Charon ransomware activity targeting Middle East public sector and aviation industry
Malware Activity
Summary
Hide ▲
Show ▼
A previously undocumented Charon ransomware activity is now targeting the Middle East's public sector and aviation industry, increasing the risk of disruptive encryption and EDR evasion. The malware uses DLL side-loading and process injection to deliver its payload through a disguised execution chain. It can terminate security services, delete shadow copies and backups, and speed file locking with multithreading and partial encryption. A customized ransom note that names the victim organization suggests the operation is targeted rather than opportunistic.
Related Happenings
DragonForce campaign expands across multiple victims
Campaign
H score39
First: 03.12.2025 17:05
Last: 03.12.2025 17:05
Sources 1
About this happening:
**DragonForce** is a **ransomware campaign** that pairs follow-on encryption with **Scattered Spider**-linked intrusion tradecraft against **high-value targets**. In **December 20...
DragonForce campaign expands across multiple victims
CampaignAbout this happening: **DragonForce** is a **ransomware campaign** that pairs follow-on encryption with **Scattered Spider**-linked intrusion tradecraft against **high-value targets**. In **December 20...
BADAUDIO first-stage downloader activity
Malware Activity
H score43
First: 21.11.2025 12:42
Last: 21.11.2025 12:42
Sources 1
About this happening:
The **BADAUDIO** malware is now documented as a **first-stage downloader** that can **decrypt and execute AES-encrypted payloads** from a hard-coded **C2 server**, increasing the...
BADAUDIO first-stage downloader activity
Malware ActivityAbout this happening: The **BADAUDIO** malware is now documented as a **first-stage downloader** that can **decrypt and execute AES-encrypted payloads** from a hard-coded **C2 server**, increasing the...
Velociraptor DFIR abuse for ransomware persistence
Malware Activity
H score33
First: 09.10.2025 22:31
Last: 09.10.2025 22:31
Sources 1
About this happening:
The **Velociraptor** DFIR tool is being abused in **ransomware attacks** tied to **Storm-2603** (aka **CL-CRI-1040**/**Gold Salem**), with **ToolShell** used for initial access to...
Velociraptor DFIR abuse for ransomware persistence
Malware ActivityAbout this happening: The **Velociraptor** DFIR tool is being abused in **ransomware attacks** tied to **Storm-2603** (aka **CL-CRI-1040**/**Gold Salem**), with **ToolShell** used for initial access to...
Storm-2603 Velociraptor-abuse ransomware campaign
Campaign
H score41
First: 09.10.2025 22:31
Last: 09.10.2025 22:31
Sources 1
About this happening:
The **Storm-2603** campaign abuses **Velociraptor** as an intrusion enabler during **ransomware attacks**, using an outdated **Velociraptor 0.73.4.0** instance vulnerable to **CVE...
Storm-2603 Velociraptor-abuse ransomware campaign
CampaignAbout this happening: The **Storm-2603** campaign abuses **Velociraptor** as an intrusion enabler during **ransomware attacks**, using an outdated **Velociraptor 0.73.4.0** instance vulnerable to **CVE...
XWorm backdoor with expanded ransomware plugins
Malware Activity
H score28
First: 06.10.2025 14:42
Last: 06.10.2025 14:42
Sources 1
About this happening:
The **XWorm** **Windows backdoor** is being redistributed in **phishing campaigns**, and newer builds **6.0, 6.4, and 6.5** expand its reach from theft to **remote control**, **fi...
XWorm backdoor with expanded ransomware plugins
Malware ActivityAbout this happening: The **XWorm** **Windows backdoor** is being redistributed in **phishing campaigns**, and newer builds **6.0, 6.4, and 6.5** expand its reach from theft to **remote control**, **fi...
Timeline
-
13.08.2025 08:45 1 articles · 11mo ago
Trend Micro discloses Charon ransomware campaign targeting Middle East sectors
Initial DisclosureTrend Micro disclosed a new Charon ransomware campaign targeting the Middle East's public sector and aviation industry, with delivery through Edge.exe (originally cookie_exporter.exe) sideloading malicious msedge.dll (SWORDLDR) to launch the payload. The malware can terminate security-related services and processes, delete shadow copies and backups, and use multithreading and partial encryption, while a Dark-Kill-based BYOVD capability for disabling EDR was present but not triggered. Researchers also noted DLL side-loading and process injection tactics that resemble Earth Baxia, but said the attribution remains uncertain.
Show sources
- Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics — thehackernews.com — 13.08.2025 08:45