Charon Ransomware Leverages APT-Style Tactics in Targeted Attacks
Summary
A new ransomware family, Charon, has been observed using advanced persistent threat (APT)-style tactics in targeted attacks against the Middle East's public sector and aviation industry. Its attack chain abuses a legitimate, signed browser binary (Edge.exe) to sideload a malicious DLL, which extracts the ransomware payload in multiple stages from encrypted shellcode and injects it into another process; the sample also carries anti-EDR capabilities. Before encrypting, Charon terminates security-related services and processes and deletes shadow copies and backups to reduce the chance of recovery, then uses multithreading and partial encryption to encrypt quickly. Its ransom note is customized to name the victim organization, which points to a deliberately targeted operation rather than opportunistic spread. The campaign shows technical overlaps with the China-backed Earth Baxia group, but attribution remains uncertain; the tradecraft itself indicates a high level of operational capability. The combination of APT-grade evasion with the immediate impact of file encryption makes Charon a significant risk to operational continuity and data integrity.
Timeline
- 13.08.2025 08:45 · 1 article · 1mo ago
Charon Ransomware Campaign Exhibits Technical Overlaps with Earth Baxia
The Charon ransomware campaign exhibits technical overlaps with the Earth Baxia APT group, but the link is unconfirmed: the evidence is consistent with direct Earth Baxia involvement, a false flag operation, or a new threat actor. The campaign was clearly targeted, and its initial access method is still unknown. The convergence of APT tradecraft with ransomware operations raises the risk to organizations, pairing sophisticated evasion techniques with the immediate business impact of ransomware encryption.
Sources:
- Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
- 12.08.2025 17:45 · 2 articles · 1mo ago
Charon Ransomware Targets Middle East Public Sector and Aviation
Charon ransomware, observed in the wild for the first time, targets the Middle East's public sector and aviation industry. The attack chain uses a legitimate Edge.exe binary to sideload a malicious DLL, which decrypts the ransomware payload from encrypted shellcode and injects it into another process; the sample also carries anti-EDR capabilities, including a driver from the Dark-Kill project loaded via a BYOVD (bring your own vulnerable driver) attack to disable EDR solutions. Before encrypting, Charon terminates security-related services and running processes and deletes shadow copies and backups to minimize recovery chances, then encrypts using multithreading and partial encryption. The campaign was targeted: the ransom note is customized to call out the victim organization by name. It exhibits technical overlaps with the Earth Baxia APT group, consistent with direct involvement, a false flag operation, or a new threat actor.
Sources:
- Charon Ransomware Emerges With APT-Style Tactics · www.darkreading.com · 12.08.2025 17:45
- Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
Information Snippets
- Charon ransomware targets the Middle East's public sector and aviation industry.
  First reported: 12.08.2025 17:45 · 2 sources, 2 articles. Sources:
  - Charon Ransomware Emerges With APT-Style Tactics · www.darkreading.com · 12.08.2025 17:45
  - Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
- Charon uses DLL sideloading, process injection, and anti-EDR capabilities.
  First reported: 12.08.2025 17:45 · 2 sources, 2 articles. Sources:
  - Charon Ransomware Emerges With APT-Style Tactics · www.darkreading.com · 12.08.2025 17:45
  - Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
- The attack chain uses a legitimate Edge.exe binary to sideload a malicious DLL.
  First reported: 12.08.2025 17:45 · 2 sources, 2 articles. Sources:
  - Charon Ransomware Emerges With APT-Style Tactics · www.darkreading.com · 12.08.2025 17:45
  - Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
- Charon extracts its payload in multiple stages from encrypted shellcode.
  First reported: 12.08.2025 17:45 · 2 sources, 2 articles. Sources:
  - Charon Ransomware Emerges With APT-Style Tactics · www.darkreading.com · 12.08.2025 17:45
  - Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
- The ransomware's custom ransom note references the victim organization by name.
  First reported: 12.08.2025 17:45 · 2 sources, 2 articles. Sources:
  - Charon Ransomware Emerges With APT-Style Tactics · www.darkreading.com · 12.08.2025 17:45
  - Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
- Charon's tactics overlap with those of the Earth Baxia APT group, but attribution remains uncertain.
  First reported: 12.08.2025 17:45 · 2 sources, 2 articles. Sources:
  - Charon Ransomware Emerges With APT-Style Tactics · www.darkreading.com · 12.08.2025 17:45
  - Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
- The ransomware poses significant risk of operational disruption, data loss, and financial cost.
  First reported: 12.08.2025 17:45 · 1 source, 1 article. Sources:
  - Charon Ransomware Emerges With APT-Style Tactics · www.darkreading.com · 12.08.2025 17:45
- Charon ransomware terminates security-related services and running processes.
  First reported: 13.08.2025 08:45 · 1 source, 1 article. Sources:
  - Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
- Charon ransomware deletes shadow copies and backups to minimize recovery chances.
  First reported: 13.08.2025 08:45 · 1 source, 1 article. Sources:
  - Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
- Charon ransomware employs multithreading and partial encryption techniques.
  First reported: 13.08.2025 08:45 · 1 source, 1 article. Sources:
  - Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
- Charon ransomware uses a driver from the Dark-Kill project to disable EDR solutions via a BYOVD (bring your own vulnerable driver) attack.
  First reported: 13.08.2025 08:45 · 1 source, 1 article. Sources:
  - Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
- The campaign was targeted: the customized ransom note calls out the victim organization by name.
  First reported: 13.08.2025 08:45 · 1 source, 1 article. Sources:
  - Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
- The initial access method for the Charon ransomware campaign is unknown.
  First reported: 13.08.2025 08:45 · 1 source, 1 article. Sources:
  - Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
- The Charon ransomware campaign exhibits technical overlaps with the Earth Baxia APT group.
  First reported: 13.08.2025 08:45 · 1 source, 1 article. Sources:
  - Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
- The Charon ransomware campaign may reflect direct involvement of Earth Baxia, a false flag operation, or a new threat actor.
  First reported: 13.08.2025 08:45 · 1 source, 1 article. Sources:
  - Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics · thehackernews.com · 13.08.2025 08:45
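The snippet above noting that Charon encrypts with multithreading and partial encryption has a detection consequence worth making concrete: a file whose plaintext is mostly left intact does not cross a whole-file entropy threshold, so canary-file or scanner logic that only measures whole-file randomness misses it. The following is an added example written for this page, not code from the original articles or from any vendor; it measures Shannon entropy per 4 KiB chunk and flags a file that mixes near-random and plaintext chunks. The sample document is constructed, and the encrypted stripes are simulated with os.urandom rather than any cipher; Charon's actual chunk size and stripe pattern are not stated on the page, so the 1-in-4 stripe is an assumption for the demo.

```python
"""Why partial (intermittent) encryption defeats whole-file entropy checks,
and how per-chunk entropy still catches it (added example, constructed data).
"""
import math
import os
from collections import Counter

CHUNK = 4096  # assumed chunk size for the demo; Charon's real value is not on the page


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Entropy of each fixed-size slice of the file, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def looks_partially_encrypted(data: bytes, chunk: int = CHUNK,
                              high: float = 7.5, min_fraction: float = 0.1) -> dict:
    """Flag a file in which some chunks are near-random while others still look
    like plaintext. Both conditions are required: an all-random file is simply a
    compressed or encrypted file and is left to other heuristics."""
    ents = chunk_entropies(data, chunk)
    high_chunks = sum(1 for e in ents if e >= high)
    low_chunks = len(ents) - high_chunks
    fraction = high_chunks / len(ents) if ents else 0.0
    return {
        "whole_file_entropy": shannon_entropy(data),
        "chunks": len(ents),
        "high_entropy_chunks": high_chunks,
        "suspicious": high_chunks >= 1 and low_chunks >= 1 and fraction >= min_fraction,
    }


def simulate_intermittent_encryption(plaintext: bytes, chunk: int = CHUNK, every: int = 4) -> bytes:
    """Constructed stand-in for partial encryption: overwrite one chunk in `every`
    with random bytes and leave the rest of the file untouched. This is a
    simulation with os.urandom, not a cipher and not the ransomware's routine."""
    out = bytearray(plaintext)
    for start in range(0, len(out), chunk * every):
        out[start:start + chunk] = os.urandom(min(chunk, len(out) - start))
    return bytes(out)


# Constructed sample: 64 KiB of repetitive, low-entropy "document" text.
SAMPLE_PLAINTEXT = (b"Quarterly maintenance schedule for runway lighting, revision 3.\r\n" * 1024)[:65536]

if __name__ == "__main__":
    encrypted = simulate_intermittent_encryption(SAMPLE_PLAINTEXT)
    for label, blob in (("clean", SAMPLE_PLAINTEXT), ("striped", encrypted)):
        verdict = looks_partially_encrypted(blob)
        print(f"{label}: whole-file entropy {verdict['whole_file_entropy']:.2f}, "
              f"{verdict['high_entropy_chunks']}/{verdict['chunks']} high-entropy chunks, "
              f"suspicious={verdict['suspicious']}")
```

The striped file's whole-file entropy stays well under a typical 7.5 bits/byte "encrypted" threshold because three quarters of its bytes are still plaintext, yet four of its sixteen chunks are individually near 8.0; a monitor that keys on the chunk profile rather than the aggregate keeps working against this encryption mode.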
Similar Happenings
New HybridPetya Ransomware Exploits UEFI Secure Boot Bypass Vulnerability
A new ransomware variant, HybridPetya, has been discovered. It resembles Petya/NotPetya but adds a UEFI Secure Boot bypass using CVE-2024-7344, a vulnerability patched in January 2025. HybridPetya consists of an installer and a UEFI bootkit: the installer writes the bootkit to the EFI System Partition, keeping backups of the legitimate bootloaders, and triggers a system crash during the bootloader changes so that the bootkit binary executes on the next boot. The bootkit encrypts the Master File Table (MFT) of NTFS-formatted partitions while displaying a fake CHKDSK message, and also manages decryption: the ransom note demands $1,000 in Bitcoin and lets the victim enter a decryption key after payment, which triggers decryption and restores the original bootloaders from the backups. Samples were uploaded to VirusTotal in February 2025 with no evidence of active use in the wild, and the associated wallet received a total of $183.32 between February and May 2025. HybridPetya may be a research project, proof of concept, or an early version of a cybercrime tool under limited testing. It combines the destructive capabilities of NotPetya, the recoverable encryption of Petya, and the ability to bypass Secure Boot protections. Because the malicious UEFI payload lives in the EFI System Partition and runs before the operating system, it is hard for security teams to detect; HybridPetya highlights the growing threat from UEFI bootkits that operate at the level of a computer's startup sequence.
Resurfaced ChillyHell macOS Backdoor Discovered
A new version of the ChillyHell modular backdoor targeting macOS has been discovered. First seen in 2022 in attacks against Ukrainian officials, the malware has resurfaced with updated capabilities, providing remote access, payload delivery, and password brute-forcing. The sample was notarized by Apple in 2021 and has been publicly hosted on Dropbox since then. It disguises itself as an executable applet, deploys as a persistent backdoor with multiple persistence mechanisms, retrieves sensitive data, communicates over several protocols, and uses timestomping (altering file timestamps) to cover its tracks. After being notified, Apple revoked the notarization of the developer certificates associated with the malware. ChillyHell is written in C++ and targets Intel architectures. It is attributed to an uncategorized threat cluster tracked as UNC4487, which has been active since at least October 2022 and is suspected to be an espionage actor targeting Ukrainian government entities.
AI-Powered Ransomware 'PromptLock' Under Development
A new AI-powered ransomware strain named 'PromptLock' has been discovered by ESET researchers. It prompts an AI model to generate its attack scripts on the fly, so the code it runs can differ from one execution to the next, which complicates signature-based detection. The malware is still in development and has not been observed in active attacks. It is designed to exfiltrate files, encrypt data, and potentially destroy files. The sample was uploaded to VirusTotal from the United States and is written in Go, with variants for Windows, Linux, and macOS. The Bitcoin address embedded in PromptLock appears to belong to Satoshi Nakamoto. PromptLock encrypts files with the SPECK 128-bit block cipher and can generate custom ransom notes based on the files affected and the type of machine infected.
MixShell Malware Targets U.S. Supply Chain Manufacturers via Contact Forms
A sophisticated social engineering campaign, codenamed ZipLine, is targeting supply chain-critical manufacturing companies in the U.S. and other countries with MixShell, an in-memory malware. Attackers initiate contact through public 'Contact Us' forms, building trust over weeks before delivering a weaponized ZIP file. The campaign primarily targets industrial manufacturing, hardware, semiconductors, biotechnology, and pharmaceuticals. The malware uses DNS-based command-and-control (C2) channels, in-memory execution, and multi-stage payloads to evade detection. The attack chain involves a Windows shortcut (LNK) triggering a PowerShell loader, which deploys the MixShell implant. The campaign poses risks including intellectual property theft, ransomware attacks, and supply chain disruptions. The attackers use abandoned or dormant domains to increase trust and bypass security filters. The fake company websites used in the campaign are cloned from a single template, featuring stock images of White House butlers. The malicious ZIP file contains real PDF and DOCX files related to the topic of discussion, enhancing credibility. The PowerShell script used in the attack sets up long-term persistence by altering the system registry and periodically checks for the payload's activity.
HOOK Android Trojan Adds Ransomware Overlays, Expands to 107 Remote Commands
A new variant of the HOOK Android banking trojan has been discovered, featuring ransomware-style overlay screens to display extortion messages. This variant can deploy full-screen ransomware overlays, steal credentials, and execute 107 remote commands, including capturing user gestures and mimicking NFC and Google Pay interfaces. HOOK is distributed through phishing websites, GitHub repositories, and other malicious channels, posing a significant risk to financial institutions and users. The malware is believed to be an offshoot of the ERMAC banking trojan, which had its source code leaked. The new variant includes features to send SMS messages, stream the victim's screen, capture photos, and steal cryptocurrency wallet information. The evolution of HOOK highlights the convergence of banking trojans with spyware and ransomware tactics.