The U.S. Department of Justice (DoJ) announced that the FBI removed the PlugX malware from more than 4,250 infected computers in a major law enforcement operation. PlugX is a remote access trojan (RAT) widely used by state-sponsored threat actors associated with the People’s Republic of China (PRC); it gives an operator remote control of a compromised device and the ability to steal data from it. The FBI’s operation was the final stage of a multi-month effort to disrupt activity linked to a hacking group tracked as Mustang Panda, which is also known by other names, including BASIN and RedDelta.
Since 2014, Mustang Panda has carried out numerous cyberattacks against U.S. victims, European and Asian governments, businesses, and dissident groups. The group uses PlugX to gain and keep remote control of compromised systems and to exfiltrate sensitive information, and a variant of the malware spreads itself to USB devices plugged into an infected host. That combination of remote control and self-propagation made PlugX a significant threat, with infections observed across a wide range of targets, including Taiwan, Hong Kong, Japan, South Korea, India, and several Southeast Asian nations.
The disinfection campaign, which began in July 2024, aimed to remove PlugX from thousands of computers, including home devices across the U.S. Cybersecurity firm Sekoia, working with the Paris Prosecutor’s Office, had previously disclosed the campaign: Sekoia had sinkholed a command-and-control server that infected machines beaconed to, acquiring its IP address for just $7. Control of that server is what allowed the FBI to issue a self-delete command that wiped the malware from infected devices without damaging legitimate files or functions on the targeted computers.
According to the DoJ, more than 59,000 disinfection payloads were issued to 5,539 unique IP addresses, which shows the scale of the operation. The self-delete command removed the files PlugX had written, the registry keys it used to run automatically at startup, and the directories it ran from, and then removed itself. The Justice Department condemned the reckless conduct of PRC-backed cyber actors, noting the wide-ranging impact on both public and private sector entities. The operation marks a significant success against state-sponsored cyber threats that have increasingly targeted critical infrastructure and sensitive data globally.