On January 14, 2025, the U.S. Department of Justice (DoJ) announced that the Federal Bureau of Investigation (FBI) had successfully concluded a court-authorized operation to delete PlugX malware from 4,250 infected hosts.
PlugX is a remote access trojan (RAT) closely associated with the Chinese state-sponsored threat actor Mustang Panda, which uses it for information theft and persistent remote access to compromised devices. According to the DoJ, this variant has infected thousands of hosts since at least 2014.
This is the second time law enforcement has targeted PlugX. In July 2024, French authorities, working with the cybersecurity company Sekoia, conducted a similar operation that removed a PlugX variant, one that spreads via removable media, from infected hosts. Taking control of the variant's abandoned command-and-control IP address cost just $7, and that was all the authorities needed to issue the self-delete command that erased the malware from the infected machines.
Source: The Hacker News
Analysis
In the past few years, the FBI has become adept at disrupting the malware and botnet operations of Chinese state-sponsored cyber actors, proving that it is both willing and able to take active measures to defend U.S. networks.
In January 2024, the FBI dismantled the KV-botnet, which the China-linked threat actor Volt Typhoon used to obscure the origin of its traffic by routing it through infected, end-of-life SOHO routers. The FBI neutralized the KV-botnet by remotely issuing commands over the botnet's own communication protocol to delete the KV-botnet payload from the compromised routers and to prevent them from being reinfected.
These takedown operations reflect how seriously the U.S. takes China’s efforts to prepare to destroy or degrade civilian critical infrastructure in the event of heightened tensions or open warfare between the two nations.
Not only does the takedown deny China a valuable tool for its malicious cyber activity, but it also serves as a warning that the U.S. is aware of these activities and will not hesitate to take the action necessary to mitigate the threat they pose.
Mitigation
Field Effect's Security Intelligence team constantly monitors the cyber threat landscape for emerging threats emanating from China. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these threats pose.
Field Effect MDR users are automatically notified when malicious activity of this kind is detected in their environment and are encouraged to review the resulting AROs (Actions, Recommendations, and Observations) as quickly as possible via the Field Effect Portal.