Law enforcement action deletes PlugX malware from thousands of machines | CyberScoop<\/title> <meta name=\"description\" content=\"U.S. and international law enforcement agencies have removed the PlugX malware from thousands of computers worldwide.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/plugx-malware-mustang-panda-doj-takedown\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Law enforcement action deletes PlugX malware from thousands of machines\"> <meta property=\"og:description\" content=\"U.S. and international law enforcement agencies have removed the PlugX malware from thousands of computers worldwide.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/plugx-malware-mustang-panda-doj-takedown\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-01-14T17:33:19+00:00\"> <meta property=\"article:modified_time\" content=\"2025-01-14T17:33:22+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/law-enforcement-action-deletes-plugx-malware-from-thousands-of-machines-2.jpg\"> <meta property=\"og:image:width\" content=\"6000\"> <meta property=\"og:image:height\" content=\"3375\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736472020g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83128\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83128\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fplugx-malware-mustang-panda-doj-takedown%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fplugx-malware-mustang-panda-doj-takedown%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83128 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/plugx-malware-mustang-panda-doj-takedown\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.857142857143\">\n<div class=\"single-article__header-content\" readability=\"33.395415472779\">\n<p> The remote access trojan was being used by a Chinese collective operating since 2014. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83128\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/law-enforcement-action-deletes-plugx-malware-from-thousands-of-machines.jpg?resize=640%2C360&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"FBI, DOJ, FIN7, Methbot\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/law-enforcement-action-deletes-plugx-malware-from-thousands-of-machines-2.jpg 6000w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/law-enforcement-action-deletes-plugx-malware-from-thousands-of-machines-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/law-enforcement-action-deletes-plugx-malware-from-thousands-of-machines-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/law-enforcement-action-deletes-plugx-malware-from-thousands-of-machines-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/law-enforcement-action-deletes-plugx-malware-from-thousands-of-machines-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/law-enforcement-action-deletes-plugx-malware-from-thousands-of-machines-2.jpg?resize=2048,1152 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/law-enforcement-action-deletes-plugx-malware-from-thousands-of-machines-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/law-enforcement-action-deletes-plugx-malware-from-thousands-of-machines-2.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/law-enforcement-action-deletes-plugx-malware-from-thousands-of-machines-2.jpg?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"40.285791173305\"><body readability=\"81.142997301938\"><\/p>\n<p>U.S. and international law enforcement agencies have removed the PlugX malware from thousands of computers worldwide in a coordinated campaign to blunt the effectiveness of one of the most infamous pieces of malware used by malicious cyber actors.<\/p>\n<p>According to recently unsealed court documents from the Eastern District of Pennsylvania, the U.S. Department of Justice worked alongside international partners, including French law enforcement and the cybersecurity firm Sekoia.io, to dismantle a network that deployed PlugX \u2014 a remote access trojan (RAT) \u2014 targeting U.S. victims, as well as European and Asian governments and businesses, and Chinese dissident groups.<\/p>\n<p>The DOJ pins the malware network\u2019s operations to a collective of hackers reportedly sponsored by the People\u2019s Republic of China (PRC). The group, known as \u201cMustang Panda\u201d or \u201cTwill Typhoon,\u201d has been implicated in numerous cyberattacks since 2014.<\/p>\n<p>The takedown operation, which spanned several months, was facilitated by a series of court-authorized warrants allowing for the elimination of PlugX from approximately 4,258 U.S.-based computers and networks. Additionally, the French Gendarmerie Cyber Unit C3N and the Paris prosecutor\u2019s office initiated a similar investigation, identifying a botnet of several million infected devices. Both operations were aided by French cybersecurity company Sekoia, <a href=\"https:\/\/blog.sekoia.io\/plugx-worm-disinfection-campaign-feedbacks\/\">which developed a tool<\/a> to detect and remove the malware. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cLeveraging our partnership with French law enforcement, the FBI acted to protect U.S. computers from further compromise by PRC state-sponsored hackers,\u201d said Assistant Director Bryan Vorndran of the FBI\u2019s Cyber Division. \u201cToday\u2019s announcement reaffirms the FBI\u2019s dedication to protecting the American people by using its full range of legal authorities and technical expertise to counter nation-state cyber threats.\u201d<\/p>\n<p>PlugX is categorized as a Remote Access Trojan (RAT) and has been active since 2008, serving as a sophisticated backdoor to compromised systems. This malware allows attackers to exert full control over an infected machine, enabling them to execute arbitrary commands remotely. It is associated with several threat actors or groups often linked to advanced persistent threats (APTs), such as APT22, APT26, and APT31, which are thought to operate under or in coordination with state-sponsored campaigns. <\/p>\n<p>PlugX possesses an array of advanced capabilities that make it a formidable tool in cyber espionage and criminal activities. The malware can covertly gather critical information by executing commands to retrieve system data, capture screen images, simulate keyboard and mouse activities, and log keystrokes. Additionally, it allows attackers to exert control over the system\u2019s processes and services, manage Windows registry entries, and open a command shell, providing extensive operational control to the infiltrating party. Such functionalities make PlugX capable of conducting comprehensive surveillance and data theft without attracting attention, further complicating efforts to effectively detect and mitigate its presence.<\/p>\n<p>A PlugX variant was <a href=\"https:\/\/www.csoonline.com\/article\/566509\/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html\">used by attackers in the 2015 Office of Personnel Management breach<\/a>, allowing them to move through OPM\u2019s systems, as well as compress and exfiltrate data. <a href=\"https:\/\/unit42.paloaltonetworks.com\/plugx-variants-in-usbs\/\">Cybercriminals have also used PlugX<\/a> variants in ransomware attacks. <\/p>\n<p>Assistant Attorney General Matthew Olsen highlighted the importance of disrupting cyber threats proactively, remarking how this effort parallels recent actions against <a href=\"https:\/\/cyberscoop.com\/treasury-sanctions-chinese-company-flax-typhoon\/\">other Chinese<\/a> and <a href=\"https:\/\/cyberscoop.com\/doj-microsoft-fsb-espionage-star-blizzard\/\">Russian hacking groups<\/a>. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThis operation, like other recent technical operations against Chinese and Russian hacking groups like Volt Typhoon, Flax Typhoon, and APT28, has depended on strong partnerships to successfully counter malicious cyber activity,\u201d Olsen said in a release. \u201cI commend partners in the French government and private sector for spearheading this international operation to defend global cybersecurity.\u201d<\/p>\n<p>You can read the full affidavit on <a href=\"https:\/\/www.justice.gov\/opa\/media\/1384136\/dl\">the department\u2019s website<\/a>. <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4.047619047619\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/law-enforcement-action-deletes-plugx-malware-from-thousands-of-machines-1.jpg?w=640&ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/plugx-malware-mustang-panda-doj-takedown\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Law enforcement action deletes PlugX malware from thousands of machines<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[271,282,1930,117,3478,659,3462,288],"tags":[277,286,1940,119,3479,660,3465,294],"class_list":["post-6909","post","type-post","status-publish","format-standard","hentry","category-china","category-cybercrime","category-department-of-justice","category-government","category-plugx","category-remote-access-trojan","category-sekoia","category-threats","tag-china","tag-cybercrime","tag-department-of-justice","tag-government","tag-plugx","tag-remote-access-trojan","tag-sekoia","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-justice\/\" rel=\"category tag\">Department of Justice<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/plugx\/\" rel=\"category tag\">PlugX<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/remote-access-trojan\/\" rel=\"category tag\">Remote Access Trojan<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sekoia\/\" rel=\"category tag\">Sekoia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6909","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6909"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6909\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6909"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6909"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6909"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":6909,"date":"2025-01-14T11:33:19","date_gmt":"2025-01-14T17:33:19","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83128"},"modified":"2025-01-14T11:33:19","modified_gmt":"2025-01-14T17:33:19","slug":"law-enforcement-action-deletes-plugx-malware-from-thousands-of-machines","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/14\/law-enforcement-action-deletes-plugx-malware-from-thousands-of-machines\/","title":{"rendered":"Law enforcement action deletes PlugX malware from thousands of machines"},"content":{"rendered":"