Malware used by Chinese state-backed hackers has been removed from thousands of U.S. computers in an operation launched by the FBI and Justice Department.
U.S. law enforcement accused the People’s Republic of China of paying hackers belonging to the well-known group Mustang Panda to deploy the PlugX malware, which allows them to “infect, control, and steal information from victim computers.”
Through a court order in the Eastern District of Pennsylvania, the DOJ obtained authorization in August to delete the malware from U.S. computers, and it was able to delay public disclosure of the operation until January. The DOJ worked alongside French authorities and the French cybersecurity firm Sekoia.io on the months-long effort to remove the malware.
“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers,” said U.S. Attorney Jacqueline Romero.
“Working alongside both international and private sector partners, the Department of Justice’s court-authorized operation to delete PlugX malware proves its commitment to a ‘whole-of-society’ approach to protecting U.S. cybersecurity.”
FBI Philadelphia Special Agent in Charge Wayne Jacobs said the bureau spent months identifying U.S. computers infected with the malware in preparation for the deletion effort. The malware is typically placed on victim devices without the owners’ knowledge and has been used by a variety of Chinese espionage hackers since 2014.
U.S. officials credited experts at Sekoia with creating a method for identifying and deleting a specific version of PlugX from infected devices. The FBI tested the technique and confirmed it did not “impact the legitimate functions of, or collect content information from, infected computers” before deploying it alongside French authorities.
The DOJ said it obtained nine rolling warrants in August 2024 before taking action against the PlugX malware on approximately 4,258 U.S.-based computers and networks.
The owners of the devices have been notified of the action through their internet service providers.
USB spreader
The malware was initially developed in 2008 by front companies linked to China’s Ministry of State Security and has been used widely among the country’s espionage groups. In 2020, hackers within Mustang Panda added a capability that allowed the malware to infect USB flash drives, with the goal of gaining access to networks that are not connected to the internet.
After infecting a device, the malware persists on the machine and allows the hackers to communicate with it whenever it is turned on.
French authorities said Sekoia contacted the Paris Prosecutor’s Office and other cybersecurity agencies in the country about a botnet created by Chinese hackers using the PlugX malware. Hackers allegedly took over thousands of devices in France and many more around the world, using the malware for espionage purposes.
Experts at Sekoia were able to identify and take over a command and control server that managed thousands of infected machines. Through this takeover, the company was able to develop a method of remotely “disinfecting” machines and presented the tactic to several countries through Europol.
The disinfection effort was launched on July 18 and French authorities said it will continue for several months. They noted that devices in Malta, Portugal, Croatia, Slovakia and Austria as well as France have already had PlugX removed.
Sekoia previously published its own blog in April 2024 confirming its actions, noting that it found between 90,000 and 100,000 unique IP addresses infected with PlugX. The malware was spread through infected USB drives and from there propagated across networks.
“While studying the cryptography of PlugX’s communications, we discovered that it was possible to send disinfection commands to the compromised workstations. Two approaches can be implemented: one that disinfects only the workstation, and a more intrusive one that disinfects both the workstation and the USB drive,” Sekoia experts said.
“Despite the fact that this worm cannot be completely stopped, we are offering the affected countries the possibility of disinfection, with a concept of sovereign disinfection process.”
In the April 2024 report, Sekoia was open about its concerns over proactively disinfecting devices itself without legal authority or jurisdiction. It opted at the time to bring its findings to law enforcement agencies, national Computer Emergency Response Teams (CERTs) and cybersecurity agencies.
The FBI and DOJ have also acknowledged the potential privacy issues of past operations to remove Russian and Chinese malware from unsuspecting U.S. devices.
But officials from both agencies have said in the past that they took painstaking steps to get court approval for the operations and released troves of cybersecurity advisories to publicize their actions so no one was caught off guard.
Belt and Road targeting
PlugX has long been the malware of choice for Chinese state-backed hacking groups, first emerging in attacks on Japan in 2008. It was deployed mainly against nations in Asia until 2012, when it started to be used in attacks targeting the U.S. and Europe.
Sekoia noted that PlugX’s management interface allows operators to manage several backdoored devices at once and supports file downloads, system exploration and more. The company said a PlugX builder was “shared between several intrusion sets, most of them attributed to front companies linked to the Chinese Ministry of State Security.”
In 2024, Sekoia said it found PlugX infections in more than 170 countries. In a one-day snapshot of PlugX activity, it found that around 15 countries accounted for over 80% of total infections, led by Nigeria, India, Iran, Indonesia and the United States.
Mustang Panda is also well-known for targeting the governments of countries involved in China’s Belt and Road Initiative.
“The FBI’s multi-year investigation of Mustang Panda has confirmed that this group of computer hackers has infiltrated the computer systems of numerous government and private organizations, including in the United States,” the DOJ said in court documents this week.
“Significant foreign targets include European shipping companies in 2024, several European Governments from 2021 to 2023, worldwide Chinese dissident groups, and governments throughout the Indo-Pacific (e.g., Taiwan, Hong Kong, Japan, South Korea, Mongolia, India, Myanmar, Indonesia, Philippines, Thailand, Vietnam, and Pakistan).”
Some of the other victims of Mustang Panda were redacted from the legal filing.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.