Cyberespionage activity has been sustained against several Pakistani law enforcement organizations, particularly Balochistan Police, from to. Suspected China- and India-nexus threat actors have converged on this victim class, with multiple intrusions observed at Balochistan Police, including compromised servers hosting web applications that manage police and citizen data. The technical analysis reveals a complex operation involving staging and delivery of custom implants masquerading as portal updates.
The suspected China-nexus actor deployed an AsyncRAT client using the Cobalt Strike C2 server 193.42.25[.]65, while the India-nexus actor used Remcos infrastructure to deliver a backdoor launcher. Both actors leveraged compromised web servers and network appliances to reach their targets, with the China-nexus actor also compromising the Complaint Management System (CMS) web application.[/subscribe_to_unlock_form]
Cyberespionage activity has been sustained against several Pakistani law enforcement organizations, particularly Balochistan Police, from to. Suspected China- and India-nexus threat actors have converged on this victim class, with multiple intrusions observed at Balochistan Police, including compromised servers hosting web applications that manage police and citizen data. The technical analysis reveals a complex operation involving staging and delivery of custom implants masquerading as portal updates.
The suspected China-nexus actor deployed an AsyncRAT client using the Cobalt Strike C2 server 193.42.25[.]65, while the India-nexus actor used Remcos infrastructure to deliver a backdoor launcher. Both actors leveraged compromised web servers and network appliances to reach their targets, with the China-nexus actor also compromising the Complaint Management System (CMS) web application.[emaillocker id="1283"]
The conclusion highlights the strategic motives behind these intrusions, including concern for the safety of Chinese nationals in Pakistan and insight into India's adversarial security relationship with Pakistan. The compromise of Balochistan Police's CMS web application adds a second dimension to the activity, extending the threat actor's reach beyond the initially compromised environment.
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Initial access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204.002 | User Execution | Malicious File |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Collection | T1005 | Data from Local System | - |
| Command and control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
| Objective | Behavior ID | Behavior |
|---|---|---|
| Command & Control | B0030 | C2 Communication |
| Discovery | E1083 | File and Directory Discovery |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Execution | E1204 | User Execution |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
The following reports contain further technical details:
[/emaillocker]