Pierluigi Paganini January 14, 2025

The FBI has removed Chinese PlugX malware from over 4,200 computers in networks across the United States, the U.S. Department of Justice reported.

The Justice Department and FBI, along with international partners, announced they deleted PlugX malware from thousands of infected computers worldwide as part of a multi-month law enforcement operation. The malware was operated by a China-linked threat actor, known as Mustang Panda (aka Twill Typhoon, to steal sensitive information from victim computers.

According to court documents, the Chinese government paid Mustang Panda to develop PlugX malware, used since 2014 to target U.S., European, and Asian entities. A court operation recently removed PlugX infections from U.S. systems.

French law enforcement and cybersecurity firm Sekoia.io led the international operation against the malware. They discovered how to send commands to the infected hosts to wipe the PlugX version.

The FBI tested the commands and confirmed their effectiveness, the feds also determined that the commands have no impact on the normal functions of the infected computers.

“In August 2024, the Justice Department and FBI obtained the first of nine warrants in the Eastern District of Pennsylvania authorizing the deletion of PlugX from U.S.-based computers. The last of these warrants expired on Jan. 3, 2025, thereby concluding the U.S. portions of the operation.” reads the press release published by DoJ. “In total, this court-authorized operation deleted PlugX malware from approximately 4,258 U.S.-based computers and networks.”

The PlugX variant targeted by the international operation supports wormable capabilities that allowed the threat to spread through USB flash drives.

According to court documents, threat actors used the malware to target European shipping firms (2024), European governments (2021-2023), Chinese dissident groups, and Indo-Pacific governments, including Taiwan and Japan.

A French law enforcement agency has gained access to the C2 server (45.142.166.112) used to control the malware. Then law enforcement used the C2 server to send commands to computers infected with the variant of PlugX malware. This PlugX malware supports a “self-delete” command that instruct the malware to:

• delete the files created by the PlugX malware on the victim computer
• delete the PlugX registry keys used to automatically run the PlugX application when the victim computer is started,
• create a temporary script file to delete the PlugX application after it is stopped,
• stop the PlugX application,
• run the temporary file to delete the PlugX application, delete the directory created on the victim computer by the PlugX malware to store the PlugX files, and delete the temporary file from the victim computer.

The FBI started notifying the owners of the computers in the US that were sanitized with the help of ISPs.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PlugX malware)