2025-01-15
FBI and French Authorities Delete PlugX Malware from US Devices
An affidavit unsealed in January 2025 from a Pennsylvania district court authorized and described an FBI operation that took place in August 2024, during which US agents collaborated with French law enforcement and the cybersecurity firm Sekoia.io to unilaterally remove PlugX malware from thousands of Windows machines in the US. PlugX is a remote access trojan (RAT) that can spread via infected USB devices and maintains persistence through registry keys that run the malware at startup. The global malware campaign is associated with a Chinese state-sponsored hacking group tracked under various names, including Mustang Panda and Twill Typhoon. French authorities seized the PlugX command and control (C2) IP address in 2023; the FBI then used that seized infrastructure to send a self-destruct command that deleted all files created by the malware, removed its startup registry keys, and stopped and deleted the malware application and its directory. The operation affected any US-based device running a version of PlugX that contacted the C2 server; affected device owners will be notified by their internet service providers.
Editor's Note
This is not the first time we have seen governments make this move; however, it does raise the question of what happens when international companies do this. I know this will sound off the wall, but what if you wanted to run PlugX? No one should, but this was forcefully uninstalled. Something rather interesting to consider is the line of delineation. Almost 100% of all users wanted this to occur, yet it is a thought experiment.

Moses Frost
The PlugX takedown follows other actions against Volt Typhoon, Flax Typhoon and Fancy Bear, and it provides hints as to the resources and aggressiveness of these state-sponsored adversaries. For now, we've got a mulligan in that PlugX has been destroyed; what we still have to be aware of is the risk of malware spreading via USB drive. I know, that feels very Stuxnet-like. Make sure that your EDR is configured to scan USB drives. If possible, limit to only authorized devices; even better, require them to be encrypted.

Lee Neely
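As an added example (not from the article or the editors' notes above), the following read-only PowerShell audit reports whether the Group Policy-backed registry values behind the two USB recommendations are set, and lists startup Run-key entries launched from user-writable locations, the persistence mechanism the summary describes. The policy registry paths are the standard ones Windows writes for those policies; the "review" path pattern is an assumed heuristic, not an indicator from the page.

```powershell
# Added example: audit removable-storage policy and Run-key autostarts.
# Run from an elevated PowerShell prompt; it only reads, never writes.

function Get-RemovableStoragePosture {
    # Standard GPO-backed locations (assumed to match your GPO baseline;
    # verify against the policy objects your organisation actually deploys).
    $devClass = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
    $fve      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    [pscustomobject]@{
        # 1 = "Removable Disks: Deny execute access" is enforced
        DenyExecuteFromRemovable = (Get-ItemProperty -Path $devClass -Name Deny_Execute -ErrorAction SilentlyContinue).Deny_Execute -eq 1
        # 1 = "Removable Disks: Deny write access" is enforced
        DenyWriteToRemovable     = (Get-ItemProperty -Path $devClass -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write -eq 1
        # 1 = BitLocker To Go: deny write to removable drives not protected by BitLocker
        RequireBitLockerForWrite = (Get-ItemProperty -Path $fve -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue).RDVDenyWriteAccess -eq 1
    }
}

function Get-AutorunsForReview {
    # Run/RunOnce keys are the startup persistence location the summary describes.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Assumed heuristic: autostarts living in user-writable directories deserve
    # a look, since vendor software normally installs under Program Files/Windows.
    $reviewPattern = '(?i)\\(Users|ProgramData|Temp|AppData)\\'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            if ("$($p.Value)" -match $reviewPattern) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

Get-RemovableStoragePosture | Format-List
Get-AutorunsForReview | Format-Table -AutoSize
```

A false value in the first table means the corresponding policy is not enforced on that host; entries in the second table are candidates for review, not confirmed infections.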
Read more in
The Register: FBI wipes Chinese PlugX malware from thousands of Windows PCs in America
DOJ: Affidavit In Support of an Application for a Ninth Search and Seizure Warrant (PDF)
The Record: DOJ deletes China-linked PlugX malware off more than 4,200 US computers
NextGov: FBI deleted Chinese malware from 4,200 US computers