The Federal Bureau of Investigation (FBI) has recently conducted an operation to remove the PlugX malware, which China-backed hackers were using for data theft. According to the US Department of Justice, the agency accessed approximately 4,200 computers within the country to neutralize the threat.
According to a court filing released by the Department of Justice, the hacker group known as “Mustang Panda” is also tracked as “Twill Typhoon”. The group has used the malware since at least 2012 to target thousands of Windows computers in the USA, Asia, and Europe. PlugX spread through USB drives and ran in the background, giving the attackers remote access to files and the ability to execute commands on the victims’ devices.
PlugX connected to a command-and-control (C2) server whose IP address was hard-coded in the malware. This allowed the hackers to control the infected computers, view their contents, and gather information, including the owners’ IP addresses. The FBI reported that since September 2023, around 45,000 IP addresses in the United States had connected to this server.
The FBI turned the same command channel against PlugX to remove it from the infected devices. In collaboration with law enforcement agencies in France, who were conducting a parallel operation, American investigators gained access to the server and requested a list of infected IP addresses.
A specific command was then sent to the infected computers, instructing PlugX to delete the files it had created, stop its malicious activity, and remove itself from the system entirely.
Operations of this kind are a core part of the FBI’s strategy against cyber threats. In 2023, the agency carried out a similar operation against the QAKBOT botnet, remotely sending the infected devices a command to load software that uninstalled the malicious code. In 2021, the FBI likewise acted on hundreds of computers to remove backdoors left by the Chinese Hafnium hacker group after the attacks exploiting Microsoft Exchange vulnerabilities.