US takes down China-backed hackers' malware in global cyber operation


ORGANIZATIONS IN THIS STORY

U.S. Attorney Jacqueline C. Romero | U.S. Department of Justice

United States authorities, in collaboration with international partners, have conducted a law enforcement operation to delete malware from thousands of computers globally. The operation targeted "PlugX" malware used by hackers allegedly sponsored by the People’s Republic of China (PRC), identified as "Mustang Panda" and "Twill Typhoon."

According to court documents unsealed in the Eastern District of Pennsylvania, these hackers were reportedly paid by the PRC government to develop and deploy this version of PlugX. Since 2014, they have infiltrated numerous computer systems worldwide, affecting U.S. victims, European and Asian governments and businesses, as well as Chinese dissident groups.

“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers,” stated U.S. Attorney Jacqueline C. Romero. She emphasized the Justice Department's commitment to cybersecurity through this operation.

Wayne Jacobs, FBI Philadelphia Special Agent in Charge, remarked on the scope of the operation: “The FBI worked to identify thousands of infected U.S. computers and delete the PRC malware on them. The scope of this technical operation demonstrates the FBI’s resolve to pursue PRC adversaries no matter where they victimize Americans.”

French law enforcement led the international effort together with Sekoia.io, a France-based cybersecurity company that identified commands capable of removing PlugX from infected devices. The FBI tested these commands to confirm that they removed the malware without affecting legitimate computer functions.

In August 2024, U.S. authorities obtained warrants authorizing deletion of PlugX from domestic systems; by January 3, 2025, the operation had addressed approximately 4,258 infections.

The FBI’s Philadelphia Field Office and the other divisions that led the domestic operation are notifying U.S.-based victims of this action through their internet service providers.

The investigation into Mustang Panda's activities is ongoing. Individuals who suspect their devices are compromised are encouraged to report via the FBI’s Internet Crime Complaint Center or to contact their local field office directly.
