Jan 15, 2025Ravie LakshmananMalware / Threat Intelligence

The U.S. Department of Justice (DoJ) on Tuesday disclosed that a court-authorized operation allowed the Federal Bureau of Investigation (FBI) to delete PlugX malware from over 4,250 infected computers as part of a “multi-month law enforcement operation.”

PlugX, also known as Korplug, is a remote access trojan (RAT) widely used by threat actors associated with the People’s Republic of China (PRC), allowing for information theft and remote control of compromised devices.

An affidavit filed by the FBI noted that the identified PlugX variant is linked to a state-sponsored hacking group called Mustang Panda, which is also referred to as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TA416, and Twill Typhoon.

“Since at least 2014, Mustang Panda hackers then infiltrated thousands of computer systems in campaigns targeting U.S. victims, as well as European and Asian governments and businesses, and Chinese dissident groups,” the DoJ said.

Some of the other targets of the threat actor’s campaigns include Taiwan, Hong Kong, Japan, South Korea, Mongolia, India, Myanmar, Indonesia, the Philippines, Thailand, Vietnam, and Pakistan.

The disruption is part of a larger “disinfection” effort that commenced in late July 2024 to rid compromised systems of the PlugX malware. Details of the activity were previously shared by the Paris Prosecutor’s Office and cybersecurity firm Sekoia.

As previously detailed by Sekoia, this specific variant of PlugX is known to spread to other systems via attached USB devices. The malware, once installed, beacons out to an attacker-controlled server (“45.142.166[.]112”) to await further commands to gather data from the host.

In late April 2024, the company also revealed it spent a mere $7 to sinkhole the server accessible on the IP address in question, thereby opening the door to issue a self-delete command to erase the malware from the infected machines.

The command carried out the steps listed below –

• Delete the files created by the PlugX malware on the victim computer
• Delete the PlugX registry keys used to automatically run the PlugX application when the victim computer is started
• Create a temporary script file to delete the PlugX application after it is stopped
• Stop the PlugX application
• Run the temporary file to delete the PlugX application, delete the directory created on the victim computer by the PlugX malware to store the PlugX files, and delete the temporary file from the victim computer

The FBI said the self-delete command does not affect any legitimate functions or files on the targeted devices located within the U.S. nor transmit any other data from them.

Last month, Sekoia said as many as 59,475 disinfection payloads targeting 5,539 IP addresses were issued as part of a legal framework that was established to conduct the PlugX disinfection process for 10 countries.

“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s N