Overlapping TTPs: Multi-Group Espionage on Balochistan Police Servers
The latest report on the Balochistan Police portal breach is a textbook example of the 'land grab' happening in targeted sectors. We're seeing suspected China-aligned and India-aligned actors actively utilizing the same compromised assets to host web shells and exfiltrate sensitive citizen data.
What stands out is the sheer duration of the access (Feb 2024 – April 2026). This wasn't a smash-and-grab; it was persistent espionage. The attackers leveraged vulnerabilities in the web application interface to drop payloads.
If you're running IIS servers in LE or GovTech, you should be hunting for these specific indicators. Here’s a PowerShell snippet to scan for recently modified ASPX files in web roots, which is a classic sign of web shell injection:
Get-ChildItem -Path "C:\inetpub\wwwroot" -Recurse -Filter *.aspx |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
Select-Object FullName, LastWriteTime, Length
The overlap in infrastructure suggests these threat actors are stepping on each other's toes. It raises a big question about attribution when shared web shells are involved.
How is everyone handling incident response when you detect overlapping infrastructure? Do you attribute based on the final payload, or does the shared access make definitive attribution impossible?
SOC Analyst here. We've started treating any web shell discovery as a 'multi-tenant' incident by default. We assume that if we found one, there's likely a backdoor for a different group sitting in the logs. It changes our containment strategy significantly—we usually pull the plug on the whole VLAN now instead of just deleting the file.
From a pentester's perspective, this highlights the danger of public-facing portals with legacy codebases. I often see these .NET apps relying on outdated libraries or hardcoded connection strings. If you aren't monitoring App_Data or bin folders for unusual writes, you're missing the easiest entry point. We recommend blocking compilation binaries on the server unless absolutely necessary to stop dynamic compilation attacks.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access