
FBI hacked thousands of computers to make malware uninstall itself

Photo by Amelia Holowaty Krales / The Verge

The FBI hacked about 4,200 computers across the US as part of an operation to find and delete PlugX, a malware used by state-backed hackers in China to steal information from victims, the Department of Justice announced on Tuesday.

In an unsealed affidavit, the FBI says the China-based hacking group known by the monikers “Mustang Panda” and “Twill Typhoon” has used PlugX to infect thousands of Windows computers in the US, Asia, and Europe since at least 2012. The malware, which infects computers through their USB ports, operates in the background while allowing hackers to “remotely access and execute commands” on victims’ computers.

To do this, infected computers contact a command-and-control server run by the hackers, which has its IP address hard-coded into the malware. From there, hackers can remotely access users’ files and obtain information about infected computers, such as their IP addresses. At least 45,000 IP addresses in the US have contacted the command-and-control server since September 2023, according to the FBI.

The FBI used this same command-and-control channel to remove PlugX from infected computers. In collaboration with French law enforcement, which launched a PlugX deletion operation of its own, the FBI gained access to the command-and-control server and requested the IP addresses of infected computers. It then sent a native command to make PlugX delete the files it created on victims’ computers, stop the PlugX application from running, and delete the malware after it’s stopped.

Last year, the FBI similarly dismantled a network of infected Quakbot computers by instructing devices to download software to uninstall the malware. The agency also remotely hacked hundreds of computers to protect them from the Hafnium hack in 2021.
