Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics - The Hacker News

Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics Ravie LakshmananAug 13, 2025Endpoint Security / Cybercrime Cybersecurity researchers have discovered a new campaign that employs a previously undocumented ransomware family called Charon to target the Middle East's public sector and aviation industry. The threat actor behind the activity, according to Trend Micro, exhibited tactics mirroring those of advanced persistent threat (APT) groups, such as DLL side-loading, process injection, and the ability to evade endpoint detection and response (EDR) software. The DLL side-loading techniques resemble those previously documented as part of attacks orchestrated by a China-linked hacking group called Earth Baxia, which was flagged by the cybersecurity company as targeting government entities in Taiwan and the Asia-Pacific region to deliver a backdoor known as EAGLEDOOR following the exploitation of a now-patched security flaw affecting OSGeo GeoServer GeoTools. "The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload," researchers Jacob Santos, Ted Lee, Ahmed Kamal, and Don Ovid Ladore said. Like other ransomware binaries, Charon is capable of disruptive actions that terminate security-related services and running processes, as well as delete shadow copies and backups, thereby minimizing the chances of recovery. It also employs multithreading and partial encryption techniques to make the file-locking routine faster and more efficient. Another notable aspect of the ransomware is the use of a driver compiled from the open-source Dark-Kill project to disable EDR solutions by means of what's called a bring your own vulnerable driver (BYOVD) attack. However, this functionality is never triggered during the execution, suggesting that the feature is likely under development. There is evidence to suggest that the campaign was targeted rather than opportunistic. This stems from the use of a customized ransom note that specifically calls out the victim organization by name, a tactic not observed in traditional ransomware attacks. It's currently not known how the initial access was obtained. Despite the technical overlaps with Earth Baxia, Trend Micro has emphasized that this could mean one of three things - Direct involvement of Earth Baxia A false flag operation designed to deliberately imitate Earth Baxia's tradecraft, or A new threat actor that has independently developed similar tactics "Without corroborating evidence such as shared infrastructure or consistent targeting patterns, we assess this attack demonstrates limited but notable technical convergence with known Earth Baxia operations," Trend Micro pointed out. Regardless of the attribution, the findings exemplify the ongoing trend of ransomware operators increasingly adopting sophisticated methods for malware deployment and defense evasion, further blurring the lines between cybercrime and nation-state activity. "This convergence of APT tactics with ransomware operations poses an elevated risk to organizations, combining sophisticated evasion techniques with the immediate business impact of ransomware encryption," the researchers concluded. The disclosure comes as eSentire detailed an Interlock ransomware campaign that leveraged ClickFix lures to drop a PHP-based backdoor that, in turn, deploys NodeSnake (aka Interlock RAT) for credential theft and a C-based implant that supports attacker-supplied commands for further reconnaissance and ransomware deployment. "Interlock Group employs a complex multi-stage process involving PowerShell scripts, PHP/NodeJS/C backdoors, highlighting the importance of monitoring suspicious process activity, LOLBins, and other TTPs," the Canadian company said. The findings show that ransomware continues to be an evolving threat, even as victims continue to pay ransoms to quickly recover access to systems. Cybercriminals, on the other hand, have begun resorting to physical threats and DDoS attacks as a way of putting pressure on victims. Statistics shared by Barracuda show that 57% of organizations experienced a successful ransomware attack in the last 12 months, of which 71% that had experienced an email breach were also hit with ransomware. What's more, 32% paid a ransom, but only 41% of the victims got all their data back. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Advanced Persistent Threat, Cybercrime, cybersecurity, data breach, endpoint security, Malware, ransomware Trending News Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Load More ▼ Popular Resources 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps Identity Controls Checklist: Find Missing Protections in Apps Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths