PlugX USB worm Infected Over 2.5M Devices

In Cybersecurity News - Original News Source is by Blog Writer

Post Sharing

A new menace has emerged, affecting millions of devices worldwide.

The PlugX USB worm, a sophisticated malware, has been reported to have infected over 2.5 million devices, posing a significant threat to global cybersecurity.

The PlugX malware, initially identified several years ago, has gained fame for its resilience and ability to spread through USB drives.

In March 2023, cybersecurity experts at Sophos highlighted a variant of PlugX with enhanced worming capabilities that could jump borders and infiltrate networks undetected.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Infection Spread

By September 2023, the situation escalated when researchers successfully sinkhole a command and control (C2) server associated with the PlugX worms.

For a mere $7, they acquired a unique IP address linked to the worm variant, which revealed a staggering number of infected public IP addresses.

A graphic visualizing the spread of the PlugX USB worm across the globe, with hotspots indicating areas of high infection rates. (Source: Sekoia)

According to Sekoia’s findings, Despite the malware’s inception years prior, daily requests from approximately 90,000 to 100,000 unique IPs were still being sent to the sinkhole.

Over six months, more than 2.5 million unique IPs connected to it, indicating the worm’s extensive reach.


Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:


The battle against PlugX took a turn when experts cracked the cryptography of its communications.

This breakthrough allowed the development of disinfection commands that could be sent to compromised workstations.

Two methods were devised: one that cleanses the workstation and another, more intrusive technique that also purges the USB drive.

In an unprecedented move, a concept of sovereign disinfection was proposed. Law enforcement agencies and national Computer Emergency Response Teams were offered the tools to remove the malware from infected hosts remotely.

This approach aims to empower nations to take control of their cybersecurity by eliminating the threat from within their digital borders.

The PlugX USB worm’s vast infection rate is a stark reminder of the persistent threat cybercriminals pose.

While the worm cannot be entirely eradicated, the collaborative efforts of cybersecurity communities have opened a path to mitigating its impact.

The sovereign disinfection process is a novel strategy that offers a glimmer of hope in the fight against pervasive cyber threats.

The PlugX USB worm saga underscores the importance of global cooperation in cybersecurity and the need for continuous vigilance in an ever-changing threat landscape.

As the world becomes increasingly interconnected, resilient and adaptable cybersecurity measures will be paramount in safeguarding our digital future.

Indicators of compromise

Files Hashes


Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo