FBI, French Authorities Remove Chinese-Backed Malware from Thousands of U.S. Computers


The affidavit filed with the case stated that Mustang Panda, also known as “Twill Typhoon,” had been using PlugX malware since at least 2014. The group infiltrated computer systems belonging to both government and private organizations, including in the United States. As of September 2023, at least 45,000 IP addresses in the U.S. had interacted with a specific command-and-control server linked to Mustang Panda.

The malware variant in question includes a “self-delete” command, which instructs the malware to delete files it created on the infected computer and cease its operation. The FBI confirmed that the self-delete command did not affect legitimate files or operations on the victim’s device. Working with French authorities, the FBI was able to send the self-delete command to over 4,200 infected U.S. computers, removing the malware from these networks.

The U.S. Department of Justice and FBI obtained the first of nine court-approved warrants in the Eastern District of Pennsylvania in August 2023. The final warrant expired on January 3, 2024. In total, this court-authorized operation removed PlugX malware from approximately 4,258 U.S.-based computers and networks.
