marry, 08.01.2025, 14:00
Sekoia’s threat detection and research team, in cooperation with international authorities, conducted a disinfection campaign to remove the PlugX malware. The operation disinfected compromised systems in several countries.
The PlugX botnet, often associated with the Mustang Panda APT group, can spread via infected flash drives, which is why it is so widespread. After taking control of the key command and control (C2) server in 2023, Sekoia researchers analyzed the malware and proposed two potential disinfection methods – a self-delete command and a more advanced code execution method to clean the system and connected drives. The campaign primarily used a simpler, less intrusive approach to mitigate risk.
Responding to a public call for help, 34 countries requested logs to identify compromised networks, while 22 countries expressed interest in active disinfection.
Finally, disinfection operations were carried out in ten countries under the supervision of the Paris Public Prosecutor’s Office and the National Cyber Unit of the French Gendarmerie.
In order to simplify operations, a dedicated portal for disinfection was created. This platform allowed participating countries to log in, access detailed statistics on infected systems, and initiate disinfection campaigns by selecting specific networks or IP ranges, with minimal system disruption. During the campaign, 59,475 disinfection codes were sent to 5,539 IP addresses.
Although technically simple, from a legal point of view the operation was complex. The active participation of law enforcement and judicial authorities was key to aligning with the laws of individual countries.
Source: www.informacija.rs