US Feds Deleted Chinese-Implanted PlugX Malware From Thousands of Systems
Biden to effectively bar many Chinese-made connected vehicles, US, S. Korea, and Japan say DPRK hackers stole $659m in 2024, Microsoft issued 161 Patch Tuesday fixes, Another Fortinet zero day exploited in the wild, CISA issues AI playbook, Woman bilked of savings by deepfake Brad Pitt, much more
Don't miss my latest CSO piece that examines the draft cybersecurity executive order the Biden White House is expected to release this week.
Please consider upgrading your subscription if you value Metacurity's daily delivery of the most critical infosec developments you and your colleagues should know. Thank you.
The US Department of Justice and FBI said they had disrupted the operations of a Chinese state-backed hacking group, tracked as Twill Typhoon or Mustang Panda, that infiltrated millions of computers worldwide to steal data in a years-long espionage campaign. In a court-authorized operation beginning in August 2024, the feds deleted the group's PlugX malware from thousands of infected systems across the US.
French authorities led the operation with assistance from Paris-based cybersecurity company Sekoia.
Sekoia said it developed the capability to send commands to infected devices that caused PlugX to delete itself, using a self-delete command native to the malware. US authorities said the operation removed the malware from more than 4,200 infected computers in the United States.
In court records filed in federal court in Pennsylvania, the FBI said it had observed the malware, typically delivered to a target's device via a USB drive, as early as 2012, and that Chinese state-backed hackers had used it since 2014.
Once installed, the PlugX malware "collects and stages the victim's computer files for exfiltration," the FBI said. French authorities say the malware is "used in particular for espionage purposes."
While specific victims of this hacking campaign have not been named, the FBI says that Twill Typhoon infiltrated the systems of "numerous" government and private organizations, including in the United States. Significant targets include European shipping companies, several European governments, Chinese dissident groups, and various governments throughout the Indo-Pacific region, according to the FBI.
The US Justice Department accused the Chinese government of paying the Twill Typhoon group to develop the PlugX malware. China has long denied these hacking allegations. (Carly Page / TechCrunch)
Related: Justice Department, Justice Department, Sekoia, BleepingComputer, CyberScoop, The Record, PCMag, The Register, Reuters, Gizmodo, Engadget, Dark Reading, The Verge, DeviceSecurity.io, Nextgov/FCW, r/cybersecurity, The Stack, CSO Online, Cybernews, UPI, Digital Trends, The Cyber Express
President Joe Biden's outgoing administration is finalizing rules that will effectively bar nearly all Chinese cars and trucks from the US market as part of a crackdown on vehicle software and hardware from China.
"It's really important because we don't want two million Chinese cars on the road and then realize ... we have a threat," Commerce Secretary Gina Raimondo said, citing national security concerns.
In September, her department proposed a sweeping ban on key Chinese software and hardware in connected vehicles on American roads, with the software prohibitions taking effect in the 2027 model year and the hardware prohibitions in 2029. The proposed rules also bar Chinese car companies from testing self-driving cars on US roads.
In the final rules, the US Commerce Department said it was making some changes, such as exempting vehicles heavier than 10,000 pounds from the requirements, which would let China's BYD continue to assemble electric buses in California.
The department said it planned to propose rules soon barring Chinese software and hardware in larger commercial vehicles, including trucks and buses. A final decision will be up to the incoming Trump administration. (David Shepardson / Reuters)
Related: White House, Bureau of Industry and Security, Land Line, MeriTalk, Debbie Dingell, TechCrunch, The Record, Cybernews, VOA News, ABC News, South China Morning Post
In a rare joint statement, Japan, South Korea, and the United States said North Korean-backed hackers stole at least $659 million through multiple cryptocurrency heists in 2024 while also deploying IT workers to infiltrate blockchain companies as insider threats.
The announcement provided the first official confirmation that North Korea was behind July’s $235 million hack of WazirX, India’s largest cryptocurrency exchange. The July 2024 breach forced WazirX to suspend trading and later restructure the firm.
According to the joint statement, other significant attacks included a $308 million theft from Japan’s DMM Bitcoin, $50 million each from Upbit and Radiant Capital, and $16.13 million from Rain Management.
The statement says the Lazarus Group, a known threat group of North Korean hackers, conducted social engineering attacks and deployed cryptocurrency-stealing malware like TraderTraitor to breach exchanges while infiltrating companies by having North Korean IT workers pose as job candidates. (Manish Singh / TechCrunch)
Related: State Department, Mofa.go.jp, The Verge, BleepingComputer, Inc42 Media, Coinspeaker, The Economic Times, Business Today, PCMag, The Crypto Times, Moneycontrol, Security Week, Bitcoinist, Cointelegraph, Korea Times
In its first Patch Tuesday updates for the year, Microsoft released fixes for a whopping 161 security vulnerabilities in Windows and related software, including three "zero-day" weaknesses that are already under active attack.
The Microsoft flaws already seen in active attacks are CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335. Their identifiers are sequential because they all reside in Windows Hyper-V, a component heavily embedded in modern Windows 11 systems and relied on by security features such as Device Guard and Credential Guard.
Little is known about the in-the-wild exploitation of these flaws, apart from the fact that they are all "elevation of privilege" vulnerabilities. Satnam Narang of Tenable said we tend to see a lot of elevation of privilege bugs exploited in the wild as zero-days on Patch Tuesday because initial access to a system is not always the challenge for attackers, who have various avenues in their pursuit.
Several of the addressed bugs earned CVSS severity scores of 9.8 out of a possible 10, including CVE-2025-21298, a weakness in Windows that could allow attackers to run arbitrary code by getting a target to open a malicious .rtf file, a document type typically opened in Office applications such as Microsoft Word. Microsoft has rated this flaw "exploitation more likely."
One interesting flaw (CVE-2025-21210) that Microsoft fixed is in its full-disk encryption suite BitLocker, which Microsoft also rated "exploitation more likely." Specifically, this bug holds out the possibility that, in some situations, the hibernation image created when one closes the laptop lid on an open Windows session may not be fully encrypted, so that its contents could be recovered in plaintext by someone with physical access to the disk.
The software giant also fixed a trio of vulnerabilities in Microsoft Access, which were credited to Unpatched.ai, a security research effort aided by artificial intelligence that looks for vulnerabilities in code.
Tracked as CVE-2025-21186, CVE-2025-21366, and CVE-2025-21395, these are remote code execution bugs that can be exploited if an attacker convinces a target to download and run a malicious file through social engineering. Unpatched.ai was also credited with discovering a flaw in the December 2024 Patch Tuesday release (CVE-2024-49142). (Brian Krebs / Krebs on Security)
Related: Microsoft, Microsoft, Bleeping Computer, The Stack, Neowin, Help Net Security, XDA, The Register, Security Week, Zero Day Initiative, CRN, Forbes, Ask Woody, SANS Internet Storm Center, Patch Tuesday, Bleeping Computer, Infosecurity Magazine, Crowdstrike, SecurityBrief New Zealand, Tenable
Security product maker Fortinet confirmed that a critical-rated vulnerability in its FortiGate firewalls, tracked as CVE-2024-55591, is "being exploited in the wild."
Fortinet has made patches available, but security researchers at Arctic Wolf warned that hackers have been mass-exploiting the vulnerability since December as a zero-day, that is, before Fortinet was aware of the vulnerability and had fixes available.
This is the latest example of hackers exploiting a vulnerability in a popular enterprise security product designed to protect corporate networks from intruders.
The Fortinet bug was discovered days after it was revealed that attackers were exploiting a separate zero-day flaw in Ivanti VPN servers that allows access to customers’ networks.
It's unclear who is behind the attacks on Fortinet firewalls, but cybersecurity researcher Kevin Beaumont said that the vulnerability is “under exploitation by a ransomware operator.” (Carly Page / TechCrunch)
Related: Fortiguard Labs, Arctic Wolf, Dark Reading, Tech Radar, Techzine, The Cyber Express
The US Cybersecurity and Infrastructure Security Agency (CISA) released an AI cybersecurity collaboration playbook that provides guidance to public-private partners on disclosing AI incidents and vulnerabilities while detailing the agency's steps to bolster collective defense with shared information.
CISA said it developed the Joint Cyber Defense Collaborative AI Cybersecurity Collaboration Playbook with federal partners, including the FBI, National Security Agency AI Security Center, and industry partners such as AWS, Nvidia, IBM, Microsoft, and OpenAI.
The playbook calls for proactive information sharing about malicious activity to help detect critical threats early. AI developers and private-sector companies can coordinate within JCDC and voluntarily report cyber incidents to CISA.
The guidance comes after the Department of Homeland Security Office of Inspector General found the agency's top threat-sharing initiative faced significant hurdles, from mounting security concerns and plummeting participation to lacking a recruitment strategy. (Chris Riotta / BankInfoSecurity)
Related: JCDC, The Mainstream
A French woman named Anne told the "Seven to Eight" program on the TF1 channel that she had believed she was in a romantic relationship with Hollywood star Brad Pitt, leading her to divorce her husband and transfer 830,000 euros ($850,000) to a deepfake AI scammer posing as Pitt.
To extract money, the scammers pretended that the 61-year-old actor needed money to pay for kidney treatment, with his bank accounts supposedly frozen because of divorce proceedings with his ex-wife Angelina Jolie.
Anne, a 53-year-old interior decorator with mental health problems, spent a year and a half believing she was communicating with Pitt. She only realized she had been scammed when news emerged of Pitt's real-life relationship with his girlfriend Ines de Ramon. (AFP)
Related: Hollywood Reporter, Men's Journal, Telegraph, National Post, CNA, Entertainment Weekly, Newsweek, Roger Grimes
Best Thing of the Day: Always Be Prepared
The CEO of the Calgary Public Library in Canada said his organization was “well prepared” to handle a ransomware attack in October and has now fully restored services.
Worst Thing of the Day: Lies, Damn Lies, and Facebook
In addition to jettisoning its fact-checking services, fading former social media giant Facebook has also decided to stop penalizing blatant lies and misinformation.