
The FBI has successfully eliminated Chinese PlugX malware from 4,258 infected computers across U.S. networks, as announced by the Department of Justice. The operation targeted malware controlled by Mustang Panda (Twill Typhoon), a Chinese cyber espionage group that deployed a wormable PlugX variant capable of spreading through USB devices.
The malware campaign affected numerous high-profile targets between 2021 and 2024, including European shipping companies, government institutions, and various organizations across the Indo-Pacific region. The malware maintained persistence through registry keys and often operated undetected on victim systems.
This cleanup initiative is part of a broader international operation led by French law enforcement and Sekoia. The U.S. phase began in August 2024 with nine court-authorized warrants in the Eastern District of Pennsylvania, concluding on January 3, 2025.
The FBI’s removal process included:
– Deletion of malware-created files
– Removal of malicious registry keys
– Elimination of PlugX application and associated directories
– Creation and execution of temporary cleanup scripts
Sekoia’s research revealed the malware’s extensive reach: its command-and-control server received up to 100,000 connections per day from 2.5 million unique hosts across 170 countries.
PlugX, active since 2008, has been primarily associated with Chinese state-sponsored cyber operations, targeting government, defense, and technology sectors. The malware’s capabilities include system surveillance, file manipulation, keystroke logging, and remote command execution.
The FBI is currently notifying affected U.S. device owners through their internet service providers and has confirmed that the cleanup operation did not compromise user data or system integrity.