China's Salt Typhoon campaign may have impacted every American.

Summary

By the CyberWire staff

At a glance.

China's Salt Typhoon campaign may have impacted every American.
Extortion group claims responsibility for Jaguar Land Rover attack.
XWorm RAT grows stealthier.

China's Salt Typhoon campaign may have impacted every American.

The New York Times reports on the significance of China's Salt Typhoon campaign, noting that the cyberespionage operation may have gathered information on every American. Cynthia Kaiser, the FBI's former Deputy Assistant Director who oversaw an investigation into Salt Typhoon, told the Times that the scope of the campaign was much broader than typical cyberespionage activity. The widespread operation swept up information from "telecommunications, government, transportation, lodging, and military infrastructure networks."

Western allies—including the US, UK, Canada, Finland, Germany, Italy, Japan, and Spain—issued a "name-and-shame" statement on Salt Typhoon last week, linking the activity to several Chinese technology companies that provide services to Beijing's People's Liberation Army and Ministry of State Security.

Control what runs in your environment. Reduce your attack surface.

ThreatLocker helps organizations reduce risk by allowing trusted applications to run while limiting their access to only the resources they need. It’s a straightforward, default deny approach that gives you more control and visibility—without slowing down operations. Explore how ThreatLocker can help simplify your security strategy.

Extortion group claims responsibility for Jaguar Land Rover attack.

A criminal collective calling itself "Scattered Lapsus$ Hunters" has claimed responsibility for a disruptive attack against Jaguar Land Rover (JLR), the BBC reports. The hackers, who are thought to be English-speaking teenagers, chose the name due to their prior associations with the criminal groups Shiny Hunters, Lapsus$, and Scattered Spider. The group is attempting to extort JLR as they brag about the hack on Telegram. The BBC notes that the UK's National Crime Agency recently arrested four alleged Scattered Spider members accused of hacking M&S, Co-op, and Harrods earlier this year.

JLR is still working to recover operations at its two primary plants in the UK. The Telegraph reports that more than a million drivers are unable to get repairs as dealerships cannot obtain parts for Jaguar or Land Rover vehicles.

DMV Rising, D.C.’s Premier Conference for Cyber Execs.

The Washington, D.C. Maryland, and Virginia (DMV) region has established itself as a top-tier player in the global cyber industry. Join us on September 18, 2025 to celebrate the remarkable accomplishments of the DMV's cybersecurity community, connect with the brilliant minds shaping the future of the field, and experience firsthand why the DMV region is the beating heart of cyber innovation. Register now to secure your spot.

XWorm RAT grows stealthier.

Trellix has published a report on the evolution of the XWorm backdoor's infection chain, noting "a deliberate move towards more deceptive and intricate methods." The researchers explain, "The XWorm malware infection chain has evolved to include additional techniques beyond traditional email-based attacks. While email and .lnk files remain common initial access vectors, XWorm now also leverages legitimate-looking .exe filenames to disguise itself as harmless applications, exploiting user and system trust. This marks a shift towards combining social engineering with technical attack vectors for greater effectiveness."

Notes.

Today's issue includes events affecting Canada, China, Finland, Germany, Italy, Japan, Spain, the United Kingdom, and the United States.

Attacks, Threats, and Vulnerabilities

Sangoma Patches Critical Zero-Day Exploited to Hack FreePBX Servers (SecurityWeek) Tracked as CVE-2025-57819 (CVSS score of 10/10), the bug is described as an insufficient sanitization of user-supplied data.

GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes (ESET) ESET researchers have identified a new threat actor targeting Windows servers with a passive C++ backdoor and a malicious IIS module that manipulates Google search results.

XWorm’s Evolving Infection Chain: From Predictable to Deceptive (Trellix) A sophisticated and evolving prevalent XWorm backdoor campaign has recently been identified by the Trellix Advanced Research Center, marking a significant strategic shift in the malware's deployment.

Litigation, Investigation, and Law Enforcement

US offers $10 million bounty for info on Russian FSB hackers (BleepingComputer) The U.S. Department of State is offering a reward of up to $10 million for information on three Russian Federal Security Service (FSB) officers involved in cyberattacks targeting U.S. critical infrastructure organizations on behalf of the Russian government.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

DMV Rising '25 (Washington, DC, USA, Sep 18, 2025) Join us on September 18, 2025 to celebrate the remarkable accomplishments of the DMV's cybersecurity community, connect with the brilliant minds shaping the future of the field, and experience firsthand why the DMV region is the beating heart of cyber innovation. Register now to secure your spot.

HackAICon 2025 (Lisbon, Portugal, Sep 25, 2025) The first conference dedicated to combining AI and Ethical Hacking. We're bringing together OffSec pros, hackers, and leading researchers to find practical ways of using AI to secure the internet. Learn about the latest AI Hacking cosmic trends and connect with fellow professionals in engaging conversations. We banned sales pitches from the event - just knowledge sharing, leadership and technical insights.

Don’t miss Jen Easterly, former CISA Director, headlining HIP Conf 25 (Charleston, SC, USA, Oct 7 - 9, 2025) Jen Easterly, former CISA Director, keynotes HIP Conf 2025. A globally recognized cybersecurity leader, Easterly brings unmatched insight into hybrid identity security and resilience. Register now for this must-attend event.

Uniting Women in Cyber 2025 (Crystal City, Virginia, USA, Oct 9, 2025) UWIC is the premier event for cybersecurity leaders, professionals, and aspiring practitioners. Connect with a vibrant community focused on emerging global trends, technological advancements, and workforce development. Attend UWIC 2025 to learn, share ideas, and expand your professional network!

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 09.04.25

At a glance.

China's Salt Typhoon campaign may have impacted every American.

Extortion group claims responsibility for Jaguar Land Rover attack.

XWorm RAT grows stealthier.

Notes.

Attacks, Threats, and Vulnerabilities

Litigation, Investigation, and Law Enforcement

Events