United States Attorney Jacqueline C. Romero, the Justice Department, and the FBI have announced a significant international operation aimed at eliminating malware known as "PlugX" from thousands of computers worldwide. This effort involved collaboration with international partners to target malware allegedly used by hackers backed by the People's Republic of China (PRC).
Court documents unsealed in the Eastern District of Pennsylvania reveal that a group of hackers sponsored by the PRC, identified as "Mustang Panda" and "Twill Typhoon," utilized PlugX malware to infiltrate and extract information from various computer systems. The Mustang Panda group reportedly received funding from the PRC government to develop this specific version of PlugX. Since 2014, they have targeted numerous systems, including those in the United States, Europe, and Asia, as well as systems belonging to Chinese dissident groups.
U.S. Attorney Romero highlighted the severity of these cyber intrusions: “This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers.” She emphasized that this operation underscores a comprehensive approach to U.S. cybersecurity protection.
FBI Philadelphia Special Agent in Charge Wayne Jacobs stated: “The FBI worked to identify thousands of infected U.S. computers and delete the PRC malware on them. The scope of this technical operation demonstrates the FBI’s resolve to pursue PRC adversaries no matter where they victimize Americans.”
The operation was spearheaded by French law enforcement along with Sekoia.io, a private cybersecurity firm based in France. They identified methods to remove PlugX from infected devices without disrupting legitimate functions or collecting content information.
In August 2024, authorities obtained nine warrants in Pennsylvania's Eastern District authorizing PlugX removal from U.S.-based computers. The final warrant expired on January 3, 2025, marking the conclusion of this phase, which successfully removed PlugX from approximately 4,258 U.S.-based systems.
The FBI is notifying affected users through their internet service providers about this court-authorized action. The domestic aspect was led by several U.S. entities including the FBI's Philadelphia Field Office and Cyber Division alongside DOJ's National Security Cyber Section.
French authorities played a crucial role through the Cyber Division of the Paris Prosecution Office and the Gendarmerie Cyber Unit C3N.
Ongoing investigations continue into Mustang Panda's activities. Individuals who suspect their devices are compromised are encouraged to contact their local FBI office or visit the FBI's Internet Crime Complaint Center (IC3). Authorities strongly recommend using antivirus software and applying security updates promptly to protect against future threats.