Malik Haidar has spent over two decades navigating the shadows of the digital battlefield, specializing in the high-stakes world of state-sponsored cyber espionage. With a background that bridges the gap between deep-tier technical analytics and the cold calculus of geopolitical strategy, he has spent years defending multinational corporations and government entities from some of the world’s most persistent threat actors. In this discussion, he provides a rare look into a sprawling, multi-year campaign where Pakistani law enforcement agencies became the focal point for both regional allies and adversaries. This operation, which unfolded between February 2024 and April 2026, reveals a complex web of overlapping interests, where public safety tools were twisted into instruments of surveillance.
The conversation explores the strategic convergence of China- and India-aligned threat clusters, the specific weaponization of the Balochistan Police’s public portal, and the massive scale of data exfiltration involving everything from biometric records to hotel registrations. We also examine the psychological tactics used to lure victims through sensitive social issues and the technical evolution of malware families like ShadowPad and Remcos RAT.
When multiple foreign intelligence groups target a single nation’s law enforcement agencies simultaneously, what does that tell us about the strategic value of the data being held there?
When you see four distinct threat clusters—each deploying unique malware like PlugX, ShadowPad, and Cobalt Strike—all hammering the same infrastructure, it sends a clear signal about “target value.” In the world of espionage, these agencies are the keepers of the state’s internal security picture; they know who the threats are, where they live, and how the government plans to neutralize them. By compromising assets across the Islamabad Police, the Punjab Safe Cities Authority, and others, these actors weren’t just looking for random files; they were hunting for the fingerprints of the state’s domestic control. Between February 2024 and April 2026, the sheer persistence of these groups shows that this wasn’t a hit-and-run, but a deep-seated effort to map out the entire law enforcement ecosystem of Pakistan. It is a rare and visceral example of how a nation’s “partner” and its “adversary” can find themselves rubbing shoulders in the same compromised server, both hungry for the same intelligence.
The compromise of the Balochistan Police Complaint Management System is particularly striking because it affects citizens as well as officers. How does weaponizing a public service portal like this shift the ethical and tactical boundaries of state-sponsored hacking?
This is a chilling evolution because it turns a tool designed for public accountability and transparency into a trap for the very people it’s meant to protect. By uploading two distinct variants of an implant named “cms_plugin.exe” to the portal, the attackers essentially turned a bridge between the police and the public into a malware delivery factory. When a citizen or a staff member executes that Rust stager, they are met with a polite message saying “Update Complete! Please refresh the page,” which provides a false sense of security while a payload is being pulled from a server like 193.42.25[.]65. This tactic bypasses traditional perimeter defenses by exploiting the inherent trust people have in their government’s digital initiatives. It’s no longer just about breaching a network; it’s about poisoning the well of public service to ensure the malware reaches as many high-value targets as possible.
The report highlights distinct toolsets like ShadowPad and Remcos RAT being used by different regional actors. What are the nuances in how these groups operate, and how do their goals differ despite hitting the same targets?
While the targets overlap, the toolsets reveal very different operational philosophies and regional focus areas. The China-nexus actors rely heavily on ShadowPad—the sophisticated successor to PlugX—and their activity shows a massive, global footprint that reaches from Tibetan Buddhist organizations in Taiwan to research entities in Southeast Europe. Their use of the Cobalt Strike server at 142.171.183[.]8 suggests a highly organized, systematic collection effort that views Pakistani law enforcement as just one piece of a much larger Asian and Middle Eastern puzzle. Conversely, the India-nexus clusters, linked to groups like Mysterious Elephant, appear much more focused on the immediate tactical landscape of their neighbor. They use Remcos RAT and highly localized lures to get inside, suggesting their goal is more about keeping a sharp, constant eye on the specific movements and plans of the Pakistani security apparatus.
The attackers went after very specific databases, including hotel registrations and tenant records linked to national IDs. From a strategic intelligence perspective, why is this “boring” administrative data actually a goldmine for an adversary?
In the hands of an intelligence agency, a hotel registry or a tenant record is anything but boring; it is a high-definition map of human movement, association, and identity. By compromising the servers hosting these biometric and registration records, an adversary can unmask undercover operations or track the travel patterns of sensitive personnel in real-time. This allows them to know exactly who is staying at a specific location and cross-reference it with national identity records to build a complete profile of an individual’s life. When you combine this with the breach of the Fortinet FortiMail appliance, which served as the primary email gateway, the attacker gains a god-like view of the agency’s internal and external communications. It transforms the police department’s own digitalization efforts, like the Smart Police Station initiative, into a self-contained surveillance network for the enemy.
We see the use of lures related to the repatriation of illegal foreigners to trick users. What does this use of “hot-button” social issues tell us about the psychological sophistication of these threat actors?
These actors are master psychologists who know that the fastest way into a secure system is through a human being’s sense of duty or anxiety. By crafting a decoy document that purports to contain an operational plan for the repatriation of Afghan Citizen Card holders, they are tapping into a high-priority, emotionally charged policy issue for Pakistani law enforcement. They know an officer is far more likely to click on a document that feels urgent and relevant to their daily orders than a generic phishing link. This psychological engineering is backed by clever technical camouflage, such as the .NET executable masquerading as “360Safe.exe” to reflectively load an AsyncRAT client. It’s a sophisticated “bait and switch” where the victim’s professional dedication is used as the key to unlock the front door for a foreign intelligence service.
What is your forecast for the future of regional cyber espionage in South Asia?
I believe we are entering an era of “crowded theaters,” where the digital infrastructure of South Asian nations will become a permanent, multi-tenant battleground for various state-sponsored groups. As government services continue to digitize at a rapid pace, the surface area for attack will grow faster than the ability to defend it, leading to more incidents where multiple adversaries are found operating inside the same network simultaneously. We will likely see a shift toward even more deceptive implants that mimic legitimate security software, making it nearly impossible for local administrators to distinguish between a system update and a hostile takeover. The “Smart” initiatives of the future will have to be built with the assumption that they are already compromised, shifting the focus from keeping hackers out to detecting their presence before they can turn public trust into a weapon.

