The FBI conducted a sophisticated operation to eliminate the PlugX malware, which China-backed hackers had used to steal sensitive data. According to the U.S. Department of Justice, the agency remotely accessed approximately 4,200 computers across the country to neutralize the threat.
As detailed in a recently disclosed court filing, PlugX was disseminated by the hacker group “Mustang Panda” (also known as “Twill Typhoon”). This group has reportedly employed the malware since at least 2012, targeting thousands of Windows-based systems in the United States, Asia, and Europe. The malware infiltrated devices via USB drives and operated covertly in the background, granting attackers remote access to files and the ability to execute commands on compromised systems.
PlugX established a connection to a command-and-control server whose IP address was hard-coded in the malware. This mechanism enabled the hackers to control infected systems, browse their contents, and collect data, including the IP addresses of the victims. The FBI reported that since September 2023, around 45,000 IP addresses within the U.S. had communicated with such servers.
The FBI exploited this same mechanism to remove PlugX from infected devices. Collaborating with French law enforcement, who conducted a parallel operation, American specialists gained access to the control server and obtained a list of compromised IP addresses.
Subsequently, the infected computers were sent a specialized command instructing PlugX to delete its files, stop executing its malicious code, and completely remove itself from the systems.
The use of such proactive methods reflects the FBI’s evolving strategy in combating cyber threats. In 2023, the agency executed a similar operation against the Qakbot botnet, remotely deploying software to infected devices to eradicate the malicious code. In 2021, the FBI also infiltrated hundreds of systems to remove backdoors left by the Chinese hacking group Hafnium during cyberattacks exploiting vulnerabilities in Microsoft Exchange.