The US Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) conducted a multi-month law enforcement operation aimed at dismantling a Chinese state-sponsored hacking group’s malware campaign. In partnership with international law enforcement and cybersecurity experts, the operation successfully deleted the notorious “PlugX” malware from thousands of compromised computers worldwide.
The malware campaign has been attributed to a China-backed threat actor tracked as Mustang Panda or Twill Typhoon. The group utilized a customized version of PlugX malware to infiltrate and remotely control victim computers, harvesting sensitive data and executing surveillance on targeted systems.
According to court filings, the Chinese government directly funded Mustang Panda's efforts, which began as early as 2014. The group's cyber campaigns primarily focused on government agencies, businesses, and Chinese dissident organizations across the US, Europe, and Asia.
The FBI, working with French law enforcement and the cybersecurity firm Sekoia, coordinated efforts to remove the malware from infected systems. Cybersecurity experts identified the specific commands needed to delete the malware from compromised devices and then worked with the FBI to test and confirm that the deletion method would neither disrupt the functionality of the affected computers nor collect any further data from them.
The operation, authorized by a series of court warrants, began in August 2024. By January 3, 2025, the malware had been removed from approximately 4,258 US computers and networks, the authorities said.
While the operation targeted primarily US-based victims, it was part of a broader, global effort to thwart Mustang Panda's ongoing cyber espionage activities.