PHILADELPHIA, PA — The U.S. Department of Justice and the FBI have concluded an extensive international operation that successfully removed PlugX malware from more than 4,200 computers across the United States. The operation, carried out with global partners, targeted a version of the malware deployed by hackers linked to the People’s Republic of China (PRC).
Known as “Mustang Panda” or “Twill Typhoon” in the private sector, the state-sponsored group used PlugX to infiltrate computer systems, steal confidential data, and gain control of devices. Victims included individuals, businesses, and governments across the U.S., Europe, and Asia, as well as Chinese dissidents. These activities reportedly stretched back to at least 2014, according to unsealed court documents in the Eastern District of Pennsylvania.
“This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers,” said U.S. Attorney Jacqueline C. Romero. “Working alongside both international and private sector partners, the Department of Justice’s court-authorized operation to delete PlugX malware proves its commitment to a ‘whole-of-society’ approach to protecting U.S. cybersecurity.”
To combat the threat, French cyber law enforcement and private cybersecurity firm Sekoia.io joined forces with U.S. authorities. After identifying the potential to eliminate the malware on infected devices, the FBI verified the method’s effectiveness, ensuring it did not disrupt legitimate computer functions.
Beginning in August 2024, the DOJ and FBI obtained nine court warrants authorizing PlugX deletions from U.S.-based computers. The final warrant expired in January 2025, marking the conclusion of the operation in the United States. Domestic efforts resulted in the removal of malware from approximately 4,258 devices.
FBI Philadelphia worked with domestic and international partners, including the Cyber Division of the Paris Prosecution Office and the French Gendarmerie Cyber Unit, during this intricate operation. “The scope of this technical operation demonstrates the FBI’s resolve to pursue PRC adversaries no matter where they victimize Americans,” said FBI Philadelphia Special Agent in Charge Wayne Jacobs.
The FBI is notifying affected computer owners through their internet service providers and continues its investigation into Mustang Panda’s cyber activities. Anyone suspecting a compromised device is encouraged to contact the FBI’s Internet Crime Complaint Center or their local office. FBI Philadelphia can be reached at 215-418-4000.