Charon ransomware targeted attack with APT-style DLL sideloading
Malware Activity
Summary
The Charon ransomware family has been observed in a targeted attack against Middle East public-sector and aviation organizations, marking its first confirmed appearance in the wild and posing an immediate risk of file encryption for similar targets. The operation used APT-style tradecraft rather than simple commodity delivery, including DLL sideloading and process injection, and employed anti-EDR capabilities to reduce detection and improve persistence. The payload chain points to a more advanced ransomware operator that can blend malicious activity into legitimate Windows processes.
Related Happenings
YiBackdoor malware activity with limited deployments
Malware Activity
First: 24.09.2025 14:28
Last: 24.09.2025 14:28
Sources 1
About this happening:
The newly disclosed **YiBackdoor** malware activity matters because the loader has **limited deployments** but can **execute arbitrary commands**, **collect system information**,...
MalTerminal LLM-enabled malware analysis
Technical Analysis
First: 20.09.2025 08:48
Last: 20.09.2025 08:48
Sources 1
About this happening:
Researchers identified **MalTerminal** as the earliest known **LLM-enabled malware**, showing how a Windows sample can generate **ransomware code** or a **reverse shell** at runti...
SnakeDisk USB worm drops Yokai on Thailand IPs
Malware Activity
First: 15.09.2025 21:45
Last: 15.09.2025 21:45
Sources 1
About this happening:
The **SnakeDisk** USB worm now adds a geofenced propagation path that can **drop the Yokai backdoor** on hosts with **Thailand-based IPs**, increasing the risk of localized compro...
The Gentlemen ransomware vendor-specific AV/EDR bypass activity
Malware Activity
First: 11.09.2025 23:42
Last: 11.09.2025 23:42
Sources 1
About this happening:
The **Gentlemen ransomware** gang is now abusing **ThrottleStop.sys** and related tools to kill **AV** and **EDR** defenses, increasing the chance that encrypted attacks reach tar...
Timeline
12.08.2025 17:45 · 1 article
Charon ransomware disclosed in targeted Middle East attack
Initial Disclosure: Trend Micro disclosed Charon as a new ransomware family observed in a targeted attack against organizations in the Middle East public sector and aviation industry, describing APT-style tradecraft that included DLL sideloading, process injection, anti-EDR capabilities, and a custom ransom note referencing the victim organization by name. The campaign used Edge.exe, originally named cookie_exporter.exe, to sideload a malicious msedge.dll (SWORDLDR) that deployed the Charon payload into svchost.exe. Analysis also noted a multistage extraction path involving DumpStack.log, plus technical overlap with Earth Baxia, while stopping short of definitive attribution.
- Charon Ransomware Emerges With APT-Style Tactics — www.darkreading.com — 12.08.2025 17:45
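The sideloading layout described in the timeline entry (a legitimately signed EXE copied to a new location and loading a same-named DLL from its own directory instead of the product's install path) is something defenders can hunt for in image-load telemetry. The following is an added detection example written for this page; it is not code from Trend Micro or from the article, and it uses constructed events. The expected install directory for msedge.dll, the user-writable path hints, and the `ImageLoad` field layout are assumptions chosen for illustration, and the OriginalFilename value for the renamed loader is taken from the page's statement that Edge.exe was originally named cookie_exporter.exe.

```python
"""Heuristic detector for DLL sideloading in image-load telemetry.

Added example, not code from the article or vendor. Input events are
constructed; the expected DLL locations below are assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Set, Tuple

# Assumed map of DLL basename -> directories where the legitimate copy lives.
# A real deployment would build this from a software inventory, not hard-code it.
KNOWN_DLL_HOMES: Dict[str, Set[str]] = {
    "msedge.dll": {
        r"c:\program files\microsoft\edge\application",
        r"c:\program files (x86)\microsoft\edge\application",
    },
}

# Path fragments that indicate a directory a standard user can write to.
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


@dataclass(frozen=True)
class ImageLoad:
    pid: int
    process_path: str       # on-disk image of the process performing the load
    original_filename: str  # OriginalFilename from the process PE version info
    module_path: str        # DLL that was mapped into the process


def _dir_of(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def score_load(ev: ImageLoad) -> List[str]:
    """Return the reasons a load looks like sideloading; empty list means clean.

    The first signal (a tracked DLL loaded from outside its install directory)
    gates the others, so an ordinary app in %AppData% loading system DLLs is
    not flagged merely for living in a user-writable location.
    """
    reasons: List[str] = []
    mod_name = _basename(ev.module_path)
    mod_dir = _dir_of(ev.module_path)
    proc_dir = _dir_of(ev.process_path)

    homes = KNOWN_DLL_HOMES.get(mod_name)
    if homes is None or mod_dir in homes:
        return reasons  # untracked DLL, or loaded from where it belongs

    reasons.append(f"{mod_name} loaded from {mod_dir}, not a known install dir")
    if mod_dir == proc_dir:
        reasons.append("DLL sits beside the loading EXE (classic sideload layout)")
    if any(hint in proc_dir + "\\" for hint in USER_WRITABLE_HINTS):
        reasons.append("loading EXE runs from a user-writable directory")
    if ev.original_filename and _basename(ev.process_path) != ev.original_filename.lower():
        reasons.append(
            f"on-disk name {_basename(ev.process_path)} differs from "
            f"PE OriginalFilename {ev.original_filename.lower()}"
        )
    return reasons


def find_sideload_candidates(events: List[ImageLoad]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every event that scores at least one reason."""
    hits = []
    for ev in events:
        reasons = score_load(ev)
        if reasons:
            hits.append((ev.pid, reasons))
    return hits


# Constructed sample telemetry: one legitimate Edge load, one sideload layout
# matching the pattern the article describes, one unrelated system load.
SAMPLE_EVENTS = [
    ImageLoad(100, r"c:\program files\microsoft\edge\application\msedge.exe",
              "msedge.exe", r"c:\program files\microsoft\edge\application\msedge.dll"),
    ImageLoad(4242, r"c:\users\alice\appdata\local\temp\Edge.exe",
              "cookie_exporter.exe", r"c:\users\alice\appdata\local\temp\msedge.dll"),
    ImageLoad(300, r"c:\windows\system32\svchost.exe",
              "svchost.exe", r"c:\windows\system32\kernel32.dll"),
]

if __name__ == "__main__":
    for pid, reasons in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"pid {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

Run against the constructed events, only pid 4242 is reported, with all four reasons. The gating on the DLL-location anomaly is the design choice that keeps the heuristic usable: the later signals (DLL beside the EXE, user-writable directory, OriginalFilename mismatch) are individually common in benign software and only become meaningful once a tracked DLL has been loaded from an unexpected place.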