Security News > 2024 > April > Researchers sinkhole PlugX malware server with 2.5 million unique IPs
Researchers have sinkholed a command and control server for a variant of the PlugX malware and observed in six months more than 2.5 million connections from unique IP addresses.
Since September 2023, when Sekoia captured the unique IP address associated with the particular C2, it has logged over 2,495,297 unique IPs from 170 countries interacting with its sinkhole.
Researchers at cybersecurity company Seqoia spent $7 to acquire the IP address 45.142.166[.]112 corresponding to a command and control server for a variant of the PlugX malware that the threat actor no longer uses.
The sinkhole operation revealed that between 90,000 and 100,000 systems were sending requests daily, and over six months more than 2.5 million unique IPs connected to the server from all over the world.
Even if the malware is removed from the host, there is still a risk of re-infection because the malware spreads over USB devices, and cleaning them is not possible this way.
Sequia researchers say that the botnet built with the sinkholed version of PlugX can be considered as "Dead" because the malware operators are no longer in control.