FBI Wraps Up Eradication Effort of Chinese 'PlugX' Malware

The US Justice Department and the FBI said on Jan. 14 that they were able to delete "PlugX" malware from thousands of devices globally as part of a cooperative effort.
The operation spanned a series of months, targeting the work of a group of China-sponsored hackers known as "Mustang Panda" and "Twill Typhoon." The group used PlugX malware to infect victims' computers and steal their information.
According to court documents, the Chinese government paid the hacking group to develop their strain of PlugX.
Since 2014, the group has targeted thousands of victims across the US, Europe, and Asia, as well as Chinese dissident groups. Many victims are still unaware their devices remain infected with the malware.
"This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of [People's Republic of China] state-sponsored hackers," said US Attorney Jacqueline Romero.
French law enforcement led the international operation, and a French cybersecurity company, Sekoia.io, identified and reported the capability to send commands that instruct this PlugX variant to delete itself from infected devices.
The FBI tested the technique and deemed it viable, then obtained nine warrants authorizing it to begin deleting PlugX from US-based computers.