The FBI recently used a court order to take down a type of Chinese-developed malware that can spread to Windows PCs via infected USB drives.
The agency shut down a variant of the PlugX malware that spread to 2.5 million devices worldwide. On Tuesday, the Justice Department announced it had secured court authorization to wipe malware from 4,258 US-based computers and networks.
Federal officials described the malware campaign as another example of reckless and aggressive Chinese state-sponsored espionage. According to the Department of Justice, the Chinese government allegedly paid a group of hackers known as “Mustang Panda” to develop this specific variant of the PlugX malware.
Since 2008, PlugX has operated as a backdoor that lets an attacker secretly control Windows machines. But in 2020, Mustang Panda developed a variant that could infect not only the computer, but also any USB drives plugged into the same machine. The result was a “wormable” variant capable of spreading on its own through entire clusters of computers, including machines with no direct internet access.
(Credit: Sekoia)
The problem, at least for the attackers, is that PlugX ended up infecting so many machines that it likely overwhelmed the malware’s command-and-control infrastructure, leading Mustang Panda to abandon it, according to French cybersecurity vendor Sekoia.
“Indeed, the inner workings and management interface of PlugX was not designed to manage thousands of infected hosts,” the company noted in an April blog post.
Antivirus provider Sophos had also noticed that PlugX infections were all communicating with a single command-and-control IP address, 45.142.166[.]112, which belonged to hosting provider GreenCloud. That prompted Sekoia to pay just $7 in September 2023 to take over the IP address, effectively sinkholing the botnet: every infected machine now beaconed to a server Sekoia controlled.
Sekoia also revealed that the PlugX variant contains a self-delete command, which makes it possible to remove the malware from infected computers by sending that command from the sinkhole. In July 2024, French law enforcement announced that it had begun remotely wiping the malware from victims’ machines, an effort that eventually expanded to 22 participating countries.
In addition, Sekoia told PCMag that the self-delete mechanism will also remove PlugX from an infected USB drive, but only if the drive is connected to the Windows machine at the moment the self-delete payload runs. The FBI court order suggests that US investigators are likewise trying to wipe the infection from both Windows computers and any attached USB drives.
“The FBI has tested this self-delete command and confirmed that it does not affect any legitimate functions or files on the TARGET DEVICES, nor does it transmit any information about content from the TARGET DEVICES,” the agency’s statement added.
The Justice Department says it obtained the “first of nine orders” in August 2024 to wipe out PlugX infections in the US. “The last of these orders expired on January 3, 2025, thus ending the American parts of the operation,” the department added.
The FBI will notify owners of affected machines through their internet service providers.