Charon Ransomware Targets Middle East Industries with Advanced Evasion Techniques

Aug 13, 2025
Endpoint Security / Cybercrime

Cybersecurity researchers have unveiled a new campaign featuring an undocumented ransomware variant named Charon, targeting the public sector and aviation industry in the Middle East. According to Trend Micro, the attackers employed tactics reminiscent of advanced persistent threat (APT) groups, including DLL side-loading and process injection, successfully evading endpoint detection and response (EDR) systems. The use of DLL side-loading parallels techniques associated with the China-linked hacking group Earth Baxia, which has previously targeted government entities in Taiwan and the Asia-Pacific region to deploy a backdoor known as EAGLEDOOR, following the exploitation of a now-patched vulnerability in OSGeo GeoServer GeoTools. “The attack chain utilized a legitimate browser-related file, Edge.exe (originally cookie_exporter.exe), to sideload a…”

Charon Ransomware Targets Middle East Sectors with Advanced Evasion Techniques

August 13, 2025
Endpoint Security / Cybercrime

Recent investigations by cybersecurity experts have unveiled a new wave of malicious activity involving a previously unknown ransomware variant named Charon. This campaign has specifically targeted the public sector and aviation industry across the Middle East. According to analysis from Trend Micro, the threat actor behind this operation is utilizing sophisticated tactics akin to those seen in advanced persistent threat (APT) groups, including techniques such as DLL side-loading and process injection, which effectively evade modern endpoint detection and response (EDR) tools.

The methodology associated with this attack draws parallels with tactics linked to the China-affiliated hacking group Earth Baxia. Previous activities attributed to this group involved targeting governmental organizations in Taiwan and the broader Asia-Pacific region. Earth Baxia exploited a security vulnerability in OSGeo GeoServer’s GeoTools to deploy a backdoor dubbed EAGLEDOOR, utilizing legitimate software files to conceal their malicious actions. Notably, the current attack hinges on manipulating a browser-related file, Edge.exe, originally named cookie_exporter.exe, to facilitate the side-loading process.

The intent behind the Charon ransomware campaign remains to disrupt critical services and potentially extort public sector organizations and aviation entities. As these sectors are essential to the functioning of society and the economy, the implications of such attacks can be far-reaching. Cybersecurity professionals are particularly concerned given the attention this campaign has drawn, with its use of APT-level techniques indicating a significant evolution in the tactics employed by cybercriminals.

Employing tactics categorized under the MITRE ATT&CK framework, the attacker likely achieved initial access through sophisticated social engineering or exploit techniques. Once inside the target environment, persistence was maintained through methods like process injection to ensure continued access. Furthermore, privilege escalation tactics may have been deployed to gain higher-level permissions within the compromised networks, allowing for broader access to sensitive data and critical infrastructure.

The ongoing nature of cyber threats in this region necessitates vigilance among organizations in the public sector and aviation industries. As attackers increasingly adopt complex strategies, it is imperative for business owners to not only invest in robust cybersecurity measures but also to foster a culture of awareness and preparedness among their teams.

This incident serves as a reminder of the growing sophistication of ransomware threats and highlights the importance of adhering to comprehensive cybersecurity practices. Organizations are encouraged to review their incident response plans and ensure they are equipped to mitigate against such advanced attacks. The landscape of cyber threats continues to evolve, and remaining informed is crucial to safeguarding critical operations.

Source link

Related Posts

Zoom and Xerox Release Urgent Security Updates to Address Privilege Escalation and RCE Vulnerabilities

Aug 13, 2025
Vulnerability / Software Security

Zoom and Xerox have released critical security updates for Zoom Clients on Windows and FreeFlow Core, addressing significant vulnerabilities that could enable privilege escalation and remote code execution (RCE). The flaw in Zoom Clients for Windows, designated as CVE-2025-49457 (CVSS score: 9.6), involves an untrusted search path that may allow an unauthenticated user to escalate privileges via network access.

According to a security bulletin issued by Zoom, the issue was identified by its Offensive Security team and affects the following products:

  • Zoom Workplace for Windows versions prior to 6.3.10
  • Zoom Workplace VDI for Windows versions prior to 6.3.10 (excluding 6.1.16 and 6.2.12)
  • Zoom Rooms for Windows versions prior to 6.3.10
  • Zoom Rooms Controller for Windows versions prior to 6.3.10
  • Zoom Meeting SDK for Windows versions prior to 6.3.10

This disclosure follows the identification of multiple vulnerabilities in critical software platforms.

New PS1Bot Malware Campaign Utilizes Malvertising for Multi-Stage In-Memory Attacks

Aug 13, 2025
Malvertising / Cryptocurrency

Cybersecurity experts have identified a new malvertising campaign aimed at deploying a multi-stage malware framework known as PS1Bot. Researchers Edmund Brumaghin and Jordyn Dunk from Cisco Talos explained that “PS1Bot features a modular architecture, incorporating various modules for malicious activities such as information theft, keylogging, reconnaissance, and creating persistent access to compromised systems.” The design emphasizes stealth, leaving minimal traces on infected machines and using in-memory execution techniques to run subsequent modules without writing them to disk. Since early 2025, campaigns distributing this PowerShell and C# malware have actively exploited malvertising to propagate, executing modules in-memory to reduce forensic footprints.

CISA Adds Two Vulnerabilities in N-able N-central to Its Known Exploited Vulnerabilities Catalog

Aug 14, 2025 | Vulnerability / Network Security

On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included two security flaws affecting N-able N-central in its Known Exploited Vulnerabilities (KEV) catalog, due to evidence of active exploitation. N-able N-central is a Remote Monitoring and Management (RMM) platform tailored for Managed Service Providers (MSPs) to effectively manage and safeguard their clients’ Windows, Apple, and Linux endpoints from a centralized platform.

The identified vulnerabilities are as follows:

  • CVE-2025-8875 (CVSS score: N/A): An insecure deserialization vulnerability that may allow for command execution.
  • CVE-2025-8876 (CVSS score: N/A): A command injection vulnerability resulting from improper sanitization of user input.

Both issues have been resolved in N-central versions 2025.3.1 and 2024.6 HF2, released on August 13, 2025. N-able is also advising customers to ensure multi-factor authentication (MFA) is enabled, particularly for admin accounts.

Russian Group EncryptHub Utilizes MSC EvilTwin Vulnerability to Distribute Fickle Stealer Malware

August 16, 2025
Malware / Vulnerability

The cybercriminal organization known as EncryptHub is continuing to take advantage of a recently patched vulnerability in Microsoft Windows to deliver harmful payloads. Trustwave SpiderLabs has reported observing an EncryptHub campaign that combines social engineering tactics with the exploitation of a flaw in the Microsoft Management Console (MMC) framework (CVE-2025-26633, also referred to as MSC EvilTwin), initiating the infection process through a malicious Microsoft Console (MSC) file. According to Trustwave researchers Nathaniel Morales and Nikita Kazymirskyi, “These actions are part of a larger, ongoing wave of malicious activity blending social engineering with technical exploitation to circumvent security defenses and gain control of internal networks.” EncryptHub, also recognized as LARVA-208 and Water Gamayun, is a Russian hacking group that first emerged in mid-2024. Operating at a high pace, this financially motivated team is known for using various strategies, including fraudulent job postings…