FBI forces Chinese malware to delete itself from thousands of US computers
arstechnica.com
Delete yourself

Self-delete commands sent from commandeered server to malware on infected PCs.

Jon Brodkin, Jan 14, 2025 5:51 pm

Credit: Getty Images | Yuichiro Chino

The FBI said today that it removed Chinese malware from 4,258 US-based computers and networks by sending commands that forced the malware to use its "self-delete" function.

The People's Republic of China (PRC) government paid the Mustang Panda group to develop a version of PlugX malware used to infect, control, and steal information from victim computers, the FBI said. "Since at least 2014, Mustang Panda hackers then infiltrated thousands of computer systems in campaigns targeting US victims, as well as European and Asian governments and businesses, and Chinese dissident groups," the FBI said.

The malware has been known for years, but many Windows computers were still infected while their owners were unaware. The FBI learned of a method to remotely remove the malware from a French law enforcement agency, which had gained access to a command-and-control server that could send commands to infected computers.

"When a computer infected with this variant of PlugX malware is connected to the Internet, the PlugX malware can send a request to communicate with a command-and-control ('C2') server, whose IP address is hard-coded in the malware. In reply, the C2 server can send several possible commands to the PlugX malware on the victim computer," stated an FBI affidavit that was made on December 20 and unsealed today.

As it turns out, the "PlugX malware variant's native functionality includes a command from a C2 server to 'self-delete.'" This deletes the application, files created by the malware, and registry keys used to automatically run the PlugX application when the victim computer is started.

"When computers infected with PlugX malware communicate with the C2 server... the FBI (working with the French law enforcement agency) can identify the US-based target devices by sending a command from the C2 server using the PlugX malware's native functionality, requesting each infected computer's IP address," the affidavit said. "Then, the FBI (working with the French law enforcement agency) will send a command from the C2 server through the PlugX malware to self-delete the software from each US-based target device."

Sekoia.io, a French security company, "identified and reported on the capability to send commands to delete the PlugX version from infected devices," the FBI said.

The affidavit, filed in US District Court for the Eastern District of Pennsylvania, said the FBI tested the self-delete command and confirmed that it doesn't affect any legitimate functions or files and doesn't transmit any data from the target devices. The FBI said it obtained nine warrants between August and December 2024 authorizing the deletion of PlugX from US-based computers.

The FBI said it provided notices to Internet service providers that host the IP addresses used by the victims, and that the notices ask each ISP to inform customers of the malware deletion. The operation was similar to one conducted a year ago on hundreds of infected routers.

Jon Brodkin, Senior IT Reporter: Jon is a Senior IT Reporter for Ars Technica.
He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.
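The two-step sequence the affidavit describes (ask each beaconing host for its IP address, then send the malware's own self-delete command only to hosts inside the authorized scope) can be sketched as a small simulation. This is an added example, not code from the article, from the FBI, from Sekoia.io, or from PlugX: the command names REPORT_IP and SELF_DELETE, the Implant class, the JSON file that stands in for a Windows Run registry key, and the GEO lookup table are all constructed stand-ins, not the real malware's wire protocol or persistence mechanism.

```python
"""Toy simulation of remediation from a commandeered C2 server.

Everything here is hypothetical: a constructed command set, a constructed
IP-to-country table, and files in a temp directory standing in for the
malware's executable, its data files, and its autorun registry key.
"""
import ipaddress
import json
import os
import tempfile

# Constructed lookup standing in for the geolocation an operator would use
# to restrict the action to devices covered by the warrants.
GEO = {"198.51.100.7": "US", "203.0.113.9": "FR", "192.0.2.44": "US"}


class Implant:
    """Stand-in for an infected host: an executable, a data file, and an
    'autorun' JSON entry playing the role of the Run registry key."""

    def __init__(self, ip, root):
        self.ip = ip
        self.exe = os.path.join(root, "implant.exe")
        self.cfg = os.path.join(root, "config.dat")
        self.autorun = os.path.join(root, "autorun.json")
        for path in (self.exe, self.cfg):
            with open(path, "wb") as f:
                f.write(b"\x00" * 16)
        with open(self.autorun, "w") as f:
            json.dump({"Run": {"Updater": self.exe}}, f)
        self.sent = []  # everything this host transmitted back to the C2

    def handle(self, cmd):
        """Process one command from the C2; mirrors the two commands the
        affidavit relies on (hypothetical names)."""
        if cmd == "REPORT_IP":
            self.sent.append(self.ip)
            return self.ip
        if cmd == "SELF_DELETE":
            # Remove only the malware's own artifacts and its autorun entry.
            for path in (self.exe, self.cfg):
                if os.path.exists(path):
                    os.remove(path)
            with open(self.autorun, "w") as f:
                json.dump({"Run": {}}, f)
            return "OK"
        return "UNKNOWN"

    def is_clean(self):
        with open(self.autorun) as f:
            run = json.load(f)["Run"]
        return not os.path.exists(self.exe) and not os.path.exists(self.cfg) and not run


def remediate(implants, authorized_country="US"):
    """C2 side: identify each beaconing host by IP, then issue SELF_DELETE
    only to hosts inside the authorized jurisdiction. Returns the IPs
    that were cleaned and the IPs that were deliberately skipped."""
    deleted, skipped = [], []
    for imp in implants:
        ip = imp.handle("REPORT_IP")
        ipaddress.ip_address(ip)  # reject malformed replies before the lookup
        if GEO.get(ip) == authorized_country:
            imp.handle("SELF_DELETE")
            deleted.append(ip)
        else:
            skipped.append(ip)
    return deleted, skipped


def run_demo():
    """Build one implant per constructed IP and run the remediation pass."""
    implants = [Implant(ip, tempfile.mkdtemp()) for ip in GEO]
    deleted, skipped = remediate(implants)
    return deleted, skipped, implants


if __name__ == "__main__":
    d, s, hosts = run_demo()
    print("cleaned:", d)
    print("skipped (out of scope):", s)
    print("all clean:", [(h.ip, h.is_clean()) for h in hosts])
```

The two properties the affidavit stresses show up as checks a tester can make against the implants afterwards: each host transmitted nothing but its own IP, and the out-of-scope host still has its files and autorun entry intact while the in-scope hosts have neither.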