Threat Advisory

PlugX and ShadowPad Infrastructures Used Against Balochistan Police

Threat: Malware
Targeted Region: Asia, Pakistan, China, India, East Asia
Threat Actor Region: China
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Cyberespionage activity has been sustained against several Pakistani law enforcement organizations, particularly Balochistan Police, from to. Suspected China- and India-nexus threat actors have converged on this victim class, with multiple intrusions observed at Balochistan Police, including compromised servers hosting web applications that manage police and citizen data. The technical analysis reveals a complex operation involving staging and delivery of custom implants masquerading as portal updates.

The suspected China-nexus actor deployed an AsyncRAT client using the Cobalt Strike C2 server 193.42.25[.]65, while the India-nexus actor used Remcos infrastructure to deliver a backdoor launcher. Both actors leveraged compromised web servers and network appliances to reach their targets, with the China-nexus actor also compromising the Complaint Management System (CMS) web application.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Cyberespionage activity has been sustained against several Pakistani law enforcement organizations, particularly Balochistan Police, from to. Suspected China- and India-nexus threat actors have converged on this victim class, with multiple intrusions observed at Balochistan Police, including compromised servers hosting web applications that manage police and citizen data. The technical analysis reveals a complex operation involving staging and delivery of custom implants masquerading as portal updates.

The suspected China-nexus actor deployed an AsyncRAT client using the Cobalt Strike C2 server 193.42.25[.]65, while the India-nexus actor used Remcos infrastructure to deliver a backdoor launcher. Both actors leveraged compromised web servers and network appliances to reach their targets, with the China-nexus actor also compromising the Complaint Management System (CMS) web application.[emaillocker id="1283"]

The conclusion highlights the strategic motives behind these intrusions, including concern for the safety of Chinese nationals in Pakistan and insight into India's adversarial security relationship with Pakistan. The compromise of Balochistan Police's CMS web application adds a second dimension to the activity, extending the threat actor's reach beyond the initially compromised environment.

THREAT PROFILE:

Tactic Technique Id Technique Sub-technique
Initial access T1566.002 Phishing Spearphishing Link
Execution T1204.002 User Execution Malicious File
Persistence T1547.001 Boot or Logon Autostart Execution Registry Run Keys / Startup Folder
Collection T1005 Data from Local System -
Command and control T1071.001 Application Layer Protocol Web Protocols
Exfiltration T1041 Exfiltration Over C2 Channel -

MBC MAPPING:

Objective Behavior ID Behavior
Command & Control B0030 C2 Communication
Discovery E1083 File and Directory Discovery
Persistence F0012 Registry Run Keys / Startup Folder
Execution E1204 User Execution
Anti-Static Analysis B0032 Executable Code Obfuscation
Anti-Static Analysis E1027 Obfuscated Files or Information

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu