The Federal Bureau of Investigation (FBI) and the U.S. Department of Justice (DOJ) have confirmed the removal of PlugX malware from approximately 4,258 U.S.-based computers in a court-authorized operation.
According to the FBI and DOJ, the operation involved remotely accessing the infected computers to remove the malware files.
In collaboration with French law enforcement and the cybersecurity firm Sekoia.io, the operation specifically targeted a version of PlugX developed by Mustang Panda, also known as Twill Typhoon, which is believed to be sponsored by the Chinese government.
PlugX, a Remote Access Trojan in use since 2008, provides unauthorized access to infected systems, allowing hackers to harvest data, record keystrokes, capture screenshots, and manage system processes and registry entries.
According to the Justice Department, Mustang Panda hackers have been infiltrating thousands of computer systems since 2014, targeting U.S. victims as well as European and Asian governments and businesses and Chinese dissident groups.
The international operation to remove the malware from infected computers began in August 2024, when the FBI obtained the first of nine warrants from the Eastern District of Pennsylvania authorizing the deletion of PlugX. These warrants allowed investigators to invoke the malware's own built-in self-delete command, neutralizing it without touching legitimate files or system functions.
The operation concluded earlier this month. The FBI is working with internet service providers to notify the owners of affected U.S. computers that PlugX was removed from their systems.