On 12 August 2025, Trend Micro researchers revealed the emergence of Charon, a new ransomware family deploying advanced persistent threat (APT)-level tactics historically linked to the Earth Baxia group. The campaign, detected in the Middle East’s public sector and aviation industry, blends DLL sideloading, process injection, and anti-EDR capabilities – marking a concerning escalation in targeted ransomware sophistication.
Trend Micro’s Trend Vision One platform first detected the Charon campaign in early August 2025 during incident investigations in Middle Eastern public sector and aviation entities. The attack chain echoed Earth Baxia’s prior government-targeting operations, although researchers stopped short of attributing it directly to the APT due to lack of shared infrastructure evidence.
The earliest confirmed incident involved the abuse of a legitimate `Edge.exe` binary (originally `cookie_exporter.exe`) to sideload a malicious `msedge.dll` loader, dubbed SWORDLDR, which decrypted and injected the ransomware into a spawned `svchost.exe` process.
Technical Analysis: APT Techniques Meet Ransomware
Attack Chain Overview
- Initial Execution – Legitimate signed binary (`Edge.exe`) used for DLL sideloading.
- Payload Loader (SWORDLDR) – Decrypts encrypted shellcode from `DumpStack.log`.
- Process Injection – Injects ransomware into `svchost.exe` to bypass security tools.
- File Encryption – Network shares and local drives encrypted, with `.Charon` extension appended.
- Ransom Note – Custom note (`How To Restore Your Files.txt`) naming the victim organization.
The multistage payload extraction used two layers of encryption within `DumpStack.log`, revealing Charon's payload only after deep forensic decryption.
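The attack chain above yields two host-level observables a defender can alert on: a DLL named `msedge.dll` loaded from a directory other than the Microsoft Edge install path (the sideloading step), and a `svchost.exe` process whose parent is not `services.exe` (the injection target being spawned by the sideloaded binary). The script below is an added example written for this page, not code from Trend Micro or the report; it applies those two heuristics to a handful of constructed process-creation and image-load events. The event field names (`event_type`, `image`, `parent_image`, `image_loaded`, `pid`) are assumptions for the example rather than a real Sysmon or EDR schema, and the trusted Edge directories are the standard install locations, not a value from the report. It also covers the "monitor process spawning patterns" takeaway later on the page.

```python
"""Heuristic detector for the two host observables in the Charon chain.

Added example, not from the Trend Micro write-up. Event records and their
field names are constructed for this demo and are not a real EDR schema.
"""
from pathlib import PureWindowsPath

# On Windows, svchost.exe is normally started by services.exe.
EXPECTED_SVCHOST_PARENTS = {"services.exe"}

# Standard Microsoft Edge install directories (lower-cased for comparison).
# Assumption for the example: anything loading msedge.dll from elsewhere is a
# sideloading candidate.
TRUSTED_EDGE_DIRS = (
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def _in_trusted_edge_dir(path: str) -> bool:
    """True if the file sits inside (or below) a trusted Edge directory."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent.startswith(d) for d in TRUSTED_EDGE_DIRS)


def analyse_event(event: dict) -> list:
    """Return alert strings for one event; an empty list means benign."""
    alerts = []
    if event["event_type"] == "process_create":
        if (_basename(event["image"]) == "svchost.exe"
                and _basename(event["parent_image"]) not in EXPECTED_SVCHOST_PARENTS):
            alerts.append(
                f"svchost.exe spawned by unexpected parent {event['parent_image']}")
    elif event["event_type"] == "image_load":
        if (_basename(event["image_loaded"]) == "msedge.dll"
                and not _in_trusted_edge_dir(event["image_loaded"])):
            alerts.append(
                f"msedge.dll loaded from untrusted path {event['image_loaded']} "
                f"by {event['image']}")
    return alerts


def analyse_events(events: list) -> list:
    """Run every event through the heuristics; returns [(pid, alert), ...]."""
    findings = []
    for ev in events:
        for alert in analyse_event(ev):
            findings.append((ev["pid"], alert))
    return findings


# Constructed sample telemetry: two events mimicking the sideloading chain and
# two benign events that must not fire.
SAMPLE_EVENTS = [
    {"event_type": "image_load", "pid": 4120,
     "image": r"C:\Users\Public\Edge.exe",
     "image_loaded": r"C:\Users\Public\msedge.dll"},
    {"event_type": "process_create", "pid": 4188,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\Public\Edge.exe"},
    {"event_type": "process_create", "pid": 880,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"event_type": "image_load", "pid": 5000,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     # constructed version subdirectory
     "image_loaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\138.0.1.1\msedge.dll"},
]

if __name__ == "__main__":
    for pid, alert in analyse_events(SAMPLE_EVENTS):
        print(f"[pid {pid}] {alert}")
```

Running the block prints two alerts, one for the out-of-place `msedge.dll` and one for the `svchost.exe` child of `Edge.exe`; the service-host started by `services.exe` and the DLL loaded from the real Edge directory stay quiet. In production the same two predicates map directly onto Sysmon Event ID 7 (image load) and Event ID 1 (process create) fields.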
Anti-EDR Capabilities
Analysts also found an embedded driver (`WWC.sys`), compiled from the public Dark-Kill project and designed to disable endpoint detection and response (EDR) systems. Although the driver is dormant in this variant, its presence indicates possible future enhancements.
“The convergence of APT-grade evasion with ransomware’s destructive impact represents a dangerous escalation in threat actor capabilities,” warned Jacob Santos, senior threat researcher at Trend Micro, on 12 August 2025.
Encryption Methodology
Charon’s hybrid cryptography combines the Curve25519 elliptic curve with the ChaCha20 stream cipher, delivering:
- Partial encryption for speed efficiency, varying by file size.
- 72-byte metadata footer containing victim-specific keys for decryption.
- Infection marker `"hCharon is enter to the urworld!"` appended to encrypted files.
It also:
- Stops security-related services and processes.
- Deletes shadow copies and empties the recycle bin.
- Prioritizes network share encryption if the `--sf` flag is set.
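The file-level artifacts described in this section (the `.Charon` extension, the 72-byte footer and the appended infection marker) give incident responders something concrete to sweep for. The script below is an added example written for this page, not code from Trend Micro or the report: it walks a directory tree and reports every file that carries the extension, ends with the marker string, or is named like the ransom note. Because the report does not state whether the marker sits before or after the footer, the scanner searches the final 104 bytes (footer plus marker) rather than assuming a fixed offset, and it does not try to parse the footer's key material. The sample files are constructed inside a temporary directory so the script runs offline; it also serves the "audit for Charon IOCs" takeaway later on the page.

```python
"""Sweep a directory tree for Charon file-level IOCs.

Added example, not from the Trend Micro write-up. The sample tree is
constructed here; the IOC strings themselves come from the public report.
"""
import os
import tempfile
from pathlib import Path

MARKER = b"hCharon is enter to the urworld!"      # 32-byte marker from the report
EXTENSION = ".Charon"                             # appended to encrypted files
NOTE_NAME = "How To Restore Your Files.txt"       # ransom note file name
FOOTER_LEN = 72                                   # metadata footer size per report

# Order of marker vs. footer is not documented, so inspect enough tail bytes
# to catch the marker on either side of the footer.
TAIL_LEN = FOOTER_LEN + len(MARKER)


def has_trailing_marker(path) -> bool:
    """True if the infection marker appears in the last TAIL_LEN bytes."""
    size = os.path.getsize(path)
    if size < len(MARKER):
        return False
    with open(path, "rb") as fh:
        fh.seek(size - min(size, TAIL_LEN))
        return MARKER in fh.read()


def scan_tree(root) -> dict:
    """Return {posix_relative_path: [matched IOC names]} for each hit."""
    root = Path(root)
    hits = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        iocs = []
        if p.suffix == EXTENSION:
            iocs.append("extension")
        if has_trailing_marker(p):
            iocs.append("marker")
        if p.name == NOTE_NAME:
            iocs.append("note")
        if iocs:
            hits[p.relative_to(root).as_posix()] = iocs
    return hits


def build_sample_tree() -> str:
    """Create a constructed directory tree with hits and non-hits; returns its path."""
    root = tempfile.mkdtemp(prefix="charon-ioc-demo-")
    samples = {
        # extension + marker at the very end of the file
        "finance/report.xlsx.Charon": b"\x9a\x11ciphertext\x00" * 4 + MARKER,
        # marker followed by a 72-byte footer, original name kept (partial run)
        "hr/notes.docx": b"plain text body" + MARKER + b"\x00" * FOOTER_LEN,
        # extension only, no marker
        "shares/budget.pdf.Charon": b"\x41" * 200,
        # ransom note dropped in the root
        NOTE_NAME: b"Your files have been encrypted.",
        # untouched file
        "clean.txt": b"hello world",
    }
    for rel, data in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel_path, iocs in sorted(scan_tree(demo_root).items()):
        print(f"{rel_path}: {', '.join(iocs)}")
```

Point `scan_tree` at a mounted share or a forensic image instead of the demo tree to triage real systems; reading only the tail of each file keeps the sweep fast even over large network shares, which matters because the page notes Charon prioritizes those when `--sf` is set.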
Targeted Ransom Demands
Unlike opportunistic ransomware, Charon’s ransom notes reference victims by name, reflecting customized extortion. This approach, coupled with its targeted sector choice, suggests detailed reconnaissance before deployment.
“We are witnessing ransomware operators close the gap with nation-state actors in terms of sophistication,” said Don Ovid Ladores, malware analyst at Trend Micro. “This demands a rethink of enterprise defense priorities.”
MEA and Global Context
Regional Impact
The confirmed targeting of Middle Eastern public sector and aviation raises concern for other critical industries in the region. Many MEA nations depend on OT and IT systems susceptible to DLL sideloading and share-based propagation.
Global Trends
Globally, ransomware operators are increasingly borrowing APT TTPs — a shift that:
- Complicates attribution.
- Increases stealth and dwell time.
- Elevates operational disruption risk across critical infrastructure sectors.
MITRE ATT&CK Mapping (Observed TTPs)
Technique ID | Name | Use in Charon |
---|---|---|
T1574.002 | Hijack Execution Flow: DLL Side-Loading | Initial payload loading via Edge.exe |
T1055.001 | Process Injection: svchost.exe | Ransomware execution masquerading as legitimate process |
T1486 | Data Encrypted for Impact | Encryption of local and network files |
T1562.001 | Impair Defenses: Disable or Modify Tools | Stops AV/EDR processes and services |
T1070.004 | File Deletion: Shadow Copy Deletion | Removes recovery points |
T1021.002 | Remote Services: SMB/Windows Admin Shares | Lateral movement via network share enumeration |
Actionable Takeaways for Defenders
- Restrict DLL loading paths — prevent unsigned DLLs from running alongside trusted binaries.
- Monitor process spawning patterns — flag signed binaries launching unusual DLLs or `svchost.exe` instances.
- Segment networks — limit access to sensitive shares and disable ADMIN$ unless strictly necessary.
- Harden EDR protections — ensure tamper protection is enabled against service and process termination.
- Implement offline/immutable backups — safeguard against shadow copy deletion.
- Limit privileges — enforce least privilege for both users and service accounts.
- Train staff — enhance security awareness on phishing, malicious attachments, and suspicious downloads.
- Audit for Charon IOCs — including the `.Charon` extension and the “hCharon is enter to the urworld!” file marker.
- Enable PowerShell and driver-level logging to detect sideloading or driver drop attempts.
- Review vendor threat feeds — leverage platforms like Trend Vision One™ for up-to-date threat intelligence.
Conclusion
The Charon ransomware campaign underscores a dangerous evolution: APT-level tactics in financially motivated ransomware. By blending Earth Baxia-style sideloading with targeted extortion, Charon raises both the stealth and impact of attacks. Organizations — especially in high-value sectors like aviation and public services — must adapt with layered defenses, proactive threat hunting, and incident readiness. The convergence of nation-state techniques with cybercrime motives makes resilience, not just prevention, the new baseline for enterprise cybersecurity.