New Charon ransomware targets Middle East public sector, aviation firms
Researchers say a newly identified ransomware strain dubbed Charon has been deployed in cyberattacks targeting public sector and aviation organizations in the Middle East, and that the campaign shares some similarities with attacks from a China-linked cyber-espionage group.
A report published Tuesday by cybersecurity firm Trend Micro described Charon as having APT-style capabilities. Before encrypting files, the ransomware disables antivirus and other security services, deletes backups and empties the recycle bin to make recovery harder. The ransom note, customized for each victim, includes the organization’s name, a list of encrypted data and payment instructions — a sign of deliberate targeting rather than a broad, opportunistic campaign.
The hacker group behind the campaign used methods similar to those of the China-linked group Earth Baxia, known for targeting government agencies in the Asia-Pacific region, according to Trend Micro.
The similarities could indicate Earth Baxia’s direct involvement, deliberate imitation by the attackers or independent development of similar tactics — making definitive attribution impossible at this time, the researchers said.
Trend Micro did not specify how Charon was delivered in the latest attack. If the hackers followed Earth Baxia’s previous playbook, it may have involved spear-phishing emails.
In earlier campaigns, Earth Baxia has targeted government entities in Taiwan and other Asia-Pacific nations, including the Philippines, South Korea, Vietnam, and Thailand, often using spear-phishing emails to deliver malware. Its primary targets have included government bodies, telecommunications companies and the energy sector.
“This case exemplifies a concerning trend: the adoption of APT-level techniques by ransomware operators,” researchers said, warning that the campaign poses a significant business risk, potentially leading to operational disruptions, data loss and financial costs tied to downtime.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.