
Charon Ransomware Targets Middle East Public Sector and Aviation with APT-Style Tactics

2 unique sources, 2 articles

Summary


Charon ransomware, a newly identified threat, has been observed targeting the Middle East's public sector and aviation industry. It employs techniques more typical of advanced persistent threat (APT) groups than of commodity ransomware: DLL sideloading, process injection, and anti-EDR capabilities. The attack chain abuses a legitimate Edge.exe binary to load the malicious DLL that deploys the ransomware payload. Its custom ransom note references the victim organization by name, which points to a targeted rather than opportunistic operation. The tradecraft overlaps with that of the Earth Baxia APT group, although definitive attribution remains uncertain. Once running, the ransomware terminates security-related services and processes, deletes shadow copies and backups, and uses multithreading and partial encryption to lock files faster, posing a significant risk to operational continuity and data integrity. The campaign may reflect direct involvement of Earth Baxia, a false flag operation, or a new threat actor using similar tactics.

Timeline

  1. 12.08.2025 17:45 · 2 articles

    Charon Ransomware Targets Middle East Public Sector and Aviation

    The ransomware terminates security-related services and running processes to reduce the victim's chances of recovery, and uses multithreading and partial encryption to lock files faster. The campaign may reflect direct involvement of Earth Baxia, a false flag operation, or a new threat actor using similar tactics. The initial access method for Charon remains unknown. The sample also carries a driver from the Dark-Kill project intended to disable EDR solutions through a BYOVD (bring your own vulnerable driver) attack; this functionality is not triggered during execution, which suggests it is still under development.



Similar Happenings

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

In September 2025, SonicWall disclosed a security breach affecting MySonicWall accounts that exposed firewall configuration backup files for less than 5% of its customers. The breach was caused by a series of brute-force attacks against the cloud backup API service, which SonicWall confirmed the attackers accessed. The exposed files may contain sensitive information, such as credentials and tokens for services running on SonicWall devices, which could make exploitation of the affected firewalls easier for threat actors. SonicWall has advised customers to reset credentials, update secrets, and follow its detailed remediation guidance; the company has cut off the attackers' access and is collaborating with cybersecurity and law enforcement agencies. There is no evidence at this time that threat actors have used the exposed data against impacted customers. Separately, SonicWall has released a firmware update to remove rootkit malware from SMA 100 series devices, and the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds.
The threat actor UNC6148 has been deploying OVERSTEP, a previously unknown persistent backdoor and user-mode rootkit, to maintain access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and hide its files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances; other vulnerabilities potentially exploited include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and recurring access following patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v instances, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates whose private keys were stored on the appliance.

HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344

HybridPetya, a ransomware that can bypass UEFI Secure Boot via CVE-2024-7344, has been discovered. It resembles Petya/NotPetya and exploits a flaw in the Microsoft-signed Howyar Reloader UEFI application to deploy a malicious EFI application. It encrypts the Master File Table (MFT) on NTFS-formatted partitions and consists of a bootkit and an installer. The ransomware was first uploaded to VirusTotal in February 2025 and has received payments totaling $183.32. HybridPetya combines characteristics of Petya and NotPetya, using a bootkit with three states: ready for encryption, already encrypted, and decrypted after ransom payment. It uses the Salsa20 encryption algorithm and creates a counter file to track encrypted disk clusters. The ransom note demands $1,000 in Bitcoin, and the decryption process restores the legitimate bootloaders. The installer replaces the original Windows bootloader, removes the default bootloader file, triggers a BSOD, and forces a system reboot to execute the malicious bootkit, which displays a fake CHKDSK message during encryption. Upon completion it demands a Bitcoin payment and provides a 32-character key for decryption and system restoration. Microsoft fixed CVE-2024-7344 in the January 2025 Patch Tuesday, so updated Windows systems are protected from HybridPetya. Offline backups remain a solid practice against ransomware.

APT28 deploys NotDoor backdoor via Microsoft Outlook

APT28, a Russian state-sponsored threat group, has been identified deploying a new backdoor named NotDoor through Microsoft Outlook. The malware abuses Outlook for covert command and control, data exfiltration, and malware delivery: it is triggered by specific words in incoming emails, allowing attackers to execute commands on the victim's computer. NotDoor is delivered via DLL sideloading against a legitimate signed binary, Microsoft's OneDrive.exe. It runs Base64-encoded PowerShell commands for various functions, including disabling macro security defenses and enabling macro execution. The backdoor maintains persistent access to the targeted system and can exfiltrate data through email attachments or upload malicious files. It has been used against multiple companies from different sectors in NATO member countries. The malware creates a staging folder at %TEMP%\Temp to store files pending exfiltration and supports commands for executing commands, exfiltrating files, and uploading files to the victim's computer.

Akira and Cl0p Lead Most Active Ransomware-as-a-Service Groups in 2025

The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024. Akira and Cl0p are the most active ransomware-as-a-service (RaaS) groups, targeting the manufacturing and technology sectors and, geographically, the US. The RaaS model lets lower-skilled actors launch attacks, contributing to the surge. New tactics include pure extortion, AI-assisted phishing, and exploitation of SonicWall SSL VPN vulnerabilities. Akira has targeted SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766), an improper access control issue in SonicWall firewalls, together with misconfigurations, leading to increased threat activity and unauthorized access. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of vulnerable Australian organizations through SonicWall devices. The recent increase in exploitation of CVE-2024-40766 over the past three months has been linked to incomplete remediation and misconfigurations, and SonicWall advises immediate patching and additional security measures. Akira operators are targeting SSL VPN accounts that use a one-time password (OTP) as the multi-factor authentication (MFA) option. Arctic Wolf observed dozens of incidents involving VPN client logins from VPS hosting providers, network scanning, Impacket SMB activity, and Active Directory discovery. Akira's dwell times are among the shortest recorded for ransomware, measured in hours. Akira affiliates used pre-installed, legitimate utilities to evade detection, including the Datto RMM tool on a domain controller to execute a PowerShell script and gain full control over the server. The attackers modified registry settings to evade detection, turned off security features, and dropped various files, including scripts that modified firewall rules.

Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack

The Shai-Hulud attack, a self-replicating malware campaign, has compromised at least 187 npm packages across multiple maintainers. The malware propagates by infecting other packages belonging to the same maintainer: it modifies package.json, injects a bundle.js script, repacks the archive, and republishes it. It uses TruffleHog to search the host for tokens and cloud credentials, creates unauthorized GitHub Actions workflows within repositories, and exfiltrates the harvested data to a hardcoded webhook endpoint. The campaign is named 'Shai-Hulud' after the shai-hulud.yaml workflow files the malware creates, and it follows the 's1ngularity' attack, potentially orchestrated by the same attackers. That earlier attack unfolded in three phases, impacting 2,180 accounts and 7,200 repositories. The first phase, between August 26 and 27, directly impacted 1,700 users, leaking over 2,000 unique secrets and exposing 20,000 files. The second phase, between August 28 and 29, compromised an additional 480 accounts, mostly organizations, and exposed 6,700 private repositories. The third phase, beginning on August 31, targeted a single victim organization and published an additional 500 private repositories. The attackers used AI-powered CLI tools such as Claude, Q, and Gemini to dynamically scan for high-value secrets, tuning their prompts for better results.