Charon ransomware activity targeting Middle East public sector and aviation industry
Malware Activity
Summary
A previously undocumented Charon ransomware activity is now targeting the Middle East's public sector and aviation industry, increasing the risk of disruptive encryption and EDR evasion. The malware uses DLL side-loading and process injection to deliver its payload through a disguised execution chain. It can terminate security services, delete shadow copies and backups, and speed file locking with multithreading and partial encryption. A customized ransom note that names the victim organization suggests the operation is targeted rather than opportunistic.
Related Happenings
BADAUDIO first-stage downloader activity
Malware Activity
First: 21.11.2025 12:42
Last: 21.11.2025 12:42
Sources 1
About this happening:
The **BADAUDIO** malware is now documented as a **first-stage downloader** that can **decrypt and execute AES-encrypted payloads** from a hard-coded **C2 server**, increasing the...
Velociraptor DFIR abuse for ransomware persistence
Malware Activity
First: 09.10.2025 22:31
Last: 09.10.2025 22:31
Sources 1
About this happening:
The **Velociraptor** DFIR tool is being abused in **ransomware attacks** tied to **Storm-2603** (aka **CL-CRI-1040**/**Gold Salem**), with **ToolShell** used for initial access to...
Storm-2603 Velociraptor-abuse ransomware campaign
Campaign
First: 09.10.2025 22:31
Last: 09.10.2025 22:31
Sources 1
About this happening:
The **Storm-2603** campaign abuses **Velociraptor** as an intrusion enabler during **ransomware attacks**, using an outdated **Velociraptor 0.73.4.0** instance vulnerable to **CVE...
XWorm backdoor with expanded ransomware plugins
Malware Activity
First: 06.10.2025 14:42
Last: 06.10.2025 14:42
Sources 1
About this happening:
The **XWorm** **Windows backdoor** is being redistributed in **phishing campaigns**, and newer builds **6.0, 6.4, and 6.5** expand its reach from theft to **remote control**, **fi...
SnakeDisk USB worm drops Yokai on Thailand IPs
Malware Activity
First: 15.09.2025 21:45
Last: 15.09.2025 21:45
Sources 1
About this happening:
The **SnakeDisk** USB worm now adds a geofenced propagation path that can **drop the Yokai backdoor** on hosts with **Thailand-based IPs**, increasing the risk of localized compro...
Timeline
- 13.08.2025 08:45 · 1 article · 9mo ago
Trend Micro discloses Charon ransomware campaign targeting Middle East sectors
Initial Disclosure: Trend Micro disclosed a new Charon ransomware campaign targeting the Middle East's public sector and aviation industry, with delivery through Edge.exe (originally cookie_exporter.exe) side-loading a malicious msedge.dll (SWORDLDR) to launch the payload. The malware can terminate security-related services and processes, delete shadow copies and backups, and use multithreading and partial encryption, while a Dark-Kill-based BYOVD capability for disabling EDR was present but not triggered. Researchers also noted DLL side-loading and process injection tactics that resemble Earth Baxia, but said the attribution remains uncertain.
- Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics — thehackernews.com — 13.08.2025 08:45
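A defender-side check for the execution chain described above (a renamed Edge.exe side-loading an untrusted msedge.dll), added here as an example that is not from the page or from Trend Micro. It assumes Sysmon-style image-load records with the field subset shown, treats the standard Edge install directories as the only trusted locations, and uses constructed sample events.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: a legitimate Edge host and msedge.dll only load from these roots.
TRUSTED_EDGE_DIRS = (
    PureWindowsPath(r"C:\Program Files (x86)\Microsoft\Edge\Application"),
    PureWindowsPath(r"C:\Program Files\Microsoft\Edge\Application"),
)
EDGE_HOST_NAMES = {"msedge.exe", "edge.exe"}

@dataclass(frozen=True)
class ImageLoad:
    """Subset of a Sysmon Event ID 7 (ImageLoad) record; field names are ours."""
    process_image: str   # full path of the process that loaded the DLL
    image_loaded: str    # full path of the DLL that was loaded
    signed: bool         # Sysmon 'Signed' field
    signature: str       # Sysmon 'Signature' field (publisher name)

def _under_trusted_dir(path: PureWindowsPath) -> bool:
    # PureWindowsPath equality is case-insensitive, so mixed-case log paths match.
    return any(trusted in path.parents for trusted in TRUSTED_EDGE_DIRS)

def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return why an msedge.dll load looks like the disguised Edge.exe chain;
    an empty list means the event is not an msedge.dll load or looks legitimate."""
    dll = PureWindowsPath(ev.image_loaded)
    host = PureWindowsPath(ev.process_image)
    if dll.name.lower() != "msedge.dll":
        return []
    reasons = []
    if host.name.lower() in EDGE_HOST_NAMES and not _under_trusted_dir(host):
        reasons.append("Edge-named host binary outside the Edge install directory")
    if not _under_trusted_dir(dll):
        reasons.append("msedge.dll loaded from outside the Edge install directory")
    if not (ev.signed and ev.signature == "Microsoft Corporation"):
        reasons.append("msedge.dll is not signed by Microsoft")
    return reasons

def scan(events):
    """Map each suspicious event's host image path to its list of reasons."""
    return {ev.process_image: r for ev in events if (r := sideload_reasons(ev))}

# Constructed sample events: a legitimate Edge load, a renamed loader, unrelated noise.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r"C:\Program Files (x86)\Microsoft\Edge\Application\128.0.0.0\msedge.dll",
              True, "Microsoft Corporation"),
    ImageLoad(r"C:\Users\Public\Edge.exe", r"C:\Users\Public\msedge.dll", False, ""),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\ntdll.dll", True, "Microsoft Windows"),
]
```

Running `scan(SAMPLE_EVENTS)` flags only the `C:\Users\Public\Edge.exe` event, with all three reasons; a signed msedge.dll from the Edge directory produces no alert.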