"This large-scale hacking and long-term infection of thousands of Windows computers, including many personal computers in the United States, demonstrates the recklessness and aggressiveness of state-sponsored PRC hackers," said U.S. Attorney for the Eastern District of Pennsylvania Jacqueline Romero. "Working alongside international and private partners, the Department of Justice's court-ordered operation to eliminate the PlugX malware demonstrates its commitment to a 'whole of society' approach to protecting American cybersecurity."
The FBI worked to identify thousands of infected American computers and remove the PRC malware from them. "The magnitude of this technical operation demonstrates the FBI's determination to go after PRC adversaries, no matter where they victimize Americans," said Special Agent in Charge Wayne Jacobs of the FBI's Philadelphia Field Office.
The international operation was conducted by French law enforcement and Sekoia.io, a private cybersecurity firm based in France, which had identified and reported the ability to send commands to remove the PlugX version from infected devices. Working with these partners, the FBI tested the commands, confirmed their effectiveness, and determined that they did not affect the legitimate functions of the infected computers or collect information about their contents. In August 2024, the Department of Justice and the FBI obtained the first of nine warrants from the Eastern District of Pennsylvania authorizing the removal of PlugX from U.S.-based computers. The last of these warrants expired on January 3, 2025, ending the U.S. portion of the operation. In total, this court-authorized operation removed the PlugX malware from approximately 4,258 U.S.-based computers and networks. The FBI, through the victims' Internet service providers, is notifying U.S. owners of affected Windows computers of the court-authorized operation. The FBI's Philadelphia Field Office and Cyber Division, the U.S. Attorney's Office for the Eastern District of Pennsylvania, and the National Cybersecurity Section of the Department of Justice's Homeland Security Division conducted the domestic disruption operation. This operation would not have been possible without the valuable collaboration of the cyber division of the Paris Prosecutor's Office, the French Gendarmerie's C3N cyber unit, and Sekoia.io.
The FBI continues to investigate Mustang Panda's computer intrusion activities. If you believe you have a compromised computer or device, please visit the FBI's Cybercrime Complaint Center (IC3). You can also contact your local FBI office directly. The FBI strongly encourages the use of antivirus software and the application of software security updates to help prevent reinfection.