FBI Deletes PlugX Malware From Over 4,200 Computers
The U.S. Department of Justice (DoJ) announced Tuesday that a court-authorized operation enabled the Federal Bureau of Investigation (FBI) to delete PlugX malware from over 4,250 infected computers across the United States.
In a Rush? Here are the Quick Facts!
- The malware allowed hackers to control victim computers and extract confidential information.
- FBI obtained nine warrants to authorize malware removal from U.S.-based systems.
- PlugX infections primarily targeted Windows-based computers, including home devices.
The multi-month effort targeted a version of the malware developed and deployed by a China-sponsored hacking group known as “Mustang Panda,” also referred to as “Twill Typhoon.”
PlugX, a malicious tool designed to infiltrate and exfiltrate data from compromised systems, has been used by Mustang Panda since at least 2014. The group reportedly operates under the sponsorship of the Chinese government, targeting U.S. entities, European and Asian businesses, and even Chinese dissidents.
Once a device is infected, the malware persists, allowing hackers to communicate with it whenever it’s powered on, as reported by The Record. Many victims remained unaware of the malware’s presence, which prompted federal authorities to act, as noted by the DoJ.
The Record reports that French authorities revealed that cybersecurity firm Sekoia alerted the Paris Prosecutor’s Office and national agencies about a botnet created using PlugX malware. The malware, used for espionage, had compromised thousands of devices in France and worldwide.
Sekoia experts identified and seized control of a command-and-control server managing infected devices. This breakthrough enabled the company to develop a remote disinfection method, which was shared with several countries via Europol.
The disinfection campaign began on July 18 and is set to continue for months. Authorities confirmed that PlugX has already been removed from devices in Malta, Portugal, Croatia, Slovakia, Austria, and France.
In the United States, nine warrants issued by the Eastern District of Pennsylvania authorized the FBI to carry out its own removal of the malware, an operation that concluded on January 3, 2025.
This initiative removed PlugX malware from 4,258 U.S.-based systems, including numerous home computers. It marked a significant milestone in addressing Mustang Panda’s extensive hacking activities, which U.S. Attorney Jacqueline Romero described as “reckless and aggressive.”
The FBI has alerted affected computer owners through their internet service providers and is continuing its investigation into Mustang Panda’s cyber intrusions. Authorities urge the public to use antivirus software and maintain updated security measures to prevent reinfections.
Anyone suspecting their system may be compromised can file a report through the FBI’s Internet Crime Complaint Center (IC3) or contact their local FBI office for assistance.