US authorities just purged malware from thousands of devices across the world


The US Justice Department and FBI have revealed that a joint operation with international partners was able to delete malware injected by Chinese threat actors into thousands of devices around the world.

Announced on 14 January, the months-long operation was conducted in collaboration with French law enforcement in which the PlugX malware was removed from more than 4,200 computers worldwide.

According to court documents, the group behind the attack, referred to alternatively as Twill Typhoon or Mustang Panda, has been active since around 2014 and was paid by the PRC to develop a specific version of the PlugX malware for the intrusion campaign.

In the affidavit, the FBI stated that the malware was used by the attackers to exfiltrate files and other information held on the computers of government agencies and private enterprises in the US, ostensibly for espionage purposes.

Foreign entities were also targeted, the FBI noted, with notable targets including European shipping companies in 2024 and a number of European governments between 2021 and 2023.

The joint operation was able to remove the malware from the target devices in this instance after a French law enforcement agency gained access to a command-and-control (C2) server that could send commands to infected devices.

French law enforcement identified that the malware included a native ‘self-delete’ function, which they were able to trigger once they had control of the C2 server.

Once triggered, the mechanism deleted all the files created by the PlugX malware on the target device, removed all PlugX registry keys used to automatically run the malware when the system boots, and then stopped the running PlugX application and removed it.

What is PlugX?

The PlugX malware family has been observed in attacks from as early as 2008. It has been leveraged by multiple threat actors, but researchers have typically associated its use with espionage-focused groups linked to China, including Mustang Panda.

Chris Jones, incident response analyst at Check Point Software, described PlugX as a modular malware with a variety of capabilities, all suited for espionage objectives.

“PlugX is a powerful remote access Trojan (RAT) often used in targeted cyber-espionage campaigns. Its modular design allows attackers to tailor its capabilities to their specific needs, enabling activities like data theft, keylogging, file manipulation, and executing commands on infected systems,” he explained.

“It is typically spread through spear-phishing campaigns, exploiting vulnerabilities, or using malicious attachments to gain access.”

He added that efforts to neutralize the threat posed by malicious tools like PlugX usually revolve around targeting the infrastructure the malware relies on for execution, much like this most recent operation carried out by US and French law enforcement.

“Law enforcement agencies seizing servers used to facilitate PlugX operations are adding to efforts like the 2019 seizure of servers linked to the Imminent Monitor RAT. These coordinated actions demonstrate an ongoing commitment to dismantling cybercriminal infrastructure and protecting users from sophisticated malware and privacy threats.”

Matthew G. Olsen, assistant attorney general of the Justice Department’s National Security Division, said such operations rely on security agencies working together, praising the efforts of the French government in this instance.

“This operation, like other recent technical operations against Chinese and Russian hacking groups like Volt Typhoon, Flax Typhoon, and APT28, has depended on strong partnerships to successfully counter malicious cyber activity. I commend partners in the French government and private sector for spearheading this international operation to defend global cybersecurity.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.