SentinelLabs published new research on a long-running espionage pattern against Pakistani law enforcement organizations, with suspected China-nexus and India-nexus activity both converging on the same victim class between 2024 and 2026. The report is not just a regional intelligence story. It is a useful reminder for public-sector agencies, small contractors, and managed service providers that “routine” government databases can become strategic targets when they expose internal security posture, citizen records, or operational workflows.
According to SentinelLabs, the highest concentration of observed activity affected Balochistan Police, including network appliances, web servers, and applications tied to police and citizen services. The exposed systems reportedly supported functions such as complaint management, criminal records, biometric matching, tenant registration, hotel guest checks, vehicle theft tracking, and personnel management. SentinelLabs also reported C2 activity associated with PlugX, ShadowPad, Cobalt Strike, and Remcos infrastructure, with activity windows spanning from February 2024 through April 2026.
Original source: SentinelLabs — “One Target, Two Flags | Rival Espionage Actors Converge On Pakistani Law Enforcement”.
What Happened
The core finding is convergence. SentinelLabs assessed that suspected China-nexus and India-nexus actors both showed interest in Pakistani law enforcement infrastructure, particularly Balochistan Police. The motives differ, but the target value is similar: law enforcement systems can hold the government’s internal view of threats, people, investigations, identity records, and response capability.
The China-nexus activity is assessed as likely tied to Beijing’s need to understand risks to Chinese nationals and China-Pakistan Economic Corridor projects, especially in Balochistan where Chinese workers have repeatedly been targeted by militant attacks. The India-nexus activity is assessed through the lens of India-Pakistan rivalry and the strategic value of Balochistan-related security information.
SentinelLabs also described a compromise of the Balochistan Police Complaint Management System, where files named like portal update components were reportedly uploaded under client script paths. One variant acted as a stager and another reflectively loaded an AsyncRAT client. The important defender lesson is straightforward: a public-facing service portal can become a staging point for deeper collection, not just a website defacement risk.
Why It Matters
Public-sector data systems are often treated as compliance assets first and security assets second. That is backwards. Police, municipal, healthcare, utilities, courts, schools, and contractor portals frequently combine identity records, operational procedures, case files, employee data, and external-facing access paths. For an espionage actor, that mix is valuable even if the system is not classified.
For SMBs and government contractors, the lesson is not limited to Pakistan. If your organization hosts portals, integrates with public agencies, supports case-management workflows, or stores regulated client data, you may be part of someone else’s intelligence collection path. Attackers do not need your company to be the final target. They only need you to provide access, credentials, records, infrastructure, or context that helps them reach the real objective.
Defensive Takeaways
- Treat public-sector web apps as high-value infrastructure. Complaint portals, HR systems, records systems, and citizen service apps deserve the same patching, logging, and segmentation discipline as VPNs and identity servers.
- Separate the web tier from the data tier. A compromised portal should not provide easy paths to biometric databases, personnel records, case files, or identity-linked registration systems.
- Monitor for web-root and script-path abuse. Unexpected executables, archive files, DLLs, or “update” components in web directories should be treated as potential intrusion artifacts, not administrative clutter.
- Hunt for commodity tooling with espionage context. PlugX and ShadowPad point toward China-nexus tradecraft, while Remcos and Cobalt Strike can appear in both criminal and state-linked operations. Tooling alone is not attribution, but it is enough to drive containment and scoping.
- Log egress from application servers. Web servers should have tight outbound allow-lists. Unexpected C2-like traffic from a portal server is often the first signal that a “web issue” is actually an intrusion.
- Protect citizen-facing search functions. Public lookup forms can expose sensitive workflow patterns, enable enumeration, or become delivery points for malicious “updates” if deployment controls are weak.
- Assume stolen portal credentials exist. SentinelLabs noted credentials recovered from infostealer logs. Agencies and contractors should monitor stealer-log exposure, enforce MFA, and rotate credentials for administrative and service accounts.
Bulwark Black Assessment
This report is a strong example of why “low-side” public-sector systems still matter. The data may not be formally classified, but it can reveal the internal map: who works where, what cases exist, what investigations are active, which citizens are interacting with law enforcement, and how the agency’s digital workflows are structured.
For government contractors, the practical move is to identify every customer-facing or agency-facing portal you operate, then ask three questions: what sensitive data can this system reach, what outbound connections can it make, and how quickly would we know if a web directory was used to stage malware? If the answers are vague, the system is not just an application. It is an intelligence collection opportunity waiting for the wrong actor.
Strategic espionage often looks like boring infrastructure compromise until the geopolitical context is added. Defenders should not wait for attribution to be perfect before hardening the basics: segment the app stack, watch outbound traffic, review file integrity, rotate exposed credentials, and make public-sector portals boring again.













