{
	"id": "79b1f3e3-22d5-46f9-a84f-98a2965f8cd5",
	"created_at": "2026-04-06T00:18:43.85124Z",
	"updated_at": "2026-04-10T03:36:33.620014Z",
	"deleted_at": null,
	"sha1_hash": "56211b1bd4ebb342590afb59bea4a8178068eebd",
	"title": "FBI deletes Chinese PlugX malware from thousands of US computers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2225157,
	"plain_text": "FBI deletes Chinese PlugX malware from thousands of US computers\r\nBy Sergiu Gatlan\r\nPublished: 2025-01-14 · Archived: 2026-04-05 21:13:24 UTC\r\nThe U.S. Department of Justice announced today that the FBI has deleted Chinese PlugX malware from over 4,200 computers in networks across the United States.\r\nThe malware, controlled by the Chinese cyber espionage group Mustang Panda (also tracked as Twill Typhoon), infected thousands of systems using a PlugX variant with a wormable component that allowed it to spread through USB flash drives.\r\nAccording to court documents, the list of victims targeted using this malware includes \"European shipping companies in 2024, several European Governments from 2021 to 2023, worldwide Chinese dissident groups, and governments throughout the Indo-Pacific (e.g., Taiwan, Hong Kong, Japan, South Korea, Mongolia, India, Myanmar, Indonesia, Philippines, Thailand, Vietnam, and Pakistan).\"\r\n\"Once it has infected the victim computer, the malware remains on the machine (maintains persistence), in part by creating registry keys which automatically run the PlugX application when the computer is started,\" the affidavit reads. \"Owners of computers infected by PlugX malware are typically unaware of the infection.\"\r\nThis court-authorized action is part of a global takedown operation led by French law enforcement and cybersecurity company Sekoia. 
The operation started in July 2024, when French police and Europol removed the remote access trojan from infected devices in France.\r\n\"In August 2024, the Justice Department and FBI obtained the first of nine warrants in the Eastern District of Pennsylvania authorizing the deletion of PlugX from U.S.-based computers,\" the Justice Department said today.\r\n\"The last of these warrants expired on Jan. 3, 2025, thereby concluding the U.S. portions of the operation. In total, this court-authorized operation deleted PlugX malware from approximately 4,258 U.S.-based computers and networks.\"\r\nThe command sent to infected computers by the FBI told the PlugX malware to:\r\n1. Delete the files created by the PlugX malware on the victim's computer,\r\n2. Delete the PlugX registry keys used to automatically run the PlugX application when the victim computer is started,\r\n3. Create a temporary script file to delete the PlugX application after it is stopped,\r\n4. Stop the PlugX application, and\r\n5. Run the temporary file to delete the PlugX application, delete the directory created on the victim computer by the PlugX malware to store the PlugX files, and delete the temporary file from the victim computer.\r\nThe FBI is now notifying the owners of U.S.-based computers that have been cleaned of the PlugX infection through their internet service providers, and says the action did not collect information from the disinfected devices or affect them in any other way.\r\nCybersecurity firm Sekoia previously discovered a botnet of devices infected with the same PlugX variant, taking control of its command and control (C2) server at 45.142.166[.]112 in April 2024. 
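The following PowerShell is an added illustration, not code from the article, the DOJ filing or the FBI's tooling: it reconstructs the five-step removal sequence described above as a script a responder would run on the host. The process name, install directory, Run value name and dropped-file list are hypothetical parameters supplied from your own triage; the article publishes no such indicators and none are invented here.

```powershell
# Added example, not from the article, the DOJ filing or the FBI's tooling:
# a generic reconstruction of the five-step removal sequence the FBI sent to
# PlugX, written to run from a responder's PowerShell session on the host.
# Every indicator (process name, directory, Run value, dropped files) is a
# hypothetical parameter; take real values from your own triage of the box.
function Remove-AutorunImplant {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $ProcessName,    # image name without .exe
        [Parameter(Mandatory)] [string]   $InstallDir,     # directory the malware created
        [Parameter(Mandatory)] [string]   $RunValueName,   # Run value it added for persistence
        [string[]] $DroppedFiles = @()                     # files it wrote outside $InstallDir
    )

    $exe = Join-Path $InstallDir \"$ProcessName.exe\"

    # Step 1: delete files the malware dropped elsewhere on the system.
    foreach ($f in $DroppedFiles) {
        if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'Delete dropped file')) {
            Remove-Item -LiteralPath $f -Force
        }
    }

    # Step 2: remove the autorun value from the per-user and machine-wide Run keys.
    # Only remove a value that actually points at the implant, so a legitimate
    # entry that happens to share the name is left alone.
    foreach ($key in 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
                     'HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run') {
        $val = (Get-ItemProperty -Path $key -Name $RunValueName -ErrorAction SilentlyContinue).$RunValueName
        if ($val -and $val -like \"*$exe*\" -and
            $PSCmdlet.ShouldProcess(\"$key\\$RunValueName\", 'Remove autorun value')) {
            Remove-ItemProperty -Path $key -Name $RunValueName
        }
    }

    # Step 3: write a temporary batch script that deletes the executable, the
    # install directory and then itself. Windows refuses to delete a running image,
    # and a script cannot remove the directory it lives in, so the deletion is
    # handed to cmd.exe from %TEMP% and retried until the image lock is released.
    $tmp = Join-Path $env:TEMP ('cleanup-{0}.cmd' -f [guid]::NewGuid())
    $batch = @\"
@echo off
:retry
del /f /q \"$exe\" >nul 2>&1
if exist \"$exe\" (ping -n 2 127.0.0.1 >nul & goto retry)
rmdir /s /q \"$InstallDir\" >nul 2>&1
del /f /q \"%~f0\"
\"@
    if ($PSCmdlet.ShouldProcess($tmp, 'Write cleanup script')) {
        Set-Content -LiteralPath $tmp -Value $batch -Encoding ASCII
    }

    # Step 4: stop the implant. Match on the image path, not just the name, so an
    # unrelated process with the same name is not killed.
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -eq $exe } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess(\"$($_.Path) (PID $($_.Id))\", 'Stop process')) {
                Stop-Process -Id $_.Id -Force
            }
        }

    # Step 5: run the temporary script, which removes the executable, the directory
    # and finally the script file itself. Not waited on: the batch retries until
    # the image lock is gone, and a foreign handle on the file would block forever.
    if ((Test-Path -LiteralPath $tmp) -and $PSCmdlet.ShouldProcess($tmp, 'Run cleanup script')) {
        Start-Process -FilePath cmd.exe -ArgumentList ('/c \"{0}\"' -f $tmp) -WindowStyle Hidden
    }
}

# Dry run first (nothing is changed), then repeat without -WhatIf. Hypothetical values:
Remove-AutorunImplant -ProcessName 'svchost_x' -InstallDir 'C:\\ProgramData\\Example' `
    -RunValueName 'ExampleUpdater' -DroppedFiles 'C:\\Users\\Public\\example.dat' -WhatIf
```

Run it with -WhatIf first so every ShouldProcess gate prints what it would do without touching the host. The FBI did not have a responder session on each victim: it sent the command through PlugX's own C2 protocol, so the implant executed these steps on itself, which is exactly why the self-deleting temporary script (step 3) was needed, since a process cannot delete its own running image.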
Sekoia said that, over six months, the botnet's C2 server received up to 100,000 pings from infected hosts daily and had 2,500,000 unique connections from 170 countries.\r\nPlugX has been used in attacks since at least 2008, mainly in cyber espionage and remote access operations by groups linked to the Chinese Ministry of State Security. Multiple threat groups have used it to target government, defense, technology, and political organizations, primarily in Asia and later expanding to the rest of the world.\r\nSome PlugX builders have also been detected online, and some security researchers believe the malware's source code leaked around 2015. This, combined with the tool's many updates over the years, makes it very difficult to attribute the malware's development and use in attacks to a specific threat actor or agenda.\r\nThe PlugX malware features extensive capabilities, including collecting system information, uploading and downloading files, logging keystrokes, and executing commands.\r\nSource: https://www.bleepingcomputer.com/news/security/fbi-deletes-chinese-plugx-malware-from-thousands-of-us-computers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fbi-deletes-chinese-plugx-malware-from-thousands-of-us-computers/"
	],
	"report_names": [
		"fbi-deletes-chinese-plugx-malware-from-thousands-of-us-computers"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta",
				"HoneyMyte",
				"Mustang Panda",
				"Red Delta",
				"Red Lich",
				"Stately Taurus",
				"TA416",
				"Temp.Hex",
				"Twill Typhoon"
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/56211b1bd4ebb342590afb59bea4a8178068eebd.pdf",
		"text": "https://archive.orkl.eu/56211b1bd4ebb342590afb59bea4a8178068eebd.txt",
		"img": "https://archive.orkl.eu/56211b1bd4ebb342590afb59bea4a8178068eebd.jpg"
	}
}