The Federal Bureau of Investigation (FBI) and the U.S. Department of Justice (DOJ) announced that they have successfully deleted and removed PlugX malware from over 4,200 computers in the United States. PlugX is used by hacking groups sponsored by the People’s Republic of China (PRC) known as “Mustang Panda” and “Twill Typhoon.” The malware infects and takes control of a victim’s computer and exfiltrates data from it.
With a court order, the DOJ obtained authorization to delete the malware from U.S. computers. The malware was removed in August 2024, but public disclosure was embargoed until January 2025.
PlugX malware used by PRC-sponsored hacking groups since 2014
According to the DOJ, the PRC government paid the Mustang Panda / Twill Typhoon group to infect victims across the United States, as well as European and Asian governments and businesses and Chinese dissident groups.
Mustang Panda began deploying the malware in 2014, and infections typically go undetected.
“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers,” said U.S. Attorney Romero.
“Working alongside both international and private sector partners, the Department of Justice’s court-authorized operation to delete PlugX malware proves its commitment to a ‘whole-of-society’ approach to protecting U.S. cybersecurity,” Romero said.
PlugX malware has China Ministry of State Security origins
According to The Record, PlugX malware was initially developed by front companies linked to China’s Ministry of State Security in 2008. Its first reported target was Japan in 2008. It has been widely used by Chinese espionage groups since.
In 2020, Mustang Panda added capabilities to the malware payload, including the ability to infect USB flash drives. USB propagation gives the malware a path into networks that are not connected to the internet (also known as “disconnected” or “air-gapped” networks). It is unknown whether U.S. government networks, which use GovCloud regions isolated from the commercial cloud regions, were among those infected.
The Record reported that French authorities worked with the French cybersecurity firm Sekoia, which found PlugX malware on thousands of French devices, forming an espionage botnet. Sekoia subsequently found thousands more infected devices worldwide, including in Malta, Portugal, Croatia, Slovakia, and Austria.
In its findings, published on its blog in April 2024, Sekoia reported 90,000-100,000 unique IP addresses infected with PlugX malware.
Mustang Panda is known for targeting governments of countries involved in China’s Belt and Road Initiative.