According to court documents, a CCP-linked hacking group used PlugX to infiltrate and control targeted computers, stealing information from infected systems.
The FBI and Department of Justice (DOJ) have removed China-linked malware from more than 4,200 U.S. computers in a court-authorized operation targeting a Beijing-sponsored hacking group.
The court-authorized operation, conducted with French law enforcement and French cybersecurity firm Sekoia.io, targeted a variant of PlugX malware deployed by hackers backed by the Chinese Communist Party.
According to court documents from the Eastern District of Pennsylvania, the hacking group known as “Mustang Panda” or “Twill Typhoon” used PlugX to infiltrate and control targeted computers, stealing information from infected systems.
Authorities stated in court documents that the Chinese regime paid this group to develop and deploy the malware as part of broader computer intrusion campaigns.
The FBI said it has observed the malware’s activity since at least 2012.
An FBI investigator said the malware spreads through a computer’s USB port by infecting attached USB devices, which can then infect other Windows-based computers that later connect to the same device.
The malware persists on the infected machine: through a registry key it creates, the PlugX application runs automatically each time the computer starts, according to a court filing.
Once the target computer connects to the internet, the malware lets its operators remotely issue commands that collect details about the victim computer, such as its unique IP address, which can be used to determine the computer’s physical location, and that upload, download, move, and delete files.
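The filing describes persistence through a registry key that launches the malware at startup and spread via removable USB media. As an added example (not from the article or the court documents), the script below audits the standard Windows Run keys from a `.reg` export and flags autostart entries that launch from a non-system drive or a user-writable folder; the sample export, the `updater.exe` and `sync.exe` names, and the assumption that `C:` is the system drive are all constructed for illustration.

```python
# Added example (not from the article): audit Windows Run-key autostart entries in a
# .reg export, flagging any that launch from a non-system drive (possibly removable
# media) or a user-writable folder. Assumes C: is the system drive; sample is constructed.
import re
RUN_KEY_RE = re.compile(r"^\[HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\.*\\CurrentVersion\\Run\]$", re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')   # "name"="data"
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed .reg export: one legitimate entry, one in a temp folder, one on drive E:
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"
"Sync"="E:\\RECYCLER\\sync.exe"
'''

def unescape(s):  # undo .reg escaping: a backslash protects the next character
    return re.sub(r"\\(.)", r"\1", s)

def executable_path(command):  # program path without arguments; handles quoted paths
    command = command.strip()
    return command[1:command.index('"', 1)] if command.startswith('"') else command.split(" ", 1)[0]

def classify(path):
    p = path.lower()
    if len(p) > 2 and p[0].isalpha() and p[1:3] == ":\\" and not p.startswith("c:\\"):
        return "non-system drive (possibly removable media)"
    if any(d in p for d in SUSPICIOUS_DIRS):
        return "user-writable location"
    if p.startswith(TRUSTED_PREFIXES):
        return "ok"
    return "review"  # unknown location, worth a manual look

def audit(export):
    """Return (value name, executable, verdict) for every Run entry that is not 'ok'."""
    findings, in_run_key = [], False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("["):  # key header: are we inside a Run key?
            in_run_key = bool(RUN_KEY_RE.match(line))
            continue
        v = VALUE_RE.match(line)
        if in_run_key and v:
            exe = executable_path(unescape(v.group(2)))
            verdict = classify(exe)
            if verdict != "ok":
                findings.append((unescape(v.group(1)), exe, verdict))
    return findings
```

On a real host, export the Run keys with `reg export` and pass the file contents to `audit()`; a flagged entry is a prompt for investigation, not proof of infection, since legitimate software also installs from unusual paths.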
The malware appears to have interacted with more than 45,000 U.S. IP addresses since September 2023, the filing indicates.
The operation, which ran from August 2024 to January, resulted in the removal of PlugX malware from approximately 4,258 U.S.-based computers and networks, the agencies said. The FBI obtained a series of warrants authorizing remote access and the deletion of malware from infected devices.
According to the agencies, the Mustang Panda group has been active since at least 2014, targeting not only U.S. victims but also European and Asian governments, businesses, and Chinese dissident groups. Many owners of infected computers were reportedly unaware of the malware’s presence on their systems.
The hacking operation targeted various entities, including European shipping companies in 2024, several European governments between 2021 and 2023, and multiple Indo–Pacific governments, such as Taiwan, Hong Kong, Japan, South Korea, Mongolia, India, Burma (Myanmar), Indonesia, Philippines, Thailand, Vietnam, and Pakistan.
The investigator has identified at least five federal districts impacted by the malware, including the Eastern District of Pennsylvania.
The final removal operation by the authorities took place on Jan. 3.
U.S. Attorney Jacqueline Romero of the Eastern District of Pennsylvania said the hack was “wide-ranging” and “long-term,” impacting thousands of computers, including the home computers of Americans.
She said that such brazen acts demonstrate “the recklessness and aggressiveness of PRC state-sponsored hackers,” according to a Jan. 14 statement, referring to communist China’s official name, the People’s Republic of China.
She said the efforts to remove the malware prove the Justice Department’s commitment to “a ‘whole-of-society’ approach to protecting U.S. cybersecurity.”
This operation follows similar recent efforts by U.S. law enforcement to disrupt cyber threats from Chinese and Russian hacking groups.
In early January, the United States sanctioned a Beijing-based Chinese cybersecurity company, Integrity Technology Group, for its role in the hacking campaign by another Chinese cyber group, Flax Typhoon.
Salt Typhoon, a separate Chinese hacking group, has infiltrated dozens of nations and targeted major telecom companies such as AT&T and Verizon.
Last month, Chinese hackers breached the Treasury Department and stole documents from its workstations.
The FBI is in the process of notifying affected U.S. computer owners through their internet service providers, according to the press release. The bureau encourages individuals who believe their computers may have been compromised to contact the FBI’s Internet Crime Complaint Center or their local FBI field office.
Authorities also remind Americans to maintain up-to-date anti-virus software and apply security updates to prevent reinfection.
The FBI “continues to monitor Mustang Panda’s computer intrusion activity,” the release said.