FBI Removes PlugX Malware From Thousands of PCs
The operation was made possible by the efforts of French authorities, who gained access to the C2 server
The FBI and international law enforcement agencies have conducted a long-term operation that removed the PlugX malware from thousands of computers, including more than 4,000 machines in the United States. The operation was conducted in concert with French officials and specifically targeted computers infected with a version of PlugX allegedly developed by the Mustang Panda group at the behest of the Chinese federal government.
PlugX is a fully featured backdoor that gives attackers full control of an infected machine. The malware has been in use for more than a decade and is typically associated with Chinese APT groups, including Mustang Panda, which is also known as RedDelta and Twill Typhoon. Just last week, researchers at Recorded Future’s Insikt Group revealed that Mustang Panda has been using a custom version of PlugX in recent intrusions. The FBI and French authorities obtained several warrants over the last five months to remove PlugX from compromised machines and have been working with French security firm Sekoia.io to identify infected computers and remediate them.
The operation was made possible by the efforts of French authorities, who gained access to the C2 server for this variant of PlugX. The agencies took advantage of a native command in the PlugX malware to tell it to delete itself from infected machines.
“The Department of Justice prioritizes proactively disrupting cyber threats to protect U.S. victims from harm, even as we work to arrest and prosecute the perpetrators,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “This operation, like other recent technical operations against Chinese and Russian hacking groups like Volt Typhoon, Flax Typhoon, and APT28, has depended on strong partnerships to successfully counter malicious cyber activity.”
PlugX is not the sole property of any one threat group, but has been used by several different teams, almost exclusively Chinese groups. The version of PlugX targeted in this operation was allegedly developed by Mustang Panda as a contract job for the Chinese government.
“China-based state-sponsored hackers have been using PlugX malware since at least 2014. This group of computer hackers is known by cybersecurity researchers as Mustang Panda and Twill Typhoon. The FBI assesses that Mustang Panda takes payment from the Chinese government in exchange for providing malware, including PlugX, and other computer intrusion services. The FBI’s multi-year investigation of Mustang Panda has confirmed that this group of computer hackers has infiltrated the computer systems of numerous government and private organizations, including in the United States,” the affidavit released today says.
In the affidavit, the FBI estimates that more than 45,000 computers in the U.S. have connected to the PlugX C2 server since September 2023.
“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers,” said U.S. Attorney Jacqueline Romero for the Eastern District of Pennsylvania.