New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises
Essential information
- Published
- 12/08/2025 11:37
- Modified
- 12/08/2025 15:49
- Tags
- 2025-08-12 apt aviation charon dll sideloading encryption evasion middle east network-propagation ransomware
- Related entities
- 1 intrusion sets (apt), 11 techniques (mitre), 1 malware, 2 others
Description
A new ransomware family called Charon has been identified, targeting the Middle East's public sector and aviation industry. The attack employs sophisticated APT-style techniques, including DLL sideloading, process injection, and anti-EDR capabilities. Charon uses a multistage payload extraction technique and a hybrid cryptographic scheme combining Curve25519 with ChaCha20 cipher. The ransomware exhibits network propagation capabilities and includes a dormant anti-EDR component. The campaign demonstrates a concerning trend of ransomware operators adopting APT-level techniques, posing an elevated risk to organizations. Defending against Charon requires a multilayered approach, including hardening against DLL sideloading, limiting lateral movement, strengthening backup capabilities, and reinforcing user awareness.