Charon Ransomware Targets Middle East Government and Aviation Sectors


A newly discovered ransomware family named Charon is drawing attention in the security community, and not for good reasons. Targeting government agencies and the aviation industry in the Middle East, Charon pairs the financial motive of ransomware with the stealth and persistence usually associated with Advanced Persistent Threat (APT) operations. That hybrid is what has researchers and security teams concerned.

Charon’s operators run highly targeted campaigns, crafting victim-specific ransom notes that name the organization. Once inside a network, the malware uses partial (intermittent) encryption to speed up the attack: rather than encrypting every byte of every file, it encrypts selected portions, which is enough to render a file unusable while cutting the time spent on disk I/O. Keys are exchanged with Curve25519 and file contents are encrypted with ChaCha20. Encrypted files receive the “.Charon” extension and carry an infection marker reading “hCharon has entered the real world!”
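Partial encryption has a side effect that responders can use: the untouched regions of a file keep their normal, low entropy, so a per-chunk entropy profile separates a partially encrypted file from a fully encrypted one and from an intact one. The triage script below is an added example, not code from the article or from any Charon analysis. It constructs its own sample file in memory (random bytes stand in for ciphertext), the 4 KiB chunk size and 7.5 bits/byte threshold are assumptions, and the placement of the marker string at the end of the file is assumed too, since the article does not say where the marker sits.

```python
"""Chunk-entropy triage for partially (intermittently) encrypted files.

Encrypted chunks approach 8 bits of entropy per byte; untouched plaintext
chunks stay well below that. Interleaving of the two is the signature of
partial encryption. All inputs here are constructed for the example.
"""
import math
import os
from collections import Counter

CHUNK = 4096                # bytes per chunk (assumption)
HIGH_ENTROPY = 7.5          # bits/byte; random or encrypted data sits near 8.0 (assumption)
MARKER = b"hCharon has entered the real world!"   # marker string quoted in the article
EXTENSION = ".Charon"       # extension quoted in the article


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_profile(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Entropy of each fixed-size chunk, in file order (last chunk may be short)."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(name: str, data: bytes) -> dict:
    """Triage verdict for one file.

    pattern is 'partial' when high- and low-entropy chunks are interleaved,
    'full' when every chunk is high entropy, 'clean' when none is.
    """
    profile = chunk_profile(data)
    high = [e >= HIGH_ENTROPY for e in profile]
    if high and all(high):
        pattern = "full"
    elif any(high):
        pattern = "partial"
    else:
        pattern = "clean"
    return {
        "name": name,
        "extension_hit": name.endswith(EXTENSION),
        "marker_hit": MARKER in data,   # trailer placement is an assumption, see lead-in
        "pattern": pattern,
        "high_chunks": sum(high),
        "total_chunks": len(profile),
    }


def build_sample(encrypt_every: int = 2, chunks: int = 8) -> bytes:
    """Constructed input: repetitive text with every n-th chunk replaced by
    random bytes (standing in for ciphertext), then the marker appended."""
    text_chunk = (b"INVOICE 2024-0001 line item repeated for padding\n" * 100)[:CHUNK]
    out = bytearray()
    for i in range(chunks):
        out += os.urandom(CHUNK) if i % encrypt_every == 0 else text_chunk
    return bytes(out) + MARKER


if __name__ == "__main__":
    verdict = classify("report.docx.Charon", build_sample())
    print(verdict)
```

On a live system the same profile runs over files found under a suspect share; the `partial` verdict plus the extension and marker hits together make a far stronger indicator than the extension alone, which an unrelated process could also produce.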

Technically, Charon’s infection chain is layered. It relies on DLL sideloading: a legitimate, signed Edge.exe is made to load a malicious msedge.dll (tracked as SWORDLDR) from its own directory, and that loader injects the ransomware payload into svchost.exe. The payload also enumerates and encrypts files on network shares, including targets given as UNC paths, while deliberately skipping the ADMIN$ share to lower the chance of tripping detection. The binary additionally carries code from the Dark-Kill project, which disables endpoint detection and response (EDR) products by loading a vulnerable driver (a Bring Your Own Vulnerable Driver, BYOVD, attack); that code is present but not invoked in the samples analyzed so far.
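The sideload step leaves a clean hunting signal in image-load telemetry: a signed host binary loading msedge.dll from its own, non-install directory, usually without Microsoft's signature on the DLL. The hunt below is an added example, not the article's or any vendor's detection content. It parses constructed records in a simple key=value format modelled on the fields of a Sysmon Event ID 7 (image load); the Edge install roots, the host names it watches, and the sample paths are all assumptions. The later injection into svchost.exe is not visible in image-load events and is out of scope here.

```python
"""Hunt for an Edge.exe -> msedge.dll sideload in image-load records.

Two properties hold for any DLL sideload and drive the logic here: the DLL
resolves from the host binary's own directory instead of the vendor install
path, and it is not signed by the vendor. Records are constructed for this
example in a 'key=value|key=value' format, not real Sysmon XML.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Where a genuine Edge install lives (assumption; adjust per fleet).
EDGE_INSTALL_ROOTS = (
    PureWindowsPath(r"C:\Program Files\Microsoft\Edge\Application"),
    PureWindowsPath(r"C:\Program Files (x86)\Microsoft\Edge\Application"),
)
HOST_NAMES = {"edge.exe", "msedge.exe"}   # msedge.exe is the real browser; Edge.exe is the name given above
TARGET_DLL = "msedge.dll"


@dataclass
class ImageLoad:
    host: str          # process image that performed the load
    image_loaded: str  # path of the loaded DLL
    signed: bool
    signature: str     # signer name, empty if unsigned


def parse_line(line: str) -> ImageLoad:
    """Parse one constructed 'key=value|...' record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        host=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def under_root(path: PureWindowsPath, roots) -> bool:
    """Case-insensitive prefix check against the expected install roots."""
    return any(str(path).lower().startswith(str(r).lower()) for r in roots)


def is_sideload(ev: ImageLoad) -> list[str]:
    """Reasons this record looks like an msedge.dll sideload; empty list means benign."""
    host = PureWindowsPath(ev.host)
    dll = PureWindowsPath(ev.image_loaded)
    if host.name.lower() not in HOST_NAMES or dll.name.lower() != TARGET_DLL:
        return []
    reasons = []
    if not under_root(dll.parent, EDGE_INSTALL_ROOTS):
        reasons.append(f"msedge.dll loaded from non-install path {dll.parent}")
    if dll.parent == host.parent and not under_root(host.parent, EDGE_INSTALL_ROOTS):
        reasons.append("DLL resolved from the host binary's own directory")
    if not ev.signed or "microsoft" not in ev.signature.lower():
        reasons.append(f"DLL not Microsoft-signed (signed={ev.signed}, signer={ev.signature!r})")
    return reasons


def hunt(lines) -> list[tuple[ImageLoad, list[str]]]:
    """Run the check over an iterable of records and return the suspicious ones."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = is_sideload(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed records: one genuine browser load, one staged sideload.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Microsoft\Edge\Application\msedge.exe|ImageLoaded=C:\Program Files\Microsoft\Edge\Application\123.0.0.0\msedge.dll|Signed=true|Signature=Microsoft Corporation",
    r"Image=C:\Users\Public\Libraries\Edge.exe|ImageLoaded=C:\Users\Public\Libraries\msedge.dll|Signed=false|Signature=",
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev.host, "->", ev.image_loaded)
        for r in reasons:
            print("   ", r)
```

The signature check is the one that survives renaming: an attacker can drop the pair into a directory whose name looks plausible, but cannot give the malicious DLL a Microsoft signature, so a rule that fires only on the path prefix is weaker than one that also requires the signer to match.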

While attribution remains uncertain, analysts note technical overlaps with Earth Baxia, a China-linked APT known for government-targeted espionage. Whether this is direct involvement, a false-flag operation, or simply the work of a new group borrowing proven tactics is still unclear. What is certain is that Charon exemplifies a growing trend: ransomware actors adopting APT-grade techniques to bypass defenses, spread laterally, and evade detection.

For the Middle East — already a hotspot for state-aligned hacking, cybercrime, and hacktivism — Charon’s arrival heightens the risk profile for critical infrastructure and sensitive industries. Its ability to combine stealth, speed, and tailored extortion means potential victims face not only operational downtime and data loss, but also the possibility of deeper compromises that could aid future espionage or sabotage.

#CharonRansomware #APTTechniques #DLLSideloading #PartialEncryption #EDREvasion #MiddleEastCybersecurity #EarthBaxia #APTOverlap #AviationCyberThreats #PublicSectorCybersecurity #BYOVD #TargetedRansomware #CybercrimeTrends
