DOJ, FBI Dismantle Malware Used by China-Backed Hackers in Global Operation

In an international effort, the US Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) have successfully eliminated a sophisticated malware threat known as “PlugX” from over 4,200 computers across the United States.

The malware, used by bad actors sponsored by the People’s Republic of China (PRC), has targeted global victims since 2014.

The multi-month operation, which involved collaboration with French law enforcement and the cybersecurity company Sekoia.io, was authorized by court orders issued in the Eastern District of Pennsylvania. Hackers linked to the PRC, operating under the aliases “Mustang Panda” and “Twill Typhoon,” exploited the PlugX malware to infiltrate computer systems and steal sensitive data from governments, businesses, and dissident groups.

A Powerful RAT

“PlugX is a powerful remote access Trojan (RAT) often used in targeted cyber-espionage campaigns,” explained Chris Jones, Incident Response Analyst at Check Point Software. “Its modular design allows attackers to tailor its capabilities to their specific needs, enabling activities like data theft, keylogging, file manipulation, and executing commands on infected systems. It is typically spread through spear-phishing campaigns, exploiting vulnerabilities, or using malicious attachments to gain access.”

He added that this seizure of servers used to facilitate PlugX operations by law enforcement agencies strengthens initiatives such as the 2019 seizure of servers linked to the Imminent Monitor RAT. “These coordinated actions demonstrate an ongoing commitment to dismantling cybercriminal infrastructure and protecting users from sophisticated malware and privacy threats.”

PRC-Backed Cyber Espionage

According to unsealed court documents, Mustang Panda received funding from the PRC government to develop and deploy this version of PlugX malware. Their attacks targeted entities in the United States, Europe, and Asia. Despite previous cybersecurity warnings, many infected users remained unaware of the malware on their systems until this recent operation.

Assistant Attorney General Matthew Olsen of the DOJ’s National Security Division emphasized the importance of proactive measures in countering cyber threats: “This operation, like other recent technical operations against Chinese and Russian hacking groups like Volt Typhoon, Flax Typhoon, and APT28, has depended on strong partnerships to successfully counter malicious cyber activity. I commend partners in the French government and private sector for spearheading this international operation to defend global cybersecurity.”

Deleting Malware from US Systems

The operation’s success was facilitated by advanced technical capabilities identified by Sekoia.io, enabling law enforcement to send commands to infected systems to delete the malware. The FBI conducted extensive testing to ensure these commands effectively removed the malware without compromising legitimate system functions.

In total, nine court warrants authorized the deletion of PlugX from 4,258 computers across the US. The last warrant expired on 3 January 2025, marking the conclusion of US efforts in this operation.

Assistant Director Bryan Vorndran of the FBI’s Cyber Division highlighted the agency’s commitment: “Today’s announcement reaffirms the FBI’s dedication to protecting the American people by using its full range of legal authorities and technical expertise to counter nation-state cyber threats.”

Collaboration on a Global Scale

This operation exemplifies a “whole-of-society” approach, bringing together law enforcement, the private sector, and international partners. The French Gendarmerie Cyber Unit and the Cyber Division of the Paris Prosecution Office played pivotal roles in leading the international effort.

US Attorney Jacqueline Romero for the Eastern District of Pennsylvania stated: “This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers.” 

Ongoing Investigation

The FBI will continue to investigate Mustang Panda’s activities and encourages individuals who suspect their systems may be compromised to report incidents via the FBI’s Internet Crime Complaint Center (IC3) or contact their local FBI field office.

To prevent reinfection, the FBI strongly urges users to update software security patches and deploy anti-virus solutions.