BIGFISH TECHNOLOGY LIMITED
13 August 2025

Charon Ransomware: Stealthy Cyber Threat Hits Middle East

Recently, security researchers from Trend Micro revealed a new and highly sophisticated cyberattack campaign — Charon Ransomware — targeting government agencies and the aviation sector in the Middle East. The ransomware stands out by deploying Advanced Persistent Threat (APT)-style evasion techniques, bringing a level of stealth and complexity far beyond that of typical ransomware operations.


Attack Characteristics and Targets

Charon Ransomware is engineered for targeted attacks rather than random, widespread distribution. Each ransom note is custom-tailored to the specific victim, indicating careful reconnaissance and planning.
The most recent wave of attacks focused on government entities and aviation organizations — critical infrastructure sectors in the Middle East.


Advanced Evasion Techniques

What makes Charon particularly dangerous is its combination of APT-level stealth with ransomware payload delivery. Key tactics include:

  • DLL Sideloading via a maliciously named Edge.exe to load a malicious module (msedge.dll, codename SWORDLDR) before delivering the ransomware payload.
  • Process Injection into legitimate processes to bypass security detection.
  • Multithreading + Partial Encryption to accelerate file encryption while minimizing system impact.
  • BYOVD (Bring Your Own Vulnerable Driver) — leveraging a vulnerable driver derived from the open-source “Dark-Kill” project to disable or bypass EDR tools (though this feature hasn’t been activated yet in observed campaigns).
  • Data Recovery Disruption by disabling security software, deleting shadow copies, and removing backups.
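As an added defensive example (not from this bulletin or the Trend Micro report), the following Python triage pass runs over constructed Sysmon-style events and flags two of the behaviours listed above: an Edge-named process loading msedge.dll from outside a trusted Edge install directory, and shadow-copy deletion ahead of encryption. Event field names, sample paths and the trusted directory list are assumptions.

```python
import re
# Constructed, Sysmon-style sample events (assumed field names), not real telemetry.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "loaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll"},
    {"type": "image_load", "image": r"C:\Users\Public\Edge.exe",
     "loaded": r"C:\Users\Public\msedge.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\temp\notes.txt"},
]

# Where a genuine msedge.dll is expected (assumption: default Edge install paths).
TRUSTED_EDGE_DIRS = (r"c:\program files\microsoft\edge\application",
                     r"c:\program files (x86)\microsoft\edge\application")

# Shadow-copy removal commands typically run before encryption to hinder recovery.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)

def _split(path):
    """Normalise a Windows path and return (directory, basename), both lower-case."""
    norm = path.replace("/", "\\").lower()
    head, _, tail = norm.rpartition("\\")
    return head, tail

def is_edge_sideload(ev):
    """Edge-named process loading msedge.dll from outside a trusted Edge directory."""
    if ev.get("type") != "image_load":
        return False
    _, loader = _split(ev["image"])
    loaded_dir, module = _split(ev["loaded"])
    if loader not in ("edge.exe", "msedge.exe") or module != "msedge.dll":
        return False
    return not any(loaded_dir.startswith(d) for d in TRUSTED_EDGE_DIRS)

def is_shadow_copy_deletion(ev):
    """Process-creation event whose command line removes VSS shadow copies."""
    return ev.get("type") == "process_create" and bool(SHADOW_DELETE.search(ev.get("cmdline", "")))

def triage(events):
    """Return (index, reason) pairs for every event matching either behaviour."""
    hits = []
    for i, ev in enumerate(events):
        if is_edge_sideload(ev):
            hits.append((i, "msedge.dll sideload from untrusted path"))
        elif is_shadow_copy_deletion(ev):
            hits.append((i, "shadow copy deletion"))
    return hits
```

Running `triage(SAMPLE_EVENTS)` flags only the untrusted-path load and the vssadmin command; the genuine Edge load and the notepad launch pass clean.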


Attribution Possibilities

While certain tactics resemble those used by Earth Baxia — a China-linked threat group — there is no conclusive evidence to confirm a direct connection. Possible explanations include:

  • Direct operation by Earth Baxia
  • False flag activity to mislead attribution
  • A new, independent actor adopting similar techniques


Risks and Impact on Organizations

Charon Ransomware represents a growing trend: merging APT-grade intrusion capabilities with the disruptive power of ransomware. This evolution brings several heightened risks:

  • Shorter response windows due to rapid encryption
  • Difficult data recovery because backups and recovery systems are destroyed
  • Severe business impact, especially to critical infrastructure operators


Recommendations for Defense

Organizations can reduce the risk from sophisticated ransomware like Charon by:

  1. Implementing multi-layered defense (including EDR/XDR solutions)
  2. Regularly patching and mitigating vulnerabilities in drivers and applications
  3. Maintaining offline or immutable backups and testing recovery procedures
  4. Conducting ransomware-specific incident response drills
  5. Leveraging threat intelligence feeds to stay updated on new TTPs and IOCs


Conclusion: Charon Ransomware is not just another encryption-for-ransom threat. It is an example of how nation-state-style stealth and persistence can be blended with financially motivated cybercrime. Its targeted nature and technical sophistication make it a serious concern for any organization, especially those operating in critical infrastructure sectors.