Charon Ransomware Uses APT-Style Tactics in Targeted Attacks

📰 2 unique sources, 2 articles

Summary

A new ransomware family, Charon, has emerged, targeting organizations in the Middle East's public sector and aviation industry. Charon employs advanced techniques such as DLL sideloading, process injection, and anti-EDR capabilities, reminiscent of APT tactics. The ransomware leverages legitimate browser files to deploy its payload, posing a significant risk to businesses through operational disruptions, data loss, and financial costs. The attack chain involves a sophisticated method of evading detection and executing the ransomware payload, using encrypted shellcode and multistage payload extraction. Charon terminates security-related services and running processes, deletes shadow copies and backups, and employs multithreading and partial encryption techniques to expedite file-locking. The ransomware's tactics suggest a high level of sophistication, potentially linking it to known APT groups like Earth Baxia, although definitive attribution remains uncertain. The ransomware uses a driver from the Dark-Kill project to disable EDR solutions via a BYOVD attack, though this feature is not currently triggered. The campaign is targeted, using customized ransom notes that reference the victim organization by name.

Timeline

  1. 12.08.2025 17:45 📰 2 articles

    Charon Ransomware Targets Middle East Public Sector and Aviation Industry

    Charon ransomware has been observed in targeted attacks in the Middle East's public sector and aviation industry. The ransomware employs advanced techniques such as DLL sideloading, process injection, and anti-EDR capabilities, reminiscent of APT tactics. The attack chain involves a legitimate Edge.exe binary to sideload a malicious DLL, which deploys the ransomware payload. The ransomware uses multistage payload extraction via an encrypted shellcode within a benign log file, masquerading as a legitimate Windows service to bypass endpoint security controls. The ransomware terminates security-related services and running processes, deletes shadow copies and backups, and employs multithreading and partial encryption techniques to expedite file-locking. The campaign is targeted, using customized ransom notes that reference the victim organization by name. The initial access method for the attacks remains unknown. The ransomware's use of a driver from the Dark-Kill project to disable EDR solutions via a BYOVD attack is noted, although this feature is not currently triggered. The campaign exhibits technical overlaps with Earth Baxia, but definitive attribution remains uncertain.

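The behaviours in the chain above (the Edge.exe binary sideloading a DLL, shadow copy and backup deletion, security services being stopped) can be expressed as a small telemetry check. This is an added example, not code from the articles or from any vendor; the Sysmon-style events, paths, command-line patterns and service-name hints are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str              # "image_load", "process_create" or "service_stop"
    image: str = ""        # process performing the action
    loaded: str = ""       # DLL path (image_load only)
    signed: bool = True    # signature check result (image_load only)
    cmdline: str = ""      # command line (process_create only)
    service: str = ""      # service name (service_stop only)

# Assumed legitimate install roots for the Edge binary; DLLs loaded from elsewhere are suspicious.
EDGE_DIRS = ("c:\\program files (x86)\\microsoft\\edge\\",
             "c:\\program files\\microsoft\\edge\\")
# Assumed substrings of security/backup service names (heuristic, not exhaustive).
SECURITY_HINTS = ("defend", "sense", "edr", "antivirus", "backup")
# Shadow copy / backup catalog deletion commands typically issued before encryption (assumed).
BACKUP_TAMPER = [re.compile(p) for p in (
    r"vssadmin(?:\.exe)?\s+delete\s+shadows",
    r"wmic(?:\.exe)?\s+shadowcopy\s+delete",
    r"wbadmin(?:\.exe)?\s+delete\s+catalog")]

def analyze(events):
    """Return (rule, evidence) tuples for events matching the Charon-style chain."""
    findings = []
    for e in events:
        if e.kind == "image_load" and e.image.lower().endswith("edge.exe"):
            dll = e.loaded.lower()
            # Sideloading: Edge loads a DLL outside its install tree, or one that fails signing.
            if not dll.startswith(EDGE_DIRS) or not e.signed:
                findings.append(("edge_sideload", e.loaded))
        elif e.kind == "process_create":
            cl = " ".join(e.cmdline.lower().split())   # normalise case and spacing
            if any(r.search(cl) for r in BACKUP_TAMPER):
                findings.append(("backup_tamper", e.cmdline))
        elif e.kind == "service_stop":
            if any(h in e.service.lower() for h in SECURITY_HINTS):
                findings.append(("security_service_stop", e.service))
    return findings

# Constructed sample telemetry (not from the articles).
SAMPLE = [
    Event("image_load", "C:\\Users\\Public\\Edge.exe", "C:\\Users\\Public\\msedge.dll", signed=False),
    Event("image_load", "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
          "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\chrome_elf.dll", signed=True),
    Event("process_create", "C:\\Users\\Public\\Edge.exe", cmdline="vssadmin.exe  Delete Shadows /All /Quiet"),
    Event("process_create", "C:\\Windows\\explorer.exe", cmdline="notepad.exe C:\\Temp\\notes.log"),
    Event("service_stop", "C:\\Users\\Public\\Edge.exe", service="WinDefend"),
    Event("service_stop", "C:\\Windows\\System32\\services.exe", service="Spooler"),
]

if __name__ == "__main__":
    for rule, evidence in analyze(SAMPLE):
        print(f"{rule}: {evidence}")
```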

Similar Happenings

ChillyHell macOS Backdoor Resurfaces with New Capabilities

The ChillyHell macOS backdoor malware, initially observed in 2022, has resurfaced with a new version. This modular backdoor allows attackers remote access and the ability to drop payloads, brute-force passwords, and evade detection. The malware, disguised as an executable applet, was discovered on VirusTotal and had been publicly hosted on Dropbox since 2021. The malware employs multiple persistence mechanisms and communicates over various protocols, making it highly flexible. It can exfiltrate data, drop additional payloads, and enumerate user accounts. Apple has revoked the notarization of the developer certificates associated with the malware. The resurgence of ChillyHell highlights the increasing threat landscape for macOS, emphasizing the need for robust security measures. A new Go-based remote access trojan (RAT) named ZynorRAT has been discovered, targeting Windows and Linux systems. ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration and system enumeration.

TAG-150 Expands Operations with CastleRAT in Python and C

The threat actor TAG-150, known for CastleLoader malware, has developed a new remote access trojan named CastleRAT. CastleRAT is available in both Python and C variants, and it is used to collect system information, execute commands, and download additional payloads. CastleRAT's development began in March 2025, and it is part of a multi-tiered infrastructure used by TAG-150. The malware is distributed through phishing attacks, fraudulent GitHub repositories, and other methods. The Python variant, also known as PyNightshade, and the C variant have different capabilities. The C variant includes keylogging, screenshot capture, file upload/download, and cryptocurrency clipper functionality. CastleRAT uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. TAG-150 has been active since at least March 2025, using CastleLoader as an initial access vector for various secondary payloads, including remote access trojans, information stealers, and other loaders. TAG-150's operations have targeted critical infrastructure, including U.S. government agencies, and have been linked to a Play Ransomware attack against a French organization. The group's MaaS operation is likely promoted within closed circles, indicating a sophisticated and connected user base. TAG-150 is likely to develop and release additional malware in the near term and expand its distribution efforts.

AI-Driven Ransomware Strain PromptLock Discovered

A new ransomware strain named PromptLock has been identified by ESET researchers. This strain leverages AI to generate malicious scripts in real-time, making it more difficult to detect and defend against. PromptLock is currently in development and has not been observed in active attacks. It can exfiltrate files, encrypt data, and is being upgraded to destroy files. The ransomware uses the gpt-oss:20b model from OpenAI via the Ollama API and is written in Go, targeting Windows, Linux, and macOS systems. The Bitcoin address associated with PromptLock appears to belong to Satoshi Nakamoto. PromptLock uses Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption. The ransomware can generate custom ransom notes based on the type of infected machine and uses the SPECK 128-bit encryption algorithm to lock files. PromptLock is assessed to be a proof-of-concept (PoC) rather than a fully operational malware deployed in the wild.

MixShell Malware Targets U.S. Supply Chain Manufacturers via Contact Forms

A sophisticated social engineering campaign dubbed ZipLine targets U.S. supply chain manufacturers with MixShell in-memory malware. Attackers initiate contact through companies' public 'Contact Us' forms, building trust over weeks before delivering malicious ZIP files. The campaign spans multiple sectors and countries, including Singapore, Japan, and Switzerland. The malware uses in-memory execution, DNS-based command-and-control (C2), and advanced evasion techniques. It exploits legitimate services like Heroku to blend with normal network activity, posing severe risks including intellectual property theft and supply chain disruptions. The threat actors use abandoned or dormant domains with legitimate business histories to bypass security filters and gain trust. The fake company websites used by attackers are cloned from a single template, featuring stock images of White House butlers as supposed founders. The malicious ZIP file contains real PDF and DOCX files related to the discussion topic, hosted on a Heroku subdomain.

HOOK Android Trojan Expands Capabilities with Ransomware Overlays and 107 Remote Commands

A new variant of the HOOK Android banking trojan has been discovered, featuring ransomware-style overlay screens to extort victims. This variant supports 107 remote commands, including new capabilities for capturing user gestures, stealing cryptocurrency wallet information, and displaying fake NFC overlays. The trojan is distributed via phishing websites, bogus GitHub repositories, and malicious APK files, posing a significant threat to financial institutions and users. The HOOK trojan is believed to be an offshoot of the ERMAC banking trojan, which had its source code leaked publicly. The trojan can display fake overlays on financial apps to steal credentials and abuse Android accessibility services for fraud and remote control. The latest version of HOOK includes commands for ransomware overlays, capturing user gestures, and stealing sensitive information like credit card details and lockscreen PINs. It also features transparent overlays to capture user gestures and screen-streaming sessions for real-time monitoring.