Dual-Threat State Actor Cyber Espionage: How Rival China- and India-Linked Actors Converged on Balochistan Police Networks (2024–2026)
Between February 2024 and April 2026, suspected China-nexus clusters using PlugX, ShadowPad and Cobalt Strike, and a later India-nexus Remcos campaign tracked as TAG-179, independently compromised the same Pakistani law-enforcement target class—with the heaviest concentration on Balochistan Police—creating a rare documented dual-threat state actor cyber espionage case. One China-linked actor went further, turning the force’s public Complaint Management System into a malware delivery surface that reached both officers and citizens.
The finding, published by SentinelLabs on 9 July 2026, forces a hard rethink of single-actor incident models. Defenders can no longer assume that a confirmed foothold belongs to one campaign. Concurrent rival occupation is a distinct risk class for government, law-enforcement and critical-infrastructure networks in contested regions.
Geopolitical and Organizational Stakes
Balochistan sits at the intersection of a long-running Baloch separatist insurgency, Chinese infrastructure investment under the China-Pakistan Economic Corridor, and India-Pakistan rivalry. Attacks claimed by or linked to the Balochistan Liberation Army, including a March 2024 suicide bombing that killed Chinese nationals and an October 2024 assault near Karachi airport, have drawn explicit Chinese criticism of Pakistani protection. In January 2026, Chinese and Pakistani ministers agreed to deepen counterterrorism coordination and create a special unit to protect Chinese nationals.
For China-nexus operators, police data offered an independent picture of the threat environment rather than reliance on a partner whose security record has repeatedly fallen short. For India-nexus operators, the same force holds the operational record of how Pakistan manages a province central to mutual accusations of proxy support for militants—charges both sides deny. Digitization programs that centralized FIR systems, biometric matching, hotel and tenant registration linked to national identity, personnel records and citizen complaints raised the intelligence value of a single police enterprise. Activity also touched Khyber Pakhtunkhwa Police, Islamabad Police and the Punjab Safe Cities Authority.
India-Linked Campaign: TAG-179 and Remcos
Researchers clustered command-and-control traffic by tooling rather than named APT because PlugX, ShadowPad and Cobalt Strike are shared or commodity tools. The Remcos cluster mapped cleanly to a single tracked actor.
Remcos traffic from 89.31.121[.]220 first appeared against Pakistani law-enforcement targets on 13 January 2026 and continued until 9 April 2026. Recorded Future tracks the operator as TAG-179; it shows tactical and infrastructure overlaps with the groups Kaspersky calls Mysterious Elephant and Qihoo 360 tracks as APT-C-08 (Bitter). Activity intensified and TTPs diversified from early 2025, consistent with earlier public research.
Lures were purpose-built for Pakistani law enforcement. One decoy posed as an operational plan for deporting Afghan Citizen Card holders and referenced district police, NADRA and intelligence. Broader TAG-179 victimology from late 2025 into 2026 included government, defense, foreign affairs, intelligence, research and manufacturing targets across South and Southeast Asia and the Middle East. No infrastructure overlap with the China-nexus clusters was observed.
China-Linked Campaigns: PlugX, ShadowPad, Cobalt Strike and CMS Weaponization
Three China-nexus clusters operated across 2024–2025.
PlugX C2 servers (including 172.111.233[.]36 and related addresses, plus 172.94.9[.]49 and 45.74.6[.]17) communicated with Pakistani law-enforcement infrastructure from 27 February 2024 until 28 September 2024. ShadowPad traffic via 45.125.32[.]218 appeared between 5 and 29 November 2024 (broader victim window roughly August–December). Cobalt Strike servers 142.171.183[.]8 and 193.42.25[.]65 remained active from 12 October 2024 through 5 December 2025.
Victimology for PlugX and ShadowPad—government, foreign affairs, defense, NGO and research entities across Asia, the Arabian Peninsula and Southeast Europe—aligns with China-aligned collection. Cobalt Strike attribution sits at medium confidence, supported by traffic to Tibetan organizations in Taiwan and wider Asia–Middle East–South Asia targeting.
The most operationally significant action was the late-2024 compromise of Balochistan Police’s Complaint Management System at cms.balochistanpolice[.]gov[.]pk. Operators uploaded cms_plugin.exe to the publicly reachable client scripts path. Two variants appeared:
- A Rust stager that displayed the fake message “Update Complete! Please refresh the page” and retrieved a next stage from 193.42.25[.]65 (payload unrecovered).
- A .NET binary masquerading as Qihoo 360’s 360Safe.exe that reflectively loaded AsyncRAT communicating with 41.216.188[.]140.
Chinese-language log strings and pinyin PDB paths such as D:\codedome\… and terms like xinshi indicated a Chinese-speaking developer. Techniques included upload of malware to a public path, masquerading, user execution and reflective loading. Network appliances, including a decommissioned but still-reachable Fortinet FortiMail, were also reached.
timeline title Dual Campaign Timeline on Pakistani Law Enforcement section 2024 27 Feb : PlugX C2 first seen Oct : Cobalt Strike first seen; CMS implants uploaded late 2024 28 Sep : PlugX last seen Nov : ShadowPad window section 2025 Through Dec : Cobalt Strike remains active section 2026 13 Jan : Remcos / TAG-179 first seen 9 Apr : Remcos last seen 9 Jul : Public disclosure
Convergence Without Shared Infrastructure
China-nexus activity ran for nearly two years on Pakistani LE (Feb 2024–Dec 2025); India-nexus Remcos appeared Jan–Apr 2026 against the same target class and Balochistan concentration, with no shared infrastructure observed. Separate toolkits produced distinct network signatures and host artifacts. Multiple independent web applications (FIR, HRMIS, biometrics, HotelEye, tenant registration, CMS) plus appliances created room for concurrent footholds when windows overlapped or followed closely. The citizen- and staff-facing CMS further expanded the infection surface without requiring deep lateral movement for initial access.
Absence of reported mutual detection or ejection does not prove deliberate avoidance or mutual unawareness. It does demonstrate that dual-threat state actor cyber espionage on the same enterprise is operationally sustainable when tooling and infrastructure remain isolated. For incident responders, discovering one state-linked implant no longer ends the hunt.
Compromised Systems and Data at Risk
Primary concentration fell on Balochistan Police web applications and appliances: the Complaint Management System (officer logins often prefixed ps- and later observed in stealer logs; citizens could check status without login), FIR systems, HRMIS personnel records, Anti-Vehicle Lifting System, HotelEye guest registration linked to national ID, Criminal Record Management System with biometric matching, Tenant Registration, and orphaned network appliances.
If backend databases were reached, exposed data classes would include police personnel and payroll, criminal case files and fingerprints, stolen vehicle records, hotel check-ins tied to national identity, landlord/tenant registrations, and citizen complaints including misconduct reports. Exact exfiltration volumes and operational use of the data have not been publicly quantified. Access alone would have enabled independent assessments of internal security threats, personnel posture and citizen interactions with the force.
Multi-Actor Hunting, Attribution and Response
Threat-intelligence and SOC teams must treat dual-threat state actor cyber espionage as a distinct class rather than sequential single-actor incidents. Cluster first by tooling and infrastructure; attribute second. Shared or commodity malware such as PlugX, ShadowPad and Cobalt Strike can support multiple operators—collapsing all hits into one APT narrative produces false confidence. After confirming one state foothold on high-value law-enforcement or government targets in contested regions, assume concurrency and hunt deliberately for a second beacon family. Maintain separate timelines per malware family. Treat public portals and static asset directories as first-class hunting surfaces; unexpected executables or update masquerades require integrity monitoring. Pivot on stealer logs for staff credentials matching law-enforcement naming conventions. Publish attribution with explicit confidence tiers that combine tooling, victimology, developer language artifacts and known group overlaps.
Safe ejection of concurrent state actors requires per-cluster eradication and architectural isolation.
| Measure | Rationale from this case |
|---|---|
| Isolate citizen portals from staff authentication domains and backend databases | CMS became dual-use implant delivery |
| Ban executable content in client-scripts and static paths; enforce integrity monitoring | cms_plugin.exe placement |
| Segment by application (biometrics ≠ complaints ≠ HR ≠ hotel/tenant) and fully retire orphaned appliances | Multiple independent apps and a still-reachable FortiMail |
| Eradicate per C2 cluster; re-hunt for a second family after the first is removed | Independent campaigns over the multi-year window |
| Preserve parallel forensic timelines | Different actors, different motives |
| Force credential reset and re-enrollment for staff who used compromised portals | Dual user base |
| Detect concurrent rare egress from the same subnet | Separate C2 fleets still share victim network |
Tabletop exercises should now include the scenario of ejecting Actor A without tipping Actor B or burning all sources.
Forward Look
Digitized internal-security systems concentrate precisely the data regional powers most want: biometric holdings, criminal records, personnel files and citizen-state interactions. As South Asian and Indo-Pacific tensions persist, dual-threat state actor cyber espionage on the same enterprise will become less exceptional. Single-actor playbooks leave defenders blind to the second flag. Organizations responsible for government, law-enforcement and critical infrastructure must adopt multi-actor hunting, confidence-labeled attribution and per-cluster response before concurrent occupation becomes routine.