Multi-Group Espionage Targets Pakistani Law Enforcement via Weaponized Police Portal
Suspected China- and India-aligned threat actors conducted sustained cyber espionage campaigns between February 2024 and April 2026, compromising Pakistani law enforcement organizations' web applications, network appliances, and email gateways, including the Balochistan Police's Complaint Management System to deploy malware like PlugX, ShadowPad, Cobalt Strike, Remcos RAT, a Rust stager (cms_plugin.exe), and AsyncRAT.
Between February 2024 and April 2026, suspected state-sponsored cyber espionage groups, including China-aligned actors and the India-nexus threat actor Mysterious Elephant (APT-C-08), conducted targeted attacks against various Pakistani law enforcement organizations. The campaigns involved compromising critical infrastructure such as network appliances, web servers hosting sensitive applications, and Fortinet FortiMail email gateways belonging to entities like the Balochistan Police, Khyber Pakhtunkhwa Police, Islamabad Police, and Punjab Safe Cities Authority. Attackers weaponized the compromised Balochistan Police Complaint Management System (CMS), accessible at cms.balochistanpolice.gov.pk, by uploading malicious implants disguised as portal updates, such as a Rust stager named cms_plugin.exe and a .NET executable 360Safe.exe which loads AsyncRAT. These implants were designed to deliver further payloads (including PlugX, ShadowPad, Cobalt Strike, and Remcos RAT) and exfiltrate sensitive data including criminal, biometric, hotel, tenant, and personnel records, extending the threat actor's reach to both law enforcement staff and citizens interacting with the portal.
Attack Chain
- Threat actors gain initial access to network appliances, web servers (including those hosting the Complaint Management System and Smart Police Station applications), and Fortinet FortiMail appliances within Pakistani law enforcement networks.
- Attackers weaponize the compromised Complaint Management System (CMS) portal (
cms.balochistanpolice.gov.pk) by deploying malicious files masquerading as legitimate portal updates. - A Rust stager, named
cms_plugin.exe, is uploaded to the compromised CMS web application. - Police staff or citizens, interacting with the CMS, are prompted with a fake "Update Complete! Please refresh the page" message and execute the malicious
cms_plugin.exe. - Upon execution, the
cms_plugin.exestager downloads additional payloads from attacker-controlled infrastructure, such as193.42.25[.]65. - A .NET executable,
360Safe.exe, masquerading as legitimate security software, is deployed to reflectively load an AsyncRAT client, establishing persistent access and control. - Various malware families, including PlugX, ShadowPad, Cobalt Strike, and Remcos RAT, are deployed to victim systems, utilizing C2 servers such as
142.171.183[.]8for communication. - Threat actors perform cyber espionage, collecting and exfiltrating sensitive police and citizen data, including criminal, biometric, hotel registration, and personnel records, for intelligence gathering.
Impact
These sustained espionage campaigns severely impact the integrity and confidentiality of sensitive national security and citizen data across multiple Pakistani law enforcement agencies. The compromise of web applications managing criminal and biometric records, hotel and tenant registrations, criminal case files, and personnel records exposes vast amounts of personally identifiable information and operational intelligence. The weaponization of public-facing portals like the Complaint Management System transforms them into malware delivery mechanisms, potentially compromising both law enforcement personnel and the citizens they serve. The intelligence gathered by these state-sponsored groups provides significant geopolitical advantages and insights into Pakistan's internal security picture, undermining national security and public trust in digital government services.
Recommendation
- Monitor process creation logs for the execution of suspicious binaries like
cms_plugin.exeand360Safe.exeas identified in the IOCs and rules section. - Block network connections to the identified attacker C2 IP addresses
193.42.25[.]65and142.171.183[.]8at the perimeter firewall and DNS resolvers. - Review web server access logs for
cms.balochistanpolice.gov.pkand other public-facing applications for unauthorized file uploads or suspicious activity indicative of web shell deployment or compromise. - Implement and enforce application whitelisting policies to prevent the execution of unauthorized executables like
cms_plugin.exeand360Safe.exe. - Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect
cms_plugin.exeand360Safe.exeexecution and C2 communications. - Patch all internet-facing Fortinet FortiMail appliances and web applications, including the Complaint Management System, immediately with the latest security updates to address any known vulnerabilities that could have facilitated initial access.
Detection coverage 3
Detect cms_plugin.exe Execution (Rust Stager)
highDetects the execution of cms_plugin.exe, a Rust stager implant observed in espionage campaigns against Pakistani law enforcement, which downloads additional payloads.
Detect 360Safe.exe Masquerading for AsyncRAT
highDetects the execution of 360Safe.exe when used as a malicious binary to load AsyncRAT, masquerading as a legitimate Qihoo 360 Total Security component. This rule specifically looks for execution outside typical legitimate paths or suspicious parent processes.
Detect Network Connections to Espionage C2 IPs
criticalDetects outbound network connections to known attacker-controlled command-and-control (C2) servers identified in multi-group espionage campaigns targeting Pakistani law enforcement.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
domain
2
filename
2
ip
| Type | Value |
|---|---|
| ip | 142.171.183.8 |
| ip | 193.42.25.65 |
| domain | cms.balochistanpolice.gov.pk |
| filename | cms_plugin.exe |
| filename | 360Safe.exe |