Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics
Aug 13, 2025 | Ravie Lakshmanan | Endpoint Security / Cybercrime

What’s new
A new ransomware family named Charon has been discovered targeting the public sector and aviation industry in the Middle East. The threat actor employs advanced evasion tactics similar to those used by APT groups, including DLL side-loading and process injection. Charon is capable of disabling security services and deleting backups to hinder recovery efforts. The ransomware utilizes a driver from the open-source Dark-Kill project to potentially disable endpoint detection and response (EDR) solutions, although this feature appears to be under development. The campaign is characterized by a customized ransom note that specifically names the victim organization, indicating a targeted approach.
Who’s affected
Organizations in the public sector and aviation industry in the Middle East are the primary targets of the Charon ransomware campaign.
What to do
- Implement robust endpoint detection and response (EDR) solutions to monitor for suspicious activities.
- Regularly back up data and ensure backups are stored securely and are not accessible from the network.
- Educate staff on recognizing phishing attempts and suspicious links that may lead to ransomware infections.
- Review and update incident response plans to include protocols for ransomware attacks.