
FBI removes Chinese PlugX malware from 4,258 US computers

The FBI did not inform individuals that it deleted PlugX malware from users' computers beforehand, citing the possibility of Chinese state-sponsored hackers making adjustments.

An international law enforcement operation deleted malware used by Chinese threat actors from 4,200 computers in what has become a common practice for the FBI and U.S. Justice Department.

A state-sponsored threat actor known as "Mustang Panda" and "Twill Typhoon" infected thousands of devices with PlugX, a remote access Trojan that has been in use since at least 2008. According to the FBI's press release, the People's Republic of China paid Mustang Panda to develop a custom version of PlugX to "infect, control, and steal information from victim computers," with this specific software in use since at least 2014.

The operation, which was led by French law enforcement and French cybersecurity vendor Sekoia.io, seemingly began when the latter had identified and reported "the capability to send commands to delete the PlugX version from infected devices." The FBI tested the commands, confirmed their effectiveness, and in August 2024 gained the first of nine warrants to authorize the deletion of PlugX from U.S.-based computers. The warrants led to the deletion of PlugX from approximately 4,258 U.S.-based computers and networks.

According to the affidavit, this version of PlugX spreads through a computer's USB port, infects attached devices, and then attempts to spread to other Windows computers the infected device is later plugged into. Once PlugX successfully infects a computer, it maintains persistence "in part by creating registry keys which automatically run the PlugX application when the computer is started."

"Owners of computers infected by PlugX malware are typically unaware of the infection. When a computer infected with this variant of PlugX malware is connected to the internet, the PlugX malware can send a request to communicate with a command-and-control ("C2") server, whose IP address is hard-coded in the malware. In reply, the C2 server can send several possible commands to the PlugX malware on the victim computer," the affidavit read.

Such commands include requests for information about the victim's computer, exploration of its file system, and uploading, downloading, moving and deleting files on the victim machine. "Based on my training and experience, I know that these functionalities allow the controller of the C2 server to identify a targeted victim, and then collect and stage the victim's computer files for exfiltration," an unidentified FBI agent wrote.

The FBI and DOJ have used similar tactics in recent years to disrupt botnets and nation-state malware campaigns. In 2022, the FBI disrupted a Russian state-sponsored botnet known as Cyclops Blink by removing malware from infected systems that were used for C2 purposes. In 2023, the FBI and DOJ conducted "Operation Duck Hunt," which dismantled the Qakbot botnet that had infected as many as 700,000 systems worldwide.

As with previous malware removal operations, the FBI and DOJ acted without notifying the users of infected systems or obtaining their consent beforehand. According to the affidavit, the FBI requested a delay in informing the public until Jan. 11 because of concerns about tampering with or destruction of evidence.

"Here, the facts justify a delay of up to January 11, 2025, because it may take multiple weeks to remediate the malware," the affidavit read. "Premature disclosure to the public at large or to individual owners of the TARGET DEVICES could result in publicity that would then give the hackers the opportunity to make changes to the malware, enabling continued or additional damage to remaining victims' devices."

After the operation was carried out, the FBI began providing notice through the victims' internet service providers that it had removed the malware.

Informa TechTarget's SearchSecurity contacted the FBI for additional information, but the bureau had not responded as of press time.

Andrew Crocker, surveillance litigation director at digital rights nonprofit the Electronic Frontier Foundation, expressed concern about such law enforcement operations in a statement shared with Informa TechTarget.

"Warrants like these are an extremely powerful and potentially dangerous tool, allowing the government access to thousands of innocent people's computers to remove files, without prior notice, and with only a very rough sense that they are located in the United States," he said.

"For that reason, EFF continues to believe Congress should not have allowed the loosening of rules for issuing warrants for remote searches under Rule 41 of the Federal Rules of Criminal Procedure. In this case, however, the DOJ sought extremely limited remote access, only targeting a small bit of malicious software, allegedly without searching or seizing the rest of the computer, or interfering with its operation. It's good that the DOJ unsealed this promptly, and it's true that eliminating the malware was beneficial, but it remains deeply disturbing to see a court authorize government agents to access your computer based on the government's idea of what is best for you."

Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, declined to weigh in directly on the operation but was wary of any entity that fixes a security issue by intruding on the affected systems itself.

"There have been instances in the past where someone, not necessarily law enforcement, has used a vulnerability to patch a vulnerability. While it sounds great on the surface, it just takes one error to go from bad to worse," he said. "What if the 'patch' breaks other critical features the 'good guys' weren't aware of? You could end up in a situation where the cure is worse than the disease."

Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.
