Middle Eastern Organizations Targeted With Charon Ransomware


New Ransomware Possibly Linked to Earth Baxia

Akshaya Asokan (asokan_akshaya) • August 14, 2025

Charon of Greek mythology crossing the river Styx into the underworld. (Image: delcarmat/Shutterstock)

A previously uncatalogued ransomware strain is targeting public sector and aviation organizations in the Middle East. The threat actor uses techniques similar to a previously documented hacking group likely based in China.

Operators of the ransomware, which appends a .Charon extension to encrypted files, use techniques reminiscent of a nation-state threat actor. Charon hackers choose their targets rather than attacking opportunistically, according to analysis from Trend Micro. In Greek mythology, Charon ferries dead souls into the underworld.

A "distinctive DLL sideloading methodology" points to potential overlap with a China-based threat actor, tracked by Trend Micro as Earth Baxia. The cybersecurity firm in fall 2024 spotted Earth Baxia deploying ...


Copyright of this story solely belongs to bankinfosecurity.