Over the course of several months, the FBI removes PlugX malware from 4,250 compromised computers.
The U.S. Department of Justice (DoJ) revealed on Tuesday that a court-authorized operation enabled the FBI to remove PlugX malware from over 4,250 infected computers as part of a months-long law enforcement effort.
PlugX: A Tool for Cyber Espionage
PlugX, also known as Korplug, is a remote access trojan (RAT) often linked to threat actors associated with the People's Republic of China (PRC). It allows attackers to steal information and remotely control compromised systems. According to an FBI affidavit, the PlugX variant targeted in this operation is connected to Mustang Panda, a state-sponsored hacking group also known by aliases such as Bronze President, RedDelta, and Camaro Dragon.
Since 2014, Mustang Panda has conducted cyber campaigns against thousands of targets, including U.S. entities, governments, businesses in Europe and Asia, and Chinese dissident groups. Other targets include countries such as Taiwan, Japan, South Korea, India, Myanmar, and the Philippines.
The Disinfection Campaign
The malware removal initiative, which began in late July 2024, was part of a broader effort to clean compromised systems. Cybersecurity firm Sekoia and the Paris Prosecutor's Office had previously detailed this campaign. The PlugX variant in question spreads via USB devices and communicates with a remote server controlled by attackers.
In April 2024, Sekoia revealed it spent $7 to "sinkhole" the malware’s server, redirecting its communications and enabling the issuance of self-delete commands to infected systems. This process involved:
- Deleting PlugX-related files.
- Removing registry keys used for malware persistence.
- Creating and executing a temporary script to stop and delete the malware.
- Cleaning up directories and temporary files created by PlugX.
The FBI confirmed that the self-delete command did not interfere with legitimate files or functions on affected devices within the U.S., nor did it transmit any additional data.
A Broad International Effort
Sekoia reported that nearly 59,475 disinfection payloads were issued, targeting 5,539 IP addresses across 10 countries. Assistant Attorney General Matthew G. Olsen described the campaign as an example of the "recklessness and aggressiveness" of PRC-sponsored cyber actors, citing the widespread infection of thousands of Windows-based systems, including many U.S. home computers.
This operation underscores the extensive reach of state-sponsored hacking campaigns and the coordinated efforts required to combat them effectively.