Threat Advisories:
Noodlophile Stealer Advances with Obfuscation, Social Media Deception PS1Bot: The Modular Malware Lurking Behind Malvertising Microsoft’s August 2025 Patch Tuesday Roundup Charon Ransomware Encrypts Files Belonging to Middle East Industries CVE-2025-25256: Fortinet Rushes to Patch High-Risk FortiSIEM Vulnerability Efimer Trojan: From Fake Lawsuits to Crypto Heists Zero-Day in WinRAR Actively Weaponized by Multiple Threat Groups DarkCloud Uses Fileless Techniques Turning into a Nightmare for Windows CastleBot Rising: The Evolving Malware-as-a-Service Threat MedusaLocker Uses ThrottleStop.sys Flaw to Kill AV on Windows Malicious npm Packages Target WhatsApp Developers with Kill Switch Trend Micro Warns of Active Exploits in Apex One Console SafePay Ransomware’s Rapid Ascent to the Top of the Cybercrime Scene Adobe Patches Three Critical Flaws in AEM Forms on JEE Plague in the Shadows: Unmasking a Silent Linux Backdoor RoKRAT Resurfaces: APT37’s Fileless Shortcut to Espionage Secret Blizzard Strikes Moscow with ApolloShadow Alone Theme Vulnerability Puts WordPress Sites at Risk Scattered Spider’s Hypervisor Attack on VMware vSphere Operation GhostChat and PhantomPrayers Breach Tibetan Trust
🎧 Podcast: This Month's Threats in 10 Min! Emerging Threat Intel Audio Briefing - Listen & Defend Now →
👥 Play Count: Loading...
Partner Program
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them.
IntegrationsSync with an abundant number of out-of-the-box integrations.
HiveForce LabsStrategic intelligence and operational expertise to ensure comprehensive security readiness at all levels.
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them.
IntegrationsSync with an abundant number of out-of-the-box integrations.
HiveForce LabsStrategic intelligence and operational expertise to ensure comprehensive security readiness at all levels.
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe

Charon Ransomware Encrypts Files Belonging to Middle East Industries

Red | Attack Report
Download PDF

Charon Ransomware Threat Advisory Report (TA2025250)

A Sophisticated Ransomware Attack Targeting Windows, Public Sector, and Aviation in the Middle East

Charon ransomware is a newly discovered advanced persistent threat (APT)-style ransomware that is increasingly targeting the public sector and aviation industry in the Middle East. This malware, leveraging DLL sideloading, process injection, and EDR evasion, highlights how modern ransomware attacks blur the line between cybercrime and state-sponsored operations. Organizations running Windows environments are at significant risk.

Attack Details and Malware Techniques

DLL Sideloading, Process Injection, and Encrypted Payload Delivery

Charon ransomware uses DLL sideloading with Edge.exe and malicious msedge.dll (SWORDLDR) to load its payload. It employs process injection via svchost.exe to impersonate legitimate Windows services, enabling bypass of conventional security controls. The ransomware disrupts systems by terminating security processes, deleting backups, and shutting down services, while using partial encryption and multithreading for speed and efficiency.

Advanced Ransomware Capabilities

BYOVD Attacks, EDR Disruption, and Custom Ransom Demands

One of Charon’s standout features is a BYOVD (Bring Your Own Vulnerable Driver) attack, adapted from the Dark-Kill project, to disable endpoint detection and response (EDR) solutions. Once encryption is complete, files receive the .Charon extension with an infection marker and a ransom note titled How To Restore Your Files.txt placed across all directories, shares, and drives. This indicates a highly targeted and financially motivated ransomware campaign.

Impacted Regions and Industries

Middle East Public Sector and Aviation Cybersecurity Threats

Recent campaigns show Charon ransomware specifically targeting Middle Eastern government networks and aviation infrastructure. These sectors are attractive due to their sensitivity, geopolitical importance, and operational disruption potential. The attack chain demonstrates a sophisticated toolchain with encrypted payload delivery, pointing toward high-level adversaries.

Defensive Recommendations

Cybersecurity Best Practices Against Charon Ransomware

  • Defend Against DLL Sideloading & Process Injection – Restrict executables and DLL loading from common abuse locations. Monitor suspicious Edge.exe and svchost.exe behavior.

  • Implement the 3-2-1 Backup Rule – Maintain three copies of data, with two stored on separate devices and one offsite or cloud-based.

  • Harden Backup & Recovery Strategies – Use offline, immutable, and regularly tested backups that align with RTO and RPO standards.

  • Limit Lateral Movement – Enforce Zero Trust architecture, strong multi-factor authentication (MFA), and restricted access between workstations, servers, and file shares.

  • User Awareness & Privilege Management – Train staff to recognize phishing emails, malicious links, and executable traps while enforcing least privilege access policies.

MITRE ATT&CK Mapping

Techniques Used by Charon Ransomware

Charon aligns with MITRE ATT&CK tactics and techniques, including:

  • Execution (TA0002) – User Execution (T1204), Malicious Files (T1204.002).

  • Persistence & Privilege Escalation – Exploitation (T1068), Masquerading (T1036).

  • Defense Evasion – Obfuscation (T1027), Process Injection (T1055), Disable Tools (T1562.001).

  • Impact – Data Encryption (T1486), Service Stop (T1489), Inhibit Recovery (T1490).

Indicators of Compromise (IOCs)

File Hashes and Infection Markers

  • SHA256 Hashes: 80711e37f226ef1dc86dc80a8cbc0b2ec895b361e9ade85da793d94b1d876be8, 739e2cac9e2a15631c770236b34ba569aad1d1de87c6243f285bf1995af2cdc2, e0a23c0d99c45d40f6ef99c901bacf04bb12e9a3a15823b663b392abadd2444e

  • SHA1 Hashes: 92750eb5990cdcda768c7cb7b654ab54651c058a, a1c6090674f3778ea207b14b1b55be487ce1a2ab, 21b233c0100948d3829740bd2d2d05dc35159ccb

  • MD5 Hashes: dc2d94043269f661bb83f0a0d4a754e7, 966a8a32fee80bba5fcf4f83cd6180fe, a1a0fd18382769745592226f1f652632

  • Filename: How To Restore Your Files.txt

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox