In a coordinated international effort, the U.S. Department of Justice (DOJ) announced the removal of PlugX malware from over 4,200 U.S. computers, marking a significant milestone in the fight against state-sponsored cyber threats.
The process began in August 2024, when the DOJ obtained the first of nine court-authorized warrants, granting the FBI permission to delete PlugX from infected devices.
Over the following months, the FBI meticulously identified and prepared affected systems for remediation. The removal involved sending a series of specialized commands to infected devices, including deleting files, registry keys, and directories associated with PlugX. A temporary script then stopped the malware, removed its components, and ensured the infection could not reestablish itself.
By January 2025, the malware was removed from targeted computers without affecting functionality, and device owners were notified through their internet providers. Public disclosure was delayed to ensure success and avoid alerting active threat actors.
PlugX, developed and deployed by the Chinese hacking group Mustang Panda, is known for its persistence and ability to spread via USB drives. Emerging in 2008 and evolving over the years, it has been used to target governments and corporations worldwide. Supported by French authorities and cybersecurity firm Sekoia, U.S. officials successfully dismantled the malware’s infrastructure and remotely eradicated infections with precision, setting a new benchmark for international cybersecurity cooperation.
The operation highlights the vital role of cross-border collaboration in tackling cyber threats that extend beyond national borders.
Why It Matters: The removal of PlugX malware by the DOJ is a major step in countering state-sponsored cyber threats, disrupting a long-running espionage campaign, and protecting thousands of U.S. systems without affecting functionality. This effort between U.S. and French authorities, aided by Sekoia, underscores the importance of international partnerships in tackling cross-border cyber risks. By dismantling Mustang Panda’s infrastructure, the operation also provided insights to strengthen future cybersecurity defenses while ensuring transparency and protecting user privacy.
- PlugX Malware Overview: Initially developed in 2008 by Chinese state-linked entities, PlugX has evolved into a highly adaptable tool for cyber espionage. It allows operators to maintain persistence on infected devices, log keystrokes, download files, and execute commands.
- Mustang Panda’s Role: This Chinese hacking group leveraged PlugX to target a range of entities, including governments, shipping companies, and dissident groups. The malware was spread via USB drives and across networks, enabling widespread infection in over 170 countries.
- Coordinated Response: The DOJ obtained nine rolling warrants in 2024 to authorize the deletion of PlugX malware from infected systems. French authorities and cybersecurity firm Sekoia were instrumental in identifying and dismantling the malware’s command-and-control infrastructure.
- Operation Highlights: Using a script designed by Sekoia, the FBI deleted PlugX from over 4,200 U.S.-based computers. The process ensured no legitimate system functions were disrupted, and owners of disinfected devices were notified through internet service providers.
Go Deeper:
- US Removes Malware Allegedly Planted on Computers by Chinese-Backed Hackers – Reuters
- FBI Deletes Chinese PlugX Malware from Thousands of US Computers – Bleeping Computer
- DOJ Deletes China-Linked PlugX Malware Off More Than 4,200 US Computers – The Record