Ethical Hacking News
Charon Ransomware attacks Middle East public sector and aviation industry using advanced persistent threat (APT)-style tactics, including DLL side-loading, process injection, and EDR evasion. The campaign highlights the growing convergence of APT methods with ransomware, increasing risks to organizations.
Charon, a newly discovered ransomware family, has been used in a targeted attack against the Middle East's public sector and aviation industry. According to Trend Micro researchers, the threat actor behind this campaign employed tactics that mirror those of advanced persistent threat (APT) groups, such as DLL side-loading, process injection, and EDR evasion.
The Charon attack abused a legitimate browser-related file, Edge.exe, to sideload a malicious msedge.dll (SWORDLDR), which in turn deployed the Charon ransomware payload. The payload was delivered through layered encryption and process injection, allowing the malware to masquerade as a legitimate Windows service while it encrypted files and dropped ransom notes.
The ransomware used a driver compiled from the open-source Dark-Kill project designed to disable endpoint detection and response solutions. It also deleted backups and Recycle Bin contents to maximize disruption, utilizing multithreading to speed up the encryption process. Files were partially encrypted with Curve25519 + ChaCha20, avoiding certain extensions, and marked with "Charon" plus an infection tag.
The malware spreads via network shares, drops victim-specific ransom notes, and contains a dormant Dark-Kill-based EDR-disabling driver, suggesting ongoing development. The experts noted that the campaign highlights the growing convergence of APT methods with ransomware, increasing risks to organizations.
One notable aspect of the Charon ransomware is its use of advanced encryption capabilities and operational features, including command-line arguments to log errors, target specific network shares or paths, and change encryption order. It creates a mutex ("OopsCharonHere") and disables security tools, such as endpoint detection and response solutions.
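As an added defender-side example (not code from the article or from Trend Micro), the following Python script hunts for the two host indicators the write-up names: an Edge.exe process loading an msedge.dll from outside the expected Microsoft Edge install tree (the side-loading step described above) and creation of the "OopsCharonHere" mutex. The event records, their field names (loosely modelled on Sysmon image-load events plus a hypothetical mutex-creation record as an EDR might emit), and the list of expected Edge directories are assumptions constructed for this example; a real deployment would feed it exported telemetry.

```python
"""Hunt for two Charon host indicators over constructed event records.

Checks (both drawn from the write-up):
  1. Edge.exe / msedge.exe loading msedge.dll from a directory that is not
     the expected Microsoft Edge install tree, or an msedge.dll that is not
     reported as signed (the DLL side-loading step).
  2. Creation of the mutex "OopsCharonHere".
Field names follow Sysmon's image-load event (Image, ImageLoaded, Signed)
plus a hypothetical MutexName/ProcessId record; these are assumptions.
"""
import ntpath
from typing import Dict, Iterable, List, Optional

# Assumption: directories where a genuine Microsoft Edge install keeps its
# binaries (versioned subfolders live underneath the Application folder).
EXPECTED_EDGE_DIRS = (
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
)
CHARON_MUTEX = "OopsCharonHere"  # mutex name reported in the write-up


def _norm_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path, without trailing slash."""
    return ntpath.dirname(path).lower().rstrip("\\")


def _under_expected_dir(path: str) -> bool:
    d = _norm_dir(path)
    return any(d == base or d.startswith(base + "\\") for base in EXPECTED_EDGE_DIRS)


def check_image_load(event: Dict) -> Optional[str]:
    """Flag an Edge process that loads msedge.dll from an unexpected place
    or loads an msedge.dll that the sensor did not report as signed."""
    image = ntpath.basename(event.get("Image", "")).lower()
    loaded = event.get("ImageLoaded", "")
    if image not in ("edge.exe", "msedge.exe"):
        return None
    if ntpath.basename(loaded).lower() != "msedge.dll":
        return None
    signed = str(event.get("Signed", "")).lower() == "true"
    if _under_expected_dir(loaded) and signed:
        return None
    return f"possible DLL side-load: {event['Image']} loaded {loaded} (signed={signed})"


def check_mutex(event: Dict) -> Optional[str]:
    """Flag creation of the Charon mutex."""
    if event.get("MutexName") == CHARON_MUTEX:
        return f"Charon mutex {CHARON_MUTEX!r} created by PID {event.get('ProcessId')}"
    return None


def hunt(events: Iterable[Dict]) -> List[str]:
    """Run every check over every event and collect the findings."""
    findings: List[str] = []
    for ev in events:
        for check in (check_image_load, check_mutex):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: one benign Edge load, one side-load from a
# user-writable folder, one Charon mutex, one unrelated mutex, one Chrome load.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 1200,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\120.0.0.0\msedge.dll",
     "Signed": "true"},
    {"EventID": 7, "ProcessId": 4242,
     "Image": r"C:\Users\Public\Edge.exe",
     "ImageLoaded": r"C:\Users\Public\msedge.dll",
     "Signed": "false"},
    {"EventID": 9001, "ProcessId": 4242, "MutexName": "OopsCharonHere"},
    {"EventID": 9001, "ProcessId": 808, "MutexName": "Global\\SomeUpdaterLock"},
    {"EventID": 7, "ProcessId": 300,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\chrome.dll",
     "Signed": "true"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Running the script over the constructed events reports exactly two findings: the unsigned msedge.dll loaded from C:\Users\Public and the OopsCharonHere mutex from the same PID, which is the pairing an analyst would want to see correlated before escalating.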
The experts speculate that the campaign was targeted, as shown by a ransom note naming the victim organization, an uncommon tactic in typical ransomware attacks. This suggests that the threat actor may have been trying to create a false flag or copycat operation, but it is unclear whether this is indeed the case.
Overall, the discovery of Charon ransomware highlights the growing sophistication and threat landscape in the world of cybersecurity. As APT methods continue to converge with ransomware, organizations must take proactive measures to protect themselves against these emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Charon-Ransomware-Attacks-Middle-East-Public-Sector-and-Aviation-Industry-with-Advanced-Persistent-Threat-APT-Style-Tactics-ehn.shtml
https://securityaffairs.com/181098/malware/charon-ransomware-targets-middle-east-with-apt-attack-methods.html
https://thehackernews.com/2025/08/charon-ransomware-hits-middle-east.html
Published: Wed Aug 13 05:00:52 2025 by llama3.2 3B Q4_K_M