Introduction
The PlugX malware [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], a remote access Trojan (RAT) developed by the China-based hacking group Mustang Panda, also known as Twill Typhoon [6] [9] [11], has been a significant threat to global cybersecurity. A collaborative operation led by the US Department of Justice (DoJ) [7] and French authorities [5] [9], together with the cybersecurity firm Sekoia.io, removed this malware from over 4,000 infected systems worldwide.
Description
A variant of PlugX malware [3], a remote access Trojan (RAT) developed by the China-based hacking group Mustang Panda, also known as Twill Typhoon [6] [9] [11], has been removed from over 4,000 infected Windows-based computers and networks in the US and worldwide following a multi-month operation led by the US Department of Justice (DoJ) and French authorities in collaboration with the cybersecurity firm Sekoia.io [7] [9]. The group, linked to state-sponsored hacking by the government of the People’s Republic of China (PRC), has been active in global infiltration efforts since at least 2014 [8], conducting espionage against government and business systems across the US, Europe and Asia [2] [3] [6] [7] [10] [11], as well as against Chinese dissident groups [3] [10], in order to steal sensitive information [2] [11]. PlugX [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], first discovered in 2012 [1], has spread to computers globally primarily through phishing and USB flash drives, and is designed to collect and stage files for exfiltration [9].
The operation relied on a disinfection technique that used access to the hackers’ command-and-control (C2) server: the FBI issued commands that triggered the malware’s “self-destruct” function, which erased the PlugX variant from infected systems without affecting the devices’ legitimate functions. Sekoia.io reported that it could send commands instructing infected devices to remove the malware, its associated files [2] [4], and its registry keys [2] [5]. By December 26, 2024 [7], a legal framework was in place to conduct disinfection operations in 10 countries [7], and 59,475 disinfection payloads were sent to 5,539 IP addresses [7]; at least 45,000 IP addresses in the US had contacted the C2 server since September 2023.
In the US [3] [4] [6] [7] [8] [11], the FBI obtained nine court warrants from the Eastern District of Pennsylvania between August and December 2024 authorizing the deletion of PlugX from infected computers, and confirmed that the deletion commands were effective [7] [10]. The operation concluded when the last court warrant expired on January 3, 2025 [7]. Following the operation [5], the FBI began notifying affected computer owners through their internet service providers [7], while encouraging the use of antivirus software and security updates to prevent reinfection [10]. The FBI continues to investigate Mustang Panda’s activities [10]. Infected computers communicate with a hard-coded C2 server, which allows the attackers to execute various commands, including file manipulation and system exploration [5]. US Attorney Jacqueline Romero criticized the actions of Chinese state-sponsored hackers [6], describing their long-term infection of thousands of Windows-based computers [6], including many home computers in the US [6], as reckless and aggressive [6]. The US Justice Department has accused the Chinese government of funding the development of the PlugX malware for espionage purposes [9], underscoring the ongoing threat posed by this state-backed group. The Mustang Panda group has also been linked to compromising the systems of cargo shipping companies in countries such as Norway, Greece [8], and the Netherlands [8], highlighting the extensive reach of its cyber operations. In 2022, the group was reported to have conducted phishing campaigns against organizations in Europe and Russia [3], and in 2023 [3] it targeted Myanmar with similar tactics [3].
Conclusion
The successful removal of the PlugX malware variant marks a significant achievement in international cybersecurity efforts. The operation not only neutralized a major threat but also highlighted the importance of international collaboration in combating cybercrime. Moving forward, continued vigilance and cooperation among global cybersecurity entities are essential to mitigate future threats posed by state-sponsored hacking groups like Mustang Panda. The emphasis on using antivirus software and regular security updates remains crucial in preventing reinfection and safeguarding sensitive information.
References
[1] https://www.techtimes.com/articles/309085/20250115/doj-fbi-hacks-over-4000-us-computers-remove-chinese-malware-plugx-used-espionage.htm
[2] https://arstechnica.com/tech-policy/2025/01/fbi-forces-chinese-malware-to-delete-itself-from-thousands-of-us-computers/
[3] https://www.csoonline.com/article/3802814/international-effort-erases-plugx-malware-from-thousands-of-windows-computers.html
[4] https://www.theverge.com/2025/1/14/24343495/fbi-computer-hack-uninstall-plugx-malware
[5] https://www.techtarget.com/searchSecurity/news/366618048/FBI-removes-Chinese-PlugX-malware-from-4258-US-computers
[6] https://www.techradar.com/pro/security/a-major-fbi-operation-has-deleted-chinese-malware-from-thousands-of-us-computers
[7] https://www.infosecurity-magazine.com/news/chinese-plugx-malware-deleted/
[8] https://www.engadget.com/cybersecurity/doj-remotely-cleaned-thousands-of-computers-infected-with-chinese-malware-191837967.html
[9] https://techcrunch.com/2025/01/14/doj-confirms-fbi-operation-that-mass-deleted-chinese-malware-from-thousands-of-us-computers/
[10] https://www.justice.gov/opa/pr/justice-department-and-fbi-conduct-international-operation-delete-malware-used-china-backed
[11] https://securityaffairs.com/173073/malware/fbi-deleted-china-linked-plugx-malware-from-over-4200-us-computers.html