FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month Operation

FBI PlugX Malware Removal Operation

In a significant cybersecurity operation, the U.S. Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) have successfully removed the PlugX malware from over 4,200 computers in the United States. Here are the key details of this operation:

Background and Threat

  • The PlugX malware is a remote access trojan (RAT) that has been in use since at least 2008. It allows attackers to gain complete control over infected systems, enabling them to steal information, install additional malicious software, and manipulate system settings without detection [1][3][5].

Mustang Panda and Twill Typhoon

  • The malware was linked to hacking groups known as "Mustang Panda" and "Twill Typhoon," which are believed to be sponsored by the People’s Republic of China (PRC). These groups have been involved in hacking campaigns since at least 2014, targeting a wide range of victims including U.S. businesses, European and Asian governments, and Chinese dissident groups [1][3][5].

Operation Details

  • The operation involved collaboration with international partners, including French authorities and the French cybersecurity firm Sekoia.io. Sekoia developed a method for identifying and deleting the specific version of PlugX from infected devices, which was tested and confirmed by the FBI to ensure it did not impact the legitimate functions of the infected computers [5].
  • The DOJ obtained nine rolling warrants in August 2024 to authorize the removal of the malware. The operation resulted in the deletion of PlugX malware from approximately 4,258 U.S.-based computers and networks [5].

Scope and Impact

  • The malware was found to be widespread, with infections in more than 170 countries. A snapshot of PlugX activity showed that around 15 countries accounted for over 80% of the total infections, with the United States being one of the most affected [5].
  • Mustang Panda is known for targeting governments and organizations involved in China’s Belt and Road Initiative, as well as various other international targets including European shipping companies, European governments, and governments throughout the Indo-Pacific region [5].
  • Court documents unsealed in the Eastern District of Pennsylvania revealed the details of the operation and the involvement of PRC-sponsored hacking groups. The public disclosure of the operation was delayed until January 2025, following the completion of the malware removal [3][5].

Official Statements

  • U.S. Attorney Jacqueline C. Romero emphasized the severity of the cyber intrusions and the comprehensive approach to U.S. cybersecurity protection. FBI Philadelphia Special Agent in Charge Wayne Jacobs highlighted the FBI’s resolve to pursue PRC adversaries and protect American victims [3][5].

Conclusion

The removal of PlugX malware from thousands of U.S. computers marks a significant victory in the fight against state-sponsored cyber threats. The operation underscores the importance of international collaboration and the commitment of U.S. law enforcement agencies to protecting national cybersecurity.

Sources:

  • [1] The Cyber Express: U.S. Authorities Eradicate PlugX Malware Nationwide
  • [3] Legal News Line: International coalition removes malware linked to China-backed hackers
  • [5] The Record: DOJ deletes China-linked PlugX malware off more than 4,200 US computers