Cybersecurity researchers have identified a campaign using a previously undocumented ransomware family known as Charon to target the Middle East’s public sector and the region’s aviation industry, according to Trend Micro, which described the operation as sophisticated, with attack workflows that mirror advanced persistent threat (APT) tradecraft in both stealth and reach.
Analysts note that Charon employs techniques commonly associated with state-aligned threat groups, including DLL side-loading, process injection, and attempts to evade endpoint detection and response (EDR) systems. The researchers detailed a chain in which a legitimate browser-related executable is abused to side-load a malicious DLL (Edge.exe loading msedge.dll, tracked as SWORDLDR), which ultimately delivers the Charon payload. Trend Micro highlighted these execution stages together with the disruptive behavior typical of modern ransomware, including the termination of security services and the deletion of shadow copies and backups to hinder recovery.
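As an added defender-side illustration (not code from the Trend Micro report), the following sketch flags two of the behaviors described above over Sysmon-style event records: an `Edge.exe` process loading `msedge.dll` from outside the standard Microsoft Edge install directories, and a `vssadmin` shadow-copy deletion. The trusted install roots and the sample events are assumptions constructed for the example.

```python
from pathlib import PureWindowsPath

# Default Microsoft Edge install roots (assumption; adjust to your own estate).
TRUSTED_EDGE_ROOTS = (
    r"C:\Program Files\Microsoft\Edge\Application",
    r"C:\Program Files (x86)\Microsoft\Edge\Application",
)

def under_trusted_root(path: str) -> bool:
    """True if `path` lies inside one of the trusted Edge install roots."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(str(PureWindowsPath(r)).lower() + "\\") for r in TRUSTED_EDGE_ROOTS)

def detect(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, record_index) findings over Sysmon-like event dicts."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 7:  # Sysmon ImageLoad
            image = PureWindowsPath(ev["Image"]).name.lower()
            loaded = PureWindowsPath(ev["ImageLoaded"]).name.lower()
            # Side-load pattern: Edge.exe pulling msedge.dll from a non-install location.
            if image == "edge.exe" and loaded == "msedge.dll" and not (
                under_trusted_root(ev["Image"]) and under_trusted_root(ev["ImageLoaded"])
            ):
                findings.append(("edge_sideload_msedge_dll", i))
        elif ev["EventID"] == 1:  # Sysmon ProcessCreate
            cmd = ev.get("CommandLine", "").lower()
            # Recovery inhibition: deletion of volume shadow copies.
            if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
                findings.append(("shadow_copy_deletion", i))
    return findings

# Constructed sample records (not from the report); index 1 and 3 should fire.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Program Files\Microsoft\Edge\Application\1.0\msedge.dll"},
    {"EventID": 7, "Image": r"C:\Users\Public\Edge.exe",
     "ImageLoaded": r"C:\Users\Public\msedge.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]}")
```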
Charon’s operation also includes a driver component built from the open-source Dark-Kill project to disable security tools through a bring-your-own-vulnerable-driver (BYOVD) technique. The driver’s use appears to be under development, as researchers noted the trigger for this capability was not activated during observed incidents. The Dark-Kill project is publicly available on GitHub.
Trend Micro emphasized that the campaign appears targeted rather than opportunistic, pointing to a customized ransom note that explicitly references the victim organization by name. The initial access vector remains unknown, complicating attribution and remediation efforts. In discussing attribution, Trend Micro outlined three possibilities: direct involvement by Earth Baxia, a false-flag operation designed to imitate Earth Baxia, or a new threat actor independently adopting similar techniques. Trend Micro stressed that, without corroborating evidence, the attack shows limited but notable convergence with known Earth Baxia operations.
Beyond Charon, researchers highlighted the broader ransomware landscape, noting ongoing evolution and increasing use of high-end evasion tactics. In a related assessment, Canadian security firm eSentire described the Interlock ransomware group as employing a multi-stage process involving PowerShell scripts, PHP/NodeJS/C backdoors, and LOLBins to complicate detection and response.
Publicly available industry data reinforce the rising risk. In Barracuda’s 2025 Ransomware Insights report, 57% of organizations surveyed experienced a successful ransomware attack within the last year, and 71% of those with prior email breaches were also hit by ransomware. Among victims who paid, only 41% recovered all of their data. Barracuda noted these trends as part of a broader shift toward increasingly costly and disruptive incidents.
Analysts also cited research from Semperis on ransomware statistics, underscoring the need for robust identity and security controls in the face of evolving threats. Semperis concluded that the threat landscape remains dynamic and threats are diversifying in capability and impact.