
The FBI, with court approval, has remotely removed PlugX malware from 4,258 computers in the United States. The operation targeted a version of the malware linked to Mustang Panda, a hacking group believed to have ties to the Chinese government.
The move, announced on January 14, 2025, highlights the FBI’s increasing reliance on proactive cyber defense tactics.
Nine warrants secured for malware removal
The Department of Justice (DoJ) revealed that the operation began in August 2024, after a warrant was issued in the Eastern District of Pennsylvania. The FBI obtained nine warrants in total, the last of which expired on January 3, 2025.
These warrants authorized the FBI to access infected systems and delete malware without disrupting the normal functions of the computers.
PlugX: A longstanding cybersecurity threat
PlugX, active since 2014, is a sophisticated malware capable of taking control of systems and stealing sensitive information. It is often used by cybercriminals and state-sponsored groups to target government agencies, corporations, and critical infrastructure.
The malware’s ability to bypass security measures and its potential to cause widespread damage made it a priority for U.S. cybersecurity efforts.
FBI ensures careful execution of the operation
The FBI confirmed that the operation involved taking control of PlugX’s command-and-control server and using the malware’s built-in self-delete feature to remove it from infected machines. Officials stated that all actions were tested beforehand to ensure they would not interfere with legitimate system functions or collect any user data.
“The FBI acted to protect U.S. computers from further compromise by PRC state-sponsored hackers,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division. He emphasized that the operation was part of the FBI’s broader mission to safeguard national security from foreign cyber threats.
Mustang Panda’s ties to China highlighted
Court documents revealed that Mustang Panda, also known as Twill Typhoon, used this version of PlugX to infiltrate thousands of systems, targeting U.S. organizations in particular. The group is believed to have received backing from the Chinese government, raising concerns about state-sponsored cyberattacks.
🇺🇸 DOJ wipes Chinese PlugX malware from 4,200 U.S. computers in a court-approved cyber operation.
Used by hacker groups Mustang Panda & Twill Typhoon, the malware infected systems globally.
U.S. owners will be notified via ISPs. pic.twitter.com/EvUYswWwcw
— Alfred Lanning (@alfred_lanning1) January 15, 2025
Global collaboration key to success
The FBI’s collaboration with French cybersecurity agencies was instrumental in the success of the operation. Chris Henderson, senior director of threat operations at Huntress, praised the effort, calling it a prime example of international cooperation.
“The FBI’s coordinated effort with French agencies to disrupt PlugX demonstrates the power of international collaboration in combating cyber threats,” Henderson said.
“By gaining control of the malware’s command-and-control server and leveraging its native self-delete functionality, they’ve successfully removed a significant threat from thousands of infected machines.”
Henderson highlighted the importance of careful planning, noting that the inclusion of affidavits assessing potential risks before file deletions set a high standard for similar operations in the future. This thoughtful approach, he said, minimized unintended consequences and ensured the protection of affected systems.
Proactive measures against evolving threats
As cyber threats continue to evolve, the FBI’s actions serve as a reminder of the growing need for proactive measures to counter malicious activity. The PlugX removal operation not only addressed a significant security risk but also demonstrated how careful planning and international collaboration can effectively combat cybercrime.