Chinese PlugX Malware Deleted in Global Law Enforcement Operation


A version of the “PlugX” malware used by Chinese state-backed hackers has been deleted from thousands of computers in the US and worldwide following a multi-month law enforcement operation, the US Department of Justice (DoJ) has announced.

The malware was used by Chinese cyber espionage group Mustang Panda to infect, control and steal information from computers used by governments and businesses across the US, Europe and Asia since 2014.

French law enforcement, in partnership with the France-based cybersecurity company Sekoia.io, led the operation to develop the disinfection technique and the framework for carrying it out. This was adopted by the FBI to disinfect US-based devices.

Sekoia.io recently reported on its capability to send commands that delete this PlugX version from infected devices. The firm revealed on December 26, 2024, that a legal framework had been established and that disinfection operations using the technique had been conducted in 10 countries. This resulted in 59,475 disinfection payloads being sent during the campaign, targeting 5,539 IP addresses.

In the US, the FBI obtained warrants from a US court to authorize the deletion of PlugX from US-based computers. This came after the agency confirmed the effectiveness of the deletion commands and was able to ensure they did not impact the legitimate functions of infected computers.

The FBI was able to delete PlugX malware from approximately 4,258 US-based computers and networks.

The last of the court warrants expired on January 3, concluding the US portion of the operation.

The FBI is providing notice to US owners of Windows-based computers affected by this court-authorized operation through the victims’ internet service providers.

Mustang Panda Paid by Chinese Government to Target Devices

An FBI affidavit filed with a US court on January 14 said the Mustang Panda group was paid by the People’s Republic of China (PRC) government to develop and deploy the specific PlugX variant.

The cyber espionage group used the variant to infiltrate numerous government and private sector businesses.

This included a number of European shipping companies in 2024 and several European governments from 2021 to 2023.

Worldwide Chinese dissident groups and governments throughout the Indo-Pacific were also heavily targeted in the campaign.

US Attorney for the Eastern District of Pennsylvania, Jacqueline Romero, said the wide-ranging hack demonstrated the “recklessness and aggressiveness” of PRC-sponsored hackers.

“Working alongside both international and private sector partners, the DoJ court-authorized operation to delete PlugX malware proves its commitment to a ‘whole-of-society’ approach to protecting US cybersecurity,” she commented.

The announcement came after it was reported in November that Chinese state-sponsored group Salt Typhoon had breached major telecommunications providers in the US as part of a large-scale cyber-espionage campaign.

Victims Usually Unaware of Infection

The PlugX variant is spread through a computer’s USB port, infecting attached USB devices, and then potentially spreading to other Windows-based computers that the USB device is later plugged into, the FBI wrote in its affidavit.

The attackers achieved persistence partly by creating registry keys which automatically run the PlugX application when the computer is started.

The computer owners are typically unaware that they have been infected.

PlugX is able to communicate with a command and control (C2) server when the infected computer connects to the internet.

The C2 server can remotely request information about the victim computer, explore its file system, and upload, download, move and delete files.
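The affidavit's description of persistence through registry keys that launch PlugX at startup points to where a defender would look on a suspect Windows host. The following PowerShell script is an added example written for this article, not code from the FBI, Sekoia.io or the original page: it audits the standard Windows autorun registry locations (the key list and the user-writable-directory heuristic are assumptions of the example, not PlugX-specific indicators from the affidavit) and surfaces entries whose executable is unsigned, missing, or started from a directory an ordinary user can write to.

```powershell
# Added example (not from the article): audit standard Windows autorun registry
# locations and flag entries a responder would review first. The key list and
# the "user-writable directory" heuristic are assumptions of this example and
# are not indicators taken from the FBI affidavit. Run in an elevated session.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories an unprivileged user can write to; an autorun launching from
# one of these is not necessarily malicious but deserves a closer look.
$userWritableRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, "$env:SystemDrive\ProgramData"
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

# Properties Get-ItemProperty adds that are not registry values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunExecutable {
    param([string]$Command)
    # Pull the executable path out of a Run-key command line, which may be
    # quoted, may carry arguments and may use %ENV% variables.
    $path = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] }
            elseif ($Command -match '^\s*(.+?\.exe)') { $Matches[1] }   # -match is case-insensitive
            else { ($Command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }
        $exe = Get-AutorunExecutable -Command ([string]$p.Value)
        $exeLower = $exe.ToLowerInvariant()
        $inUserWritable = [bool]($userWritableRoots | Where-Object { $exeLower.StartsWith($_) })
        # Authenticode status: Valid, NotSigned, HashMismatch, ... or our own marker
        # when the referenced binary no longer exists on disk.
        $signature = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else { 'FileMissing' }
        [pscustomobject]@{
            Key          = $key
            Name         = $p.Name
            Executable   = $exe
            UserWritable = $inUserWritable
            Signature    = $signature
        }
    }
}

# Entries worth a responder's attention first: unsigned or missing binaries,
# or binaries launched from a user-writable location.
$findings |
    Where-Object { $_.UserWritable -or ($_.Signature -ne 'Valid') } |
    Sort-Object Key, Name |
    Format-Table -AutoSize
```

The script only reads the registry and checks signatures; it removes nothing. Any entry it flags should be compared against a known-good baseline for the host before action is taken, since legitimate software also installs unsigned or user-profile autoruns.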
