Two Years Inside Law Enforcement
On July 11, researchers at SentinelOne's SentinelLABS published details of a sustained cyber espionage campaign against Pakistani law enforcement that ran from February 2024 to April 2026. The scope is what makes it striking. This was not a smash and grab. Multiple threat actors maintained access to police infrastructure for more than two years, targeting Balochistan Police, Khyber Pakhtunkhwa Police, Islamabad Police and the Punjab Safe Cities Authority. The intruders were living inside systems that manage some of the most sensitive data a state holds about its citizens.
SentinelLABS identified four distinct threat clusters, and the attribution points in more than one direction. The researchers describe China-aligned groups deploying the well-known PlugX and ShadowPad implants during 2024, an India-nexus actor using Remcos RAT linked to the group tracked as Mysterious Elephant or APT-C-08, and a Cobalt Strike cluster with China-nexus ties. The presence of both China and India aligned activity against the same set of targets underscores that Pakistani law enforcement had become a contested intelligence prize for competing regional interests.
The Data at Risk
The compromised assets read like an inventory of a modern police force's digital nervous system. At Balochistan Police, the intruders reached two network appliances, web servers hosting Smart Police Station applications, a Fortinet FortiMail email gateway and the Complaint Management System running at cms.balochistanpolice.gov.pk. Through these systems, the attackers had potential access to criminal records, biometric data, hotel and tenant registrations linked to national identity records, personnel files and citizen complaint data. This is the raw material of population-scale surveillance.
Aleksandar Milenkoski, a principal threat researcher at SentinelLABS, framed the escalation clearly. The compromise of the Complaint Management System web application, he said, adds a second dimension to the activity against Balochistan Police, extending the threat actor's reach beyond the initially compromised environment. In other words, the attackers did not stop at the perimeter. They pivoted through citizen-facing web applications into deeper systems, using one foothold to widen the blast radius across the police organization's estate.
Custom Tooling Signals Intent
The campaign was not built on commodity malware alone. SentinelLABS documented custom implants that reflect deliberate engineering, including a Rust stager that downloaded payloads from an attacker-controlled address at 193.42.25.65 and a .NET executable masquerading as 360Safe.exe that reflectively loaded AsyncRAT. Disguising an implant as a recognized security product, and delivering another as a portal update inside the Complaint Management System, shows attackers who understood the target environment well enough to blend in with its own software.
That level of tailoring is a signal about intent and resourcing. Espionage operators who invest in bespoke stagers and application-specific lures are not opportunists. They are running a program with objectives, and the two-year dwell time confirms it. The blend of established nation-state tooling like PlugX and ShadowPad with newer custom loaders suggests groups that maintain a toolkit and adapt it per environment, precisely the operational maturity that makes these actors difficult to evict once they are established.
Web Applications as Espionage Footholds
The most transferable lesson here has nothing to do with geopolitics. It is that citizen-facing government web applications are becoming the preferred entry point for long-term espionage. Complaint portals, service request systems and public-facing management consoles are built for accessibility, updated infrequently, and monitored lightly. They sit on the internet by design and connect to sensitive back-end systems by necessity. That combination makes them ideal for attackers who want a durable, low-noise foothold that survives for years.
For any government or enterprise running public web applications in front of sensitive data, the Balochistan case is a warning about assumptions. The perimeter you expose for public service is the same perimeter an adversary will probe first. Once inside a complaint management system, the attacker's next move is lateral, toward the identity records and personnel files behind it. Defenders who treat these front-end applications as low-value because they are public are inverting the actual risk. To an intelligence operator, the public front door is the most attractive one.
What Defenders Should Take Away
The practical takeaways are unglamorous and effective. Government and enterprise defenders should monitor public web applications with the same rigor applied to internal crown jewels, segment those applications away from identity and records systems, and hunt for the long-dwell indicators that distinguish espionage from opportunistic crime. Two years of undetected access is a monitoring failure as much as a prevention failure. The tooling here left artifacts, from unusual outbound connections to disguised executables, that mature detection should surface.
There is also a hard truth about attribution and disclosure. When multiple state-aligned actors converge on the same targets, the victim is caught in a contest it did not choose, and the exposure of citizen biometric and criminal data has consequences that outlast any single intrusion. SentinelLABS deserves credit for the visibility, but the deeper story is structural. As governments digitize policing and identity, they concentrate the exact data that intelligence services most want, and they must defend it as the strategic asset it has become.



