The FBI Obtains a Court Order to Remove Malware from Windows Computers.
The FBI has obtained judicial authorization to remove the PlugX malware from computers in the United States. The malware has infected over 2.5 million devices worldwide, spreading through infected USB drives.
Malware of Chinese origin has been contained after the FBI obtained a court order allowing it to remove the malicious code from thousands of Windows computers. The malware, known as PlugX, has infected over 2.5 million devices worldwide by spreading through contaminated USB drives. The Department of Justice, working with the FBI, obtained legal authorization for the operation, which to date has eradicated the threat from approximately 4,260 devices and networks in the United States.
With the remediation under way, the FBI will notify the owners of the affected devices through their internet service providers. The operation shows the degree of control federal agencies can now exert over a serious cyber threat, and it underlines the importance of sustained cybersecurity research: the cleanup became possible only after private researchers analyzed the malware's command infrastructure. The Department of Justice has stated that the group behind the attacks is a hacking organization sponsored by the Chinese state, known as "Mustang Panda," which developed its own version of the PlugX malware for this campaign.
PlugX first appeared in 2008 as a backdoor that gave malicious actors covert remote control of Windows machines. In 2020, the malware was updated so that it could copy itself to USB drives and from there to any computer the drive was later plugged into. It is therefore described as "wormable": it spreads between machines on its own, via infected peripherals, without further action by the operators. The French cybersecurity company Sekoia noted that Mustang Panda eventually lacked the resources to maintain control over the very large number of systems it had infected with PlugX, and the group abandoned the infrastructure.
Antivirus vendor Sophos likewise observed many PlugX infections tied to a single IP address. In September 2023, Sekoia, working with another company, acquired that IP address for just $7, which gave it the ability to reach the infected machines that were still contacting it. Further analysis revealed a self-destruct command built into the PlugX code, which instructs the malware to delete itself from the host. In July 2024, French authorities authorized the use of this self-destruct mechanism to disinfect the affected machines, and since then 22 more countries have followed the same course of action.
Although the exact procedure U.S. agencies will use to remove the malware from domestic PCs has not been spelled out publicly, the FBI stated in a sworn declaration that it has tested the self-destruct command and confirmed that it only disables the malware, without affecting other functions of the device or installing any unauthorized code. Because the command is delivered through the same channel the malware already uses to contact its controllers, it only reaches machines that are still checking in with the seized IP address; owners of infected devices should therefore still expect, and act on, the notification sent through their internet service provider.