FBI, French Authorities Remove Chinese-Backed Malware from Thousands of U.S. Computers


The operation was led by French law enforcement with assistance from the France-based cybersecurity company Sekoia.io. The company had identified the capability to send commands that delete the malware from infected devices and played a critical role in the disinfection operation, which began in July 2023 and continued for several months. Sekoia had previously reported that the first known version of PlugX was seen during a Chinese campaign targeting government-related users and organizations in Japan. The malware initially targeted victims in Asia but gradually expanded its scope, and by 2012 it was targeting a broader range of victims worldwide.

According to the FBI, the collaboration with French partners allowed investigators to test and confirm that sending the delete command removed PlugX from infected devices. The malware variant spreads through a computer's USB ports, infecting attached USB devices, which can in turn infect other Windows-based computers they are later plugged into. After infection, the malware remains on the computer and communicates with a command-and-control server at an IP address that is difficult to change. The server can then send commands to the malware on the victim's device.
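As an added, defender-side illustration (not part of the original article or of the operation it describes): the paragraph above describes an infected host that keeps talking to one fixed command-and-control address, and that regularity is something network defenders can look for. The Python check below groups connection records by source and destination and flags pairs whose contact intervals are nearly constant. The flow-log lines are constructed, the addresses are RFC 5737 documentation ranges, and the thresholds are assumptions; it is a teaching example, not a PlugX signature.

```python
"""Flag hosts that contact one external address at regular intervals (beaconing).

Teaching example added alongside the article; the log lines are constructed and
the addresses are documentation ranges, not real infrastructure.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: "timestamp src dst dst_port".
# 10.0.0.5 contacts 203.0.113.10 every ~5 minutes (beacon-like).
# 10.0.0.7 contacts 198.51.100.20 at irregular, user-like times.
SAMPLE_FLOWS = """\
2023-07-10T09:00:00Z 10.0.0.5 203.0.113.10 443
2023-07-10T09:05:01Z 10.0.0.5 203.0.113.10 443
2023-07-10T09:10:00Z 10.0.0.5 203.0.113.10 443
2023-07-10T09:14:59Z 10.0.0.5 203.0.113.10 443
2023-07-10T09:20:00Z 10.0.0.5 203.0.113.10 443
2023-07-10T09:25:00Z 10.0.0.5 203.0.113.10 443
2023-07-10T09:01:13Z 10.0.0.7 198.51.100.20 443
2023-07-10T09:17:45Z 10.0.0.7 198.51.100.20 443
2023-07-10T09:18:02Z 10.0.0.7 198.51.100.20 443
2023-07-10T09:40:30Z 10.0.0.7 198.51.100.20 443
2023-07-10T09:55:10Z 10.0.0.7 198.51.100.20 443
"""


def parse_flows(text):
    """Yield (timestamp, src, dst) from 'ts src dst port' lines; blank lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        # 'Z' suffix is normalised so the parser works on Python < 3.11 as well.
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        yield ts, parts[1], parts[2]


def find_beacons(text, min_contacts=5, max_cv=0.2):
    """Return {(src, dst): (contacts, mean_interval_s, cv)} for regular beaconing pairs.

    A pair is flagged when it has at least `min_contacts` connections and the
    coefficient of variation (stdev / mean) of the gaps between them is at most
    `max_cv`; a low value means the host calls home on a fixed schedule.
    Both thresholds are assumptions and should be tuned per environment.
    """
    contacts = defaultdict(list)
    for ts, src, dst in parse_flows(text):
        contacts[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in contacts.items():
        if len(stamps) < min_contacts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = (len(stamps), round(avg, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst), (count, avg, cv) in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {count} contacts, every ~{avg}s (cv={cv})")
```

On the sample data only the 10.0.0.5 to 203.0.113.10 pair is reported; the irregular traffic from 10.0.0.7 is not. In practice a flagged pair is a lead for triage (check the destination's reputation and what process on the host owns the connection), and a confirmed command-and-control address is a candidate for an egress block, which is the network-side counterpart to the host disinfection the article describes.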