{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/fortimail/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FortiMail","Complaint Management System","Smart Police Station digitalization initiative web applications"],"_cs_severities":["high"],"_cs_tags":["cyber-espionage","nation-state","malware","rat","windows"],"_cs_type":"advisory","_cs_vendors":["Fortinet"],"content_html":"\u003cp\u003eBetween February 2024 and April 2026, suspected state-sponsored cyber espionage groups, including China-aligned actors and the India-nexus threat actor Mysterious Elephant (APT-C-08), conducted targeted attacks against various Pakistani law enforcement organizations. The campaigns involved compromising critical infrastructure such as network appliances, web servers hosting sensitive applications, and Fortinet FortiMail email gateways belonging to entities like the Balochistan Police, Khyber Pakhtunkhwa Police, Islamabad Police, and Punjab Safe Cities Authority. Attackers weaponized the compromised Balochistan Police Complaint Management System (CMS), accessible at \u003ccode\u003ecms.balochistanpolice.gov.pk\u003c/code\u003e, by uploading malicious implants disguised as portal updates, such as a Rust stager named \u003ccode\u003ecms_plugin.exe\u003c/code\u003e and a .NET executable \u003ccode\u003e360Safe.exe\u003c/code\u003e which loads AsyncRAT. These implants were designed to deliver further payloads (including PlugX, ShadowPad, Cobalt Strike, and Remcos RAT) and exfiltrate sensitive data including criminal, biometric, hotel, tenant, and personnel records, extending the threat actor's reach to both law enforcement staff and citizens interacting with the portal.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThreat actors gain initial access to network appliances, web servers (including those hosting the Complaint Management System and Smart Police Station applications), and Fortinet FortiMail appliances within Pakistani law enforcement networks.\u003c/li\u003e\n\u003cli\u003eAttackers weaponize the compromised Complaint Management System (CMS) portal (\u003ccode\u003ecms.balochistanpolice.gov.pk\u003c/code\u003e) by deploying malicious files masquerading as legitimate portal updates.\u003c/li\u003e\n\u003cli\u003eA Rust stager, named \u003ccode\u003ecms_plugin.exe\u003c/code\u003e, is uploaded to the compromised CMS web application.\u003c/li\u003e\n\u003cli\u003ePolice staff or citizens, interacting with the CMS, are prompted with a fake \u0026quot;Update Complete! Please refresh the page\u0026quot; message and execute the malicious \u003ccode\u003ecms_plugin.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUpon execution, the \u003ccode\u003ecms_plugin.exe\u003c/code\u003e stager downloads additional payloads from attacker-controlled infrastructure, such as \u003ccode\u003e193.42.25[.]65\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA .NET executable, \u003ccode\u003e360Safe.exe\u003c/code\u003e, masquerading as legitimate security software, is deployed to reflectively load an AsyncRAT client, establishing persistent access and control.\u003c/li\u003e\n\u003cli\u003eVarious malware families, including PlugX, ShadowPad, Cobalt Strike, and Remcos RAT, are deployed to victim systems, utilizing C2 servers such as \u003ccode\u003e142.171.183[.]8\u003c/code\u003e for communication.\u003c/li\u003e\n\u003cli\u003eThreat actors perform cyber espionage, collecting and exfiltrating sensitive police and citizen data, including criminal, biometric, hotel registration, and personnel records, for intelligence gathering.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThese sustained espionage campaigns severely impact the integrity and confidentiality of sensitive national security and citizen data across multiple Pakistani law enforcement agencies. The compromise of web applications managing criminal and biometric records, hotel and tenant registrations, criminal case files, and personnel records exposes vast amounts of personally identifiable information and operational intelligence. The weaponization of public-facing portals like the Complaint Management System transforms them into malware delivery mechanisms, potentially compromising both law enforcement personnel and the citizens they serve. The intelligence gathered by these state-sponsored groups provides significant geopolitical advantages and insights into Pakistan's internal security picture, undermining national security and public trust in digital government services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor\u003c/strong\u003e process creation logs for the execution of suspicious binaries like \u003ccode\u003ecms_plugin.exe\u003c/code\u003e and \u003ccode\u003e360Safe.exe\u003c/code\u003e as identified in the IOCs and rules section.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBlock\u003c/strong\u003e network connections to the identified attacker C2 IP addresses \u003ccode\u003e193.42.25[.]65\u003c/code\u003e and \u003ccode\u003e142.171.183[.]8\u003c/code\u003e at the perimeter firewall and DNS resolvers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview\u003c/strong\u003e web server access logs for \u003ccode\u003ecms.balochistanpolice.gov.pk\u003c/code\u003e and other public-facing applications for unauthorized file uploads or suspicious activity indicative of web shell deployment or compromise.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement\u003c/strong\u003e and \u003cstrong\u003eenforce\u003c/strong\u003e application whitelisting policies to prevent the execution of unauthorized executables like \u003ccode\u003ecms_plugin.exe\u003c/code\u003e and \u003ccode\u003e360Safe.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy\u003c/strong\u003e the Sigma rules in this brief to your SIEM and tune for your environment to detect \u003ccode\u003ecms_plugin.exe\u003c/code\u003e and \u003ccode\u003e360Safe.exe\u003c/code\u003e execution and C2 communications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePatch\u003c/strong\u003e all internet-facing Fortinet FortiMail appliances and web applications, including the Complaint Management System, immediately with the latest security updates to address any known vulnerabilities that could have facilitated initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T18:53:22Z","date_published":"2026-07-11T18:53:22Z","id":"https://feed.craftedsignal.io/briefs/2026-07-pakistani-police-espionage/","summary":"Suspected China- and India-aligned threat actors conducted sustained cyber espionage campaigns between February 2024 and April 2026, compromising Pakistani law enforcement organizations' web applications, network appliances, and email gateways, including the Balochistan Police's Complaint Management System to deploy malware like PlugX, ShadowPad, Cobalt Strike, Remcos RAT, a Rust stager (cms_plugin.exe), and AsyncRAT.","title":"Multi-Group Espionage Targets Pakistani Law Enforcement via Weaponized Police Portal","url":"https://feed.craftedsignal.io/briefs/2026-07-pakistani-police-espionage/"}],"language":"en","title":"CraftedSignal Threat Feed - FortiMail","version":"https://jsonfeed.org/version/1.1"}