Pierluigi Paganini
August 13, 2025
Cybersecurity researchers have discovered a new campaign that employs a previously undocumented ransomware family called Charon to target the Middle East’s public sector and aviation industry.
The threat actor behind the activity, according to Trend Micro, exhibited tactics mirroring those of advanced persistent threat (APT) groups, such as DLL side-loading, process injection, and the ability to evade endpoint detection and response (EDR) software.
Trend Micro researchers uncovered Charon, a new ransomware targeting the Middle East’s public sector and aviation industry, using advanced persistent threat (APT)-style tactics like DLL side-loading, process injection, and EDR evasion.
The experts found similarities with techniques used by China-linked Earth Baxia operations but could also be a false flag or copycat. Charon uses partial encryption, disables security tools via BYOVD, and issues victim-specific ransom notes, suggesting targeted attacks.
The campaign highlights the growing convergence of APT methods with ransomware, increasing risks to organizations.
“We recently identified a new ransomware family called Charon, deployed in a targeted attack observed in the Middle East’s public sector and aviation industry. The threat actor employed a DLL sideloading technique notably similar to tactics previously documented in the Earth Baxia campaigns, which have historically targeted government sectors.” reads the report published by Trend Micro. “The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload.”
The Charon ransomware attack used DLL sideloading via a legitimate Edge.exe to load a malicious msedge.dll (“SWORDLDR”), which decrypted and injected the ransomware into svchost.exe to evade detection. A multistage payload extraction involved DumpStack.log, hiding encrypted shellcode that unpacked further layers until the final ransomware executable was obtained. This layered encryption and process injection allowed Charon to masquerade as a legitimate Windows service while encrypting files and creating ransom notes.
The fully deobfuscated Charon ransomware shows advanced encryption and operational capabilities. It accepts command-line arguments to log errors, target specific network shares or paths, and change encryption order. It creates a mutex (“OopsCharonHere”), and disables security tools The ransomware uses a driver compiled from the open-source Dark-Kill project designed to disable endpoint detection and response solutions.
The ransomware deletes backups and Recycle Bin contents to maximize disruption. The malicious code uses multithreading to speed up the encryption process. Files are partially encrypted with Curve25519 + ChaCha20, avoiding certain extensions, and marked with “.Charon” plus an infection tag.
The malware spreads via network shares, drops victim-specific ransom notes, and contains a dormant Dark-Kill–based EDR-disabling driver, suggesting ongoing development.
“Beyond its core encryption functionality, Charon also exhibits several other notable behaviors. It demonstrates network propagation capabilities, actively scanning for and encrypting accessible network shares across the infrastructure via NetShareEnum and WNetEnumResource.” continues the post. “It processes both mapped drives and Universal Naming Convention (UNC) paths, although it skips ADMIN$ shares during enumeration to avoid detection.”
Another notable aspect of the ransomware is the use of a driver compiled from the open-source Dark-Kill project to disable EDR solutions by means of what’s called a bring your own vulnerable driver (BYOVD) attack. However, this functionality is never triggered during the execution, suggesting that the feature is likely under development.
The experts speculate the campaign was targeted, as shown by a ransom note naming the victim organization, an uncommon tactic in typical ransomware attacks.
“Without corroborating evidence such as shared infrastructure or consistent targeting patterns, we assess this attack demonstrates limited but notable technical convergence with known Earth Baxia operations.” concludes the report. “This case exemplifies a concerning trend: the adoption of APT-level techniques by ransomware operators. “
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Charon ransomware)
