{ "id": "364d07a3-d4ff-4568-bcf0-7d3ffacf2a77", "created_at": "2026-04-06T02:13:10.604745Z", "updated_at": "2026-04-10T03:36:59.126343Z", "deleted_at": null, "sha1_hash": "27435162fcdf840cacfaff2315cc9752341132de", "title": "Justice Department and FBI Conduct International Operation to Delete Malware Used by China-Backed Hackers", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 44223, "plain_text": "Justice Department and FBI Conduct International Operation to\r\nDelete Malware Used by China-Backed Hackers\r\nPublished: 2025-01-14 · Archived: 2026-04-06 01:38:22 UTC\r\nNote: View the affidavit here.\r\nThe Justice Department and FBI today announced a multi-month law enforcement operation that, alongside\r\ninternational partners, deleted “PlugX” malware from thousands of infected computers worldwide. As described in\r\ncourt documents unsealed in the Eastern District of Pennsylvania, a group of hackers sponsored by the People’s\r\nRepublic of China (PRC), known to the private sector as “Mustang Panda” and “Twill Typhoon,” used a version\r\nof PlugX malware to infect, control, and steal information from victim computers.\r\nAccording to court documents, the PRC government paid the Mustang Panda group to, among other computer\r\nintrusion services, develop this specific version of PlugX. Since at least 2014, Mustang Panda hackers then\r\ninfiltrated thousands of computer systems in campaigns targeting U.S. victims, as well as European and Asian\r\ngovernments and businesses, and Chinese dissident groups. Despite previous\r\ncybersecurity\r\nhttps://www.justice.gov/opa/pr/justice-department-and-fbi-conduct-international-operation-delete-malware-used-china-backed\r\nPage 1 of 4\n\nreports\r\n, owners of computers still infected with PlugX are typically unaware of the infection. The court-authorized\r\noperation announced today remediated U.S.-based computers infected with Mustang Panda’s version of PlugX.    \r\n“The Department of Justice prioritizes proactively disrupting cyber threats to protect U.S. victims from harm,\r\neven as we work to arrest and prosecute the perpetrators,” said Assistant Attorney General Matthew G. Olsen of\r\nthe Justice Department’s National Security Division. “This operation, like other recent technical operations against\r\nChinese and Russian hacking groups like Volt Typhoon, Flax Typhoon, and APT28, has depended on strong\r\npartnerships to successfully counter malicious cyber activity. I commend partners in the French government and\r\nprivate sector for spearheading this international operation to defend global cybersecurity.”\r\n“Leveraging our partnership with French law enforcement, the FBI acted to protect U.S. computers from further\r\ncompromise by PRC state-sponsored hackers,” said Assistant Director Bryan Vorndran of the FBI’s Cyber\r\nhttps://www.justice.gov/opa/pr/justice-department-and-fbi-conduct-international-operation-delete-malware-used-china-backed\r\nPage 2 of 4\n\nDivision. “Today’s announcement reaffirms the FBI’s dedication to protecting the American people by using its\r\nfull range of legal authorities and technical expertise to counter nation-state cyber threats.”\r\n“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many\r\nhome computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored\r\nhackers,” said U.S. Attorney Jacqueline Romero for the Eastern District of Pennsylvania. “Working alongside both\r\ninternational and private sector partners, the Department of Justice’s court-authorized operation to delete PlugX\r\nmalware proves its commitment to a ‘whole-of-society’ approach to protecting U.S. cybersecurity.”\r\n“The FBI worked to identify thousands of infected U.S. computers and delete the PRC malware on them. The\r\nscope of this technical operation demonstrates the FBI’s resolve to pursue PRC adversaries no matter where they\r\nvictimize Americans,” said Special Agent in Charge Wayne Jacobs of the FBI Philadelphia Field Office.\r\nThe international operation was led by French law enforcement\r\nand Sekoia.io, a France-based private cybersecurity company, which had identified and reported on the capability\r\nto send commands to delete the PlugX version from infected devices. Working with these partners, the FBI tested\r\nthe commands, confirmed their effectiveness, and determined that they did not otherwise impact the legitimate\r\nfunctions of, or collect content information from, infected computers. In August 2024, the Justice Department and\r\nFBI obtained the first of nine warrants in the Eastern District of Pennsylvania authorizing the deletion of PlugX\r\nfrom U.S.-based computers. The last of these warrants expired on Jan. 3, 2025, thereby concluding the U.S.\r\nportions of the operation. In total, this court-authorized operation deleted PlugX malware from approximately\r\n4,258 U.S.-based computers and networks.\r\nThe FBI, through the victims’ internet service providers, is providing notice to U.S. owners of Windows-based\r\ncomputers affected by this court-authorized operation.\r\nThe FBI’s Philadelphia Field Office and Cyber Division, the U.S. Attorney’s Office for the Eastern District of\r\nPennsylvania, and the National Security Cyber Section of Justice Department’s National Security Division led the\r\nhttps://www.justice.gov/opa/pr/justice-department-and-fbi-conduct-international-operation-delete-malware-used-china-backed\r\nPage 3 of 4\n\ndomestic disruption operation. This operation would not have been successful without the valuable collaboration\r\nof to the Cyber Division of the Paris Prosecution Office, French Gendarmerie Cyber Unit C3N, and Sekoia.io.\r\nThe FBI continues to investigate Mustang Panda’s computer intrusion activity. If you believe you have a\r\ncompromised computer or device, please visit the FBI’s Internet Crime Complaint Center (IC3). You may also\r\ncontact your local FBI field office directly. The FBI strongly encourages the use of anti-virus software as well as\r\nthe application of software security updates to help prevent reinfection.\r\nSource: https://www.justice.gov/opa/pr/justice-department-and-fbi-conduct-international-operation-delete-malware-used-china-backed\r\nhttps://www.justice.gov/opa/pr/justice-department-and-fbi-conduct-international-operation-delete-malware-used-china-backed\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.justice.gov/opa/pr/justice-department-and-fbi-conduct-international-operation-delete-malware-used-china-backed" ], "report_names": [ "justice-department-and-fbi-conduct-international-operation-delete-malware-used-china-backed" ], "threat_actors": [ { "id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7", "created_at": "2023-06-23T02:04:34.793629Z", "updated_at": "2026-04-10T02:00:04.971054Z", "deleted_at": null, "main_name": "Volt Typhoon", "aliases": [ "Bronze Silhouette", "Dev-0391", "Insidious Taurus", "Redfly", "Storm-0391", "UAT-5918", "UAT-7237", "UNC3236", "VOLTZITE", "Vanguard Panda" ], "source_name": "ETDA:Volt Typhoon", "tools": [ "FRP", "Fast Reverse Proxy", "Impacket", "LOLBAS", "LOLBins", "Living off the Land" ], "source_id": "ETDA", "reports": null }, { "id": "09031838-56db-4676-a2b2-4bc50d8b7b0b", "created_at": "2024-01-23T13:22:35.078612Z", "updated_at": "2026-04-10T02:00:03.519282Z", "deleted_at": null, "main_name": "Flax Typhoon", "aliases": [ "Ethereal Panda", "Storm-0919" ], "source_name": "MISPGALAXY:Flax Typhoon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a", "created_at": "2023-09-07T02:02:47.367254Z", "updated_at": "2026-04-10T02:00:04.698935Z", "deleted_at": null, "main_name": "Flax Typhoon", "aliases": [ "Ethereal Panda", "RedJuliett" ], "source_name": "ETDA:Flax Typhoon", "tools": [ "BadPotato", "CHINACHOPPER", "China Chopper", "JuicyPotato", "LOLBAS", "LOLBins", "Living off the Land", "Metasploit", "Mimikatz", "SinoChopper", "SoftEther VPN" ], "source_id": "ETDA", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a88747e2-ffed-45d8-b847-8464361b2254", "created_at": "2023-11-01T02:01:06.605663Z", "updated_at": "2026-04-10T02:00:05.289908Z", "deleted_at": null, "main_name": "Volt Typhoon", "aliases": [ "Volt Typhoon", "BRONZE SILHOUETTE", "Vanguard Panda", "DEV-0391", "UNC3236", "Voltzite", "Insidious Taurus" ], "source_name": "MITRE:Volt Typhoon", "tools": [ "netsh", "PsExec", "ipconfig", "Wevtutil", "VersaMem", "Tasklist", "Mimikatz", "Impacket", "Systeminfo", "netstat", "Nltest", "certutil", "FRP", "cmd" ], "source_id": "MITRE", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b", "created_at": "2025-08-07T02:03:24.661509Z", "updated_at": "2026-04-10T02:00:03.644548Z", "deleted_at": null, "main_name": "BRONZE SILHOUETTE", "aliases": [ "Dev-0391 ", "Insidious Taurus ", "UNC3236 ", "Vanguard Panda ", "Volt Typhoon ", "Voltzite " ], "source_name": "Secureworks:BRONZE SILHOUETTE", "tools": [ "Living-off-the-land binaries", "Web shells" ], "source_id": "Secureworks", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ea4726a4-3b7c-45db-a579-2abd4986941c", "created_at": "2025-11-01T02:04:53.002048Z", "updated_at": "2026-04-10T02:00:03.764362Z", "deleted_at": null, "main_name": "BRONZE FLAXEN", "aliases": [ "Ethereal Panda ", "Flax Typhoon " ], "source_name": "Secureworks:BRONZE FLAXEN", "tools": [ "Bad Potato", "Juicy Potato", "Metasploit", "Mimikatz", "SoftEther VPN" ], "source_id": "Secureworks", "reports": null }, { "id": "4ed2b20c-7523-4852-833b-cebee8029f55", "created_at": "2023-05-26T02:02:03.524749Z", "updated_at": "2026-04-10T02:00:03.366175Z", "deleted_at": null, "main_name": "Volt Typhoon", "aliases": [ "BRONZE SILHOUETTE", "VANGUARD PANDA", "UNC3236", "Insidious Taurus", "VOLTZITE", "Dev-0391", "Storm-0391" ], "source_name": "MISPGALAXY:Volt Typhoon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775441590, "ts_updated_at": 1775792219, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/27435162fcdf840cacfaff2315cc9752341132de.pdf", "text": "https://archive.orkl.eu/27435162fcdf840cacfaff2315cc9752341132de.txt", "img": "https://archive.orkl.eu/27435162fcdf840cacfaff2315cc9752341132de.jpg" } }