International cooperation: PlugX malware deleted from US computers

Kim Muntinga
15/1/2025
Translation: machine translated

The FBI and the US Department of Justice have successfully removed the PlugX malware from over 4,200 computers in the USA. The action was part of a court-authorised counter-attack against the hacker group "Mustang Panda", which is allegedly supported by China.

In a coordinated action, the FBI and the US Department of Justice have successfully deleted the PlugX malware, via remote access, from more than 4,200 infected computers in the USA. The authorities announced this in an official press release. The operation was a court-authorised counter-attack.

PlugX, a remote access Trojan (RAT), was first discovered in 2008 and has since targeted numerous government institutions and companies worldwide. The malware enables attackers to access affected systems without authorisation, steal data and take control of these systems.

Remote access to files via command-and-control server

According to the FBI, at least 45,000 IP addresses in the USA have contacted a command-and-control server operated by the hackers since September 2023. Through this server, the hackers can access files on the infected computers and obtain information about them.

The US Department of Justice has identified the perpetrators as a hacker group allegedly sponsored by the People's Republic of China and known in the private sector as "Mustang Panda" and "Twill Typhoon". According to the cyber security company ESET, this "Mustang Panda" group gained access to the computers of freight companies in Norway, Greece and the Netherlands last March.

80 per cent of infections spread across 15 countries

The operation to delete the malware began in August 2024 and was carried out by the US authorities in collaboration with French law enforcement authorities and Sekoia.io, a private cybersecurity company based in France. Sekoia.io has detected the PlugX malware in more than 170 countries. In a one-day analysis of PlugX activity, Sekoia found that more than 80 per cent of infections are spread across about 15 countries, with Nigeria, India, Iran, Indonesia and the United States leading the pack.

Nigeria tops the list of countries most frequently infected by the PlugX malware.
Source: Sekoia.io

Sekoia also eventually discovered that it could send the commands needed to force the malware to delete itself and disinfect a system.

Header image: janews / Shutterstock
