FBI Uses Malware’s Own ‘Self-Delete’ Trick to Erase Chinese PlugX From US Computers

Law enforcement turns the PlugX malware’s own self-delete mechanism against it, nuking the China-linked trojan from thousands of US machines.

The FBI, working in tandem with law enforcement authorities in France, has turned the PlugX malware’s own self-delete mechanism against it, erasing the China-linked remote access trojan from more than 4,200 infected computers in the United States.

Using court-approved access to a command-and-control (C2) server, investigators sent self-delete commands embedded within the malware’s functionality, wiping it clean without disrupting legitimate files or functions. 

The FBI operation, conducted alongside French law enforcement and the cybersecurity company Sekoia.io, targeted a version of the malware deployed by Mustang Panda, a hacking group linked to the Chinese government.

The PlugX malware, in circulation since at least 2008, has been publicly documented as a RAT (Remote Access Trojan) used as a backdoor to take full control of infected computers. Once the device is infected, PlugX allows Chinese hackers to harvest data, capture screenshots and keystrokes, reboot the system and manage processes, services and Windows registry entries.

In a published affidavit, the US Justice Department said French authorities gained access to a PlugX command-and-control server and hijacked the malware’s own “self-delete” mechanism to neutralize the threat.

“The international operation was led by French law enforcement and Sekoia.io, a France-based private cybersecurity company, which had identified and reported on the capability to send commands to delete the PlugX version from infected devices,” the agency said in a statement.

“Working with these partners, the FBI tested the commands, confirmed their effectiveness, and determined that they did not otherwise impact the legitimate functions of, or collect content information from, infected computers,” it added.

Notably, the owners of the infected computers had no knowledge of the operation. The FBI said it was working with ISPs to provide notice to US owners of Windows-based computers affected by the court-authorized operation.

“In August 2024, the Justice Department and FBI obtained the first of nine warrants in the Eastern District of Pennsylvania authorizing the deletion of PlugX from US-based computers. The last of these warrants expired on Jan. 3, 2025, thereby concluding the U.S. portions of the operation. In total, this court-authorized operation deleted PlugX malware from approximately 4,258 U.S.-based computers and networks,” the department said.

According to court documents, the Mustang Panda group behind the PlugX malware was paid by the Chinese government to manage cyber operations and develop this specific version of the malware.

“Since at least 2014, Mustang Panda hackers then infiltrated thousands of computer systems in campaigns targeting U.S. victims, as well as European and Asian governments and businesses, and Chinese dissident groups,” the Justice Department said, noting that despite multiple disclosures, owners of computers still infected with PlugX were typically unaware of the infection. 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
