‘Update complete, please refresh’: China, India-linked hackers targeted the same Pakistan police force, analysis finds
‘Update Complete, Please Refresh’ Malware Linked to China and India Hackers Targeting Pakistani Police
complete please refresh – China and India-linked cyber actors have been identified as the source of coordinated hacking campaigns targeting the Balochistan Police in Pakistan, according to a recent analysis. The focus keyword “complete please refresh” appears prominently in the malware used, which mimics a routine system update message to deceive users. These attacks, spanning nearly two years, reveal a strategic effort to exploit vulnerabilities in Pakistan’s law enforcement infrastructure, raising concerns about data security and geopolitical cyber warfare.
Targeted Cyber Campaigns and Strategic Motives
The analysis by SentinelLABS highlights four distinct hacking operations that targeted the Balochistan Police, a critical unit in Pakistan’s largest province. These campaigns, which began in February 2024 and continued through April 2026, were not limited to the police force. Researchers also noted breaches at three additional agencies: the Khyber Pakhtunkhwa Police, Islamabad Police, and the Punjab Safe Cities Authority. The shared interest in the Balochistan Police suggests it holds significant strategic value for cyber adversaries, possibly due to its role in managing separatist movements and critical infrastructure.
“The convergence of multiple hacking groups on the same target indicates a coordinated effort to maximize espionage gains,” the report states. This alignment between China and India-linked hackers points to a broader geopolitical strategy, where cyber operations are used to gather intelligence, disrupt communication, and influence political dynamics within Pakistan.
Malware Tactics and System Vulnerabilities
One of the key techniques employed by the hackers involved the use of malware disguised as system updates. The malicious files displayed the message “Update Complete! Please refresh the page” to blend seamlessly with the Balochistan Police’s citizen complaints portal. This tactic not only deceives users but also creates a pathway for long-term access to sensitive data. The malware was specifically designed to exploit both police staff and citizens, ensuring that the attack vector remains active and undetected for extended periods.
“The deceptive message serves as a psychological tool to reduce suspicion,” explains the report. By mimicking routine updates, hackers could maintain persistent access to the system without triggering alerts, allowing them to manipulate data and monitor activities discreetly.
Deep Penetration and Data Exposure
The cyberattacks penetrated four layers of the Balochistan Police’s digital infrastructure, revealing the depth of the adversaries’ capabilities. At the outermost layer, attackers gained access to network devices and an email gateway, which, while no longer the primary system, remained operational and could process internal and external communication. Researchers speculate that this access might still be used to intercept sensitive information or serve as a fallback in case of a full system compromise.
Further into the network, the hackers targeted servers running seven applications, including personnel records, stolen-vehicle tracking systems, and hotel guest databases linked to national IDs. These tools are vital for tracking criminal activity and managing public safety. While the breach stopped short of full data exfiltration for six of the seven systems, the seventh—specifically the citizen complaints portal—showed evidence of deeper compromise, suggesting the attackers had access to critical operational data.
Uncertainty and Future Threats
The latest phase of the attack remains unclear, as one malware file was classified as a “stager,” a small program written in Rust that only downloads a second-stage payload. Researchers were unable to retrieve the complete payload during their analysis, leaving the full impact of the intrusion uncertain. Although there is no confirmed evidence of data theft, the stager’s presence highlights the potential for more advanced operations to follow, such as stealing intelligence or disrupting police functions.
“The stager represents a critical step in the attack chain, indicating the hackers are preparing for more aggressive actions,” the report adds. This suggests that the current breach is just the beginning, with the possibility of deeper exploitation as the adversaries refine their tactics.
Broader Implications and Geopolitical Context
The coordinated efforts of China and India-linked hackers underscore the growing role of cyber warfare in regional conflicts. Balochistan, a province with a history of separatist unrest, has become a focal point for cyber operations targeting its police force. Analysts believe the attacks may be part of a larger strategy to gather intelligence on Pakistan’s security operations, monitor communications, or weaken institutional control over the region.
With the increasing frequency of such campaigns, Pakistan’s cybersecurity framework faces mounting pressure to adapt and strengthen. The use of the “complete please refresh” message as a deceptive tool highlights how sophisticated cyber threats are evolving to exploit both technical and human vulnerabilities. As the attacks continue, experts warn that the Balochistan Police could serve as a gateway for more extensive breaches targeting national security and public trust in government institutions.
