitter. Defenders investigating their own exposure can run a port scanner to identify unexpected services on law enforcement-adjacent infrastructure, or perform a WHOIS lookup on suspicious domains surfaced during incident triage.

Attack chains relied on lures themed around Pakistani law enforcement operations, including a decoy document purporting to contain an operational plan for repatriating illegal foreigners and Afghan Citizen Card (ACC) holders. This social engineering layer was designed to entice officers into executing payloads that would establish footholds in networks managing some of the country's most sensitive identification and case data. Given the depth of biometric and personnel records exposed, agencies should audit certificate health with an SSL/TLS checker to ensure encrypted portals have not been downgraded or mis-issued following compromise. The breadth of tooling—spanning custom implants, shared commodity loaders, and commercial red-team frameworks—suggests at least some clusters involve multiple operators collaborating under shared objectives, complicating attribution and defense efforts.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

My IP →IP Lookup →Privacy Checkup →

Related Guides

Learn the background behind this story:

What is my IP and why it matters →IP address security →How to stop being tracked online →