FBI disrupts Chinese PlugX botnet and charges Silk Typhoon-linked hackers
The FBI said it remotely removed PlugX malware from more than 4,200 U.S. computers after obtaining court authorization to dismantle infrastructure tied to a long-running Chinese cyber campaign. The malware, commonly associated with Chinese state-backed operators, had infected mostly small office and home office devices, and the bureau deleted the malicious files without collecting personal data from victims. Reporting put the total at 4,258 systems, underscoring the scale of the cleanup operation against a botnet that had quietly persisted on U.S. networks.
U.S. authorities later expanded the crackdown by unsealing charges against 12 Chinese nationals and seizing domains linked to a broader espionage and hacker-for-hire ecosystem associated with Silk Typhoon (also tracked as APT27 and formerly Hafnium). Prosecutors alleged that China’s security services used contractors, including i-Soon, to hack U.S. government agencies and other prominent targets, charging state customers roughly $10,000 to $75,000 per compromised email inbox and tying the activity to intrusions spanning more than a decade, including the U.S. Treasury breach. Italian authorities subsequently arrested an alleged Silk Typhoon-linked suspect wanted over cyberespionage tied to COVID-19 vaccine research.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Italy arrests alleged Silk Typhoon operative tied to vaccine spying
Italian authorities arrested an alleged Silk Typhoon operative accused in cyber-espionage activity related to COVID-19 vaccine targets. The arrest was reported in July 2025 as a new law-enforcement action connected to the campaign.
State Department offers rewards for two alleged Silk Typhoon members
The U.S. State Department offered rewards of up to $2 million for information leading to the arrest or conviction of alleged Silk Typhoon members Yin KeCheng and Zhou Shuai. The reward announcement accompanied the March 2025 law-enforcement disclosures.
Microsoft says Silk Typhoon is still targeting IT and government
Microsoft released a report stating that Silk Typhoon continued targeting IT companies and government agencies. The report coincided with the U.S. indictments and added current technical and attribution context to the campaign.
U.S. seizes domains linked to Silk Typhoon infrastructure
Alongside the indictments, U.S. authorities seized internet domains tied to the Silk Typhoon-linked espionage and hacker-for-hire campaign. The action was part of the broader March 2025 disruption and attribution effort.
U.S. charges 12 Chinese nationals tied to Silk Typhoon campaign
U.S. authorities announced criminal charges against 12 Chinese nationals linked to a long-running Chinese espionage and hacker-for-hire operation associated with Silk Typhoon, also known as APT27/Hafnium. Prosecutors said the campaign involved contractors and i-Soon working on behalf of Chinese security services.
FBI remotely deletes PlugX from 4,200+ U.S. computers
The FBI announced it had removed Chinese PlugX malware from roughly 4,200 to 4,258 infected U.S. computers using a court-authorized operation. The action was publicly disclosed in mid-January 2025.
PlugX malware infects thousands of U.S. computers
A variant of the Chinese-linked PlugX malware infected more than 4,200 U.S. computers, forming the basis for a later FBI court-authorized removal operation. The affected systems were described in January 2025 reporting as 4,200 to 4,258 devices.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Italy arrests alleged Silk Typhoon COVID vaccine cyberspy
theregister.com
Open sourceFeds name and charge alleged Silk Typhoon members
theregister.com
Open sourceFBI removes Chinese PlugX malware from 4,258 U.S. computers | TechTarget
techtarget.com
Open sourceFBI deleted Chinese malware from 4,200 US computers - Nextgov/FCW
nextgov.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Chinese APT Spearphishing Campaign Using Fake Cloudflare Lures to Deploy PlugX Malware
Chinese state-sponsored threat actors have launched a sophisticated spearphishing campaign targeting government and aviation agencies across Europe, including a Serbian aviation agency. The attackers crafted malicious emails that appeared to be related to European government business, enticing recipients to click on links that redirected them to fraudulent Cloudflare verification pages. These fake pages were designed to deliver malware payloads, specifically PlugX, Sogu, and Korplug, which are commonly associated with Chinese cyberespionage groups. The campaign began in late September and has affected organizations in Serbia, Italy, Belgium, Hungary, and the Netherlands. Security researchers have attributed the activity to Chinese APTs, with some overlap in tactics and malware families used by groups such as Mustang Panda and UNC6384. The PlugX malware, a remote access trojan, enables attackers to exfiltrate sensitive data and maintain persistent access within compromised networks. The campaign's use of legitimate-looking Cloudflare lures increases the likelihood of successful credential harvesting and malware deployment. In response to the widespread use of PlugX, U.S. law enforcement, including the Justice Department and FBI, conducted operations to remove the malware from thousands of infected computers in the United States. The campaign demonstrates a high level of operational security, leveraging tailored phishing lures and multi-stage infection chains to evade detection. Security researchers have noted that the attackers continuously adapt their techniques, making use of current events and trusted brands to increase the credibility of their phishing emails. The deployment of multiple malware families in a single campaign suggests a broad espionage objective, targeting both information theft and long-term access. The campaign's cross-border nature highlights the global reach of Chinese cyberespionage operations. Organizations are advised to implement robust email filtering, user awareness training, and endpoint detection to mitigate the risk of similar attacks. The incident underscores the persistent threat posed by Chinese APTs to critical infrastructure and government entities worldwide. Ongoing analysis by cybersecurity firms continues to reveal new indicators of compromise and evolving tactics associated with this campaign. The use of PlugX and related malware remains a hallmark of Chinese cyberespionage, with attackers refining their delivery methods to bypass traditional security controls. The campaign's discovery has prompted increased collaboration between international law enforcement and private sector security teams to disrupt the threat and protect targeted organizations.
Mar 21, 2026
FBI Dismantles 911 S5 Residential Proxy Botnet and Arrests Alleged Operator
U.S. authorities disrupted the **911 S5** residential proxy service, a botnet-backed platform that allegedly compromised millions of Windows devices and sold their IP addresses as proxies to cybercriminals. The FBI and international partners seized infrastructure tied to the service, while prosecutors charged and arrested the alleged administrator, identified as Chinese national YunHe Wang. According to investigators, the service enabled fraud, bomb threats, child exploitation, harassment, and large-scale financial crime by letting users route malicious traffic through unsuspecting victims’ home internet connections. The FBI’s IC3 warned that infected devices were commonly enrolled through VPN or pirated software bundles and urged users to scan for malware, remove suspicious applications, and reinstall operating systems if needed. The operation follows a broader U.S. strategy of court-authorized botnet disruption previously used against state-linked infrastructure, including the 2018 takedown of the **APT28** router botnet, underscoring continued law-enforcement use of technical and legal measures to seize command infrastructure and cut off criminal proxy networks.
May 25, 2026
US Disrupts Volt Typhoon KV Botnet Built on Compromised SOHO Routers
The U.S. Department of Justice said a court-authorized FBI operation disrupted the **KV Botnet**, a network of hundreds of compromised small office and home office routers that the PRC-linked group **Volt Typhoon** used to mask follow-on intrusions against U.S. and foreign targets, including critical infrastructure. Officials said the botnet relied heavily on end-of-life **Cisco** and **NetGear** devices, and that the FBI removed malware from affected U.S.-based routers and severed communications with botnet controllers without disrupting legitimate router functions or collecting content. The government tied the activity to broader Chinese pre-positioning against sectors including communications, energy, transportation, and water, while warning that unsupported devices remain vulnerable to reinfection unless replaced or fully remediated. Reporting on the takedown said the action mirrored earlier U.S. botnet disruptions such as the 2022 operation against **Cyclops Blink**, the **Sandworm/GRU** botnet that abused WatchGuard and ASUS devices as command-and-control infrastructure. Subsequent research from Censys found that KV Botnet control infrastructure evolved after the December 2023 disruption, with operators in the **JDY** cluster largely retaining the same infrastructure patterns while shifting hosting providers and continuing activity linked to vulnerable `Cisco RV320/RV325` routers. The researchers said the botnet’s comparatively exposed infrastructure did not fully match Volt Typhoon’s usual stealthy tradecraft, raising questions about whether the KV Botnet was operated directly by Volt Typhoon or by a separate but related actor.
May 25, 2026