<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>FortiMail - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/fortimail/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 11 Jul 2026 18:53:22 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/fortimail/feed.xml" rel="self" type="application/rss+xml"/><item><title>Multi-Group Espionage Targets Pakistani Law Enforcement via Weaponized Police Portal</title><link>https://feed.craftedsignal.io/briefs/2026-07-pakistani-police-espionage/</link><pubDate>Sat, 11 Jul 2026 18:53:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-pakistani-police-espionage/</guid><description>Suspected China- and India-aligned threat actors conducted sustained cyber espionage campaigns between February 2024 and April 2026, compromising Pakistani law enforcement organizations' web applications, network appliances, and email gateways, including the Balochistan Police's Complaint Management System to deploy malware like PlugX, ShadowPad, Cobalt Strike, Remcos RAT, a Rust stager (cms_plugin.exe), and AsyncRAT.</description><content:encoded><![CDATA[<p>Between February 2024 and April 2026, suspected state-sponsored cyber espionage groups, including China-aligned actors and the India-nexus threat actor Mysterious Elephant (APT-C-08), conducted targeted attacks against various Pakistani law enforcement organizations. The campaigns involved compromising critical infrastructure such as network appliances, web servers hosting sensitive applications, and Fortinet FortiMail email gateways belonging to entities like the Balochistan Police, Khyber Pakhtunkhwa Police, Islamabad Police, and Punjab Safe Cities Authority. Attackers weaponized the compromised Balochistan Police Complaint Management System (CMS), accessible at <code>cms.balochistanpolice.gov.pk</code>, by uploading malicious implants disguised as portal updates, such as a Rust stager named <code>cms_plugin.exe</code> and a .NET executable <code>360Safe.exe</code> which loads AsyncRAT. These implants were designed to deliver further payloads (including PlugX, ShadowPad, Cobalt Strike, and Remcos RAT) and exfiltrate sensitive data including criminal, biometric, hotel, tenant, and personnel records, extending the threat actor's reach to both law enforcement staff and citizens interacting with the portal.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Threat actors gain initial access to network appliances, web servers (including those hosting the Complaint Management System and Smart Police Station applications), and Fortinet FortiMail appliances within Pakistani law enforcement networks.</li>
<li>Attackers weaponize the compromised Complaint Management System (CMS) portal (<code>cms.balochistanpolice.gov.pk</code>) by deploying malicious files masquerading as legitimate portal updates.</li>
<li>A Rust stager, named <code>cms_plugin.exe</code>, is uploaded to the compromised CMS web application.</li>
<li>Police staff or citizens, interacting with the CMS, are prompted with a fake &quot;Update Complete! Please refresh the page&quot; message and execute the malicious <code>cms_plugin.exe</code>.</li>
<li>Upon execution, the <code>cms_plugin.exe</code> stager downloads additional payloads from attacker-controlled infrastructure, such as <code>193.42.25[.]65</code>.</li>
<li>A .NET executable, <code>360Safe.exe</code>, masquerading as legitimate security software, is deployed to reflectively load an AsyncRAT client, establishing persistent access and control.</li>
<li>Various malware families, including PlugX, ShadowPad, Cobalt Strike, and Remcos RAT, are deployed to victim systems, utilizing C2 servers such as <code>142.171.183[.]8</code> for communication.</li>
<li>Threat actors perform cyber espionage, collecting and exfiltrating sensitive police and citizen data, including criminal, biometric, hotel registration, and personnel records, for intelligence gathering.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>These sustained espionage campaigns severely impact the integrity and confidentiality of sensitive national security and citizen data across multiple Pakistani law enforcement agencies. The compromise of web applications managing criminal and biometric records, hotel and tenant registrations, criminal case files, and personnel records exposes vast amounts of personally identifiable information and operational intelligence. The weaponization of public-facing portals like the Complaint Management System transforms them into malware delivery mechanisms, potentially compromising both law enforcement personnel and the citizens they serve. The intelligence gathered by these state-sponsored groups provides significant geopolitical advantages and insights into Pakistan's internal security picture, undermining national security and public trust in digital government services.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Monitor</strong> process creation logs for the execution of suspicious binaries like <code>cms_plugin.exe</code> and <code>360Safe.exe</code> as identified in the IOCs and rules section.</li>
<li><strong>Block</strong> network connections to the identified attacker C2 IP addresses <code>193.42.25[.]65</code> and <code>142.171.183[.]8</code> at the perimeter firewall and DNS resolvers.</li>
<li><strong>Review</strong> web server access logs for <code>cms.balochistanpolice.gov.pk</code> and other public-facing applications for unauthorized file uploads or suspicious activity indicative of web shell deployment or compromise.</li>
<li><strong>Implement</strong> and <strong>enforce</strong> application whitelisting policies to prevent the execution of unauthorized executables like <code>cms_plugin.exe</code> and <code>360Safe.exe</code>.</li>
<li><strong>Deploy</strong> the Sigma rules in this brief to your SIEM and tune for your environment to detect <code>cms_plugin.exe</code> and <code>360Safe.exe</code> execution and C2 communications.</li>
<li><strong>Patch</strong> all internet-facing Fortinet FortiMail appliances and web applications, including the Complaint Management System, immediately with the latest security updates to address any known vulnerabilities that could have facilitated initial access.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cyber-espionage</category><category>nation-state</category><category>malware</category><category>rat</category><category>windows</category></item></channel></rss>