Find notable cyber news and cases, enriched with sources, timelines, and signals.

Charon ransomware activity targeting Middle East public sector and aviation industry

Malware Activity
First reported
Last updated
Happening score
H score 23
1 unique sources, 1 articles

Summary

Hide ▲

A previously undocumented Charon ransomware activity is now targeting the Middle East's public sector and aviation industry, increasing the risk of disruptive encryption and EDR evasion. The malware uses DLL side-loading and process injection to deliver its payload through a disguised execution chain. It can terminate security services, delete shadow copies and backups, and speed file locking with multithreading and partial encryption. A customized ransom note that names the victim organization suggests the operation is targeted rather than opportunistic.

Related Happenings

DragonForce campaign expands across multiple victims

Campaign
H score39 First: 03.12.2025 17:05 Last: 03.12.2025 17:05 Sources 1

About this happening: **DragonForce** is a **ransomware campaign** that pairs follow-on encryption with **Scattered Spider**-linked intrusion tradecraft against **high-value targets**. In **December 20...

BADAUDIO first-stage downloader activity

Malware Activity
H score43 First: 21.11.2025 12:42 Last: 21.11.2025 12:42 Sources 1

About this happening: The **BADAUDIO** malware is now documented as a **first-stage downloader** that can **decrypt and execute AES-encrypted payloads** from a hard-coded **C2 server**, increasing the...

Velociraptor DFIR abuse for ransomware persistence

Malware Activity
H score33 First: 09.10.2025 22:31 Last: 09.10.2025 22:31 Sources 1

About this happening: The **Velociraptor** DFIR tool is being abused in **ransomware attacks** tied to **Storm-2603** (aka **CL-CRI-1040**/**Gold Salem**), with **ToolShell** used for initial access to...

Storm-2603 Velociraptor-abuse ransomware campaign

Campaign
H score41 First: 09.10.2025 22:31 Last: 09.10.2025 22:31 Sources 1

About this happening: The **Storm-2603** campaign abuses **Velociraptor** as an intrusion enabler during **ransomware attacks**, using an outdated **Velociraptor 0.73.4.0** instance vulnerable to **CVE...

XWorm backdoor with expanded ransomware plugins

Malware Activity
H score28 First: 06.10.2025 14:42 Last: 06.10.2025 14:42 Sources 1

About this happening: The **XWorm** **Windows backdoor** is being redistributed in **phishing campaigns**, and newer builds **6.0, 6.4, and 6.5** expand its reach from theft to **remote control**, **fi...

Timeline

  1. 13.08.2025 08:45 1 articles · 11mo ago

    Trend Micro discloses Charon ransomware campaign targeting Middle East sectors

    Initial Disclosure

    Trend Micro disclosed a new Charon ransomware campaign targeting the Middle East's public sector and aviation industry, with delivery through Edge.exe (originally cookie_exporter.exe) sideloading malicious msedge.dll (SWORDLDR) to launch the payload. The malware can terminate security-related services and processes, delete shadow copies and backups, and use multithreading and partial encryption, while a Dark-Kill-based BYOVD capability for disabling EDR was present but not triggered. Researchers also noted DLL side-loading and process injection tactics that resemble Earth Baxia, but said the attribution remains uncertain.

    Show sources