Charon’s customized ransom note | Image: Trend Micro
Trend Research has identified a new ransomware family named Charon, targeting the Middle East’s public sector and aviation industry with a blend of APT-grade tactics and customized ransom demands. The campaign showcases DLL sideloading, process injection, and anti-EDR capabilities—hallmarks of advanced persistent threat operations—deployed in service of high-impact ransomware attacks.
“This recently identified ransomware campaign poses a significant business risk, leading to potential operational disruptions, data loss, and financial costs tied to downtime,” the report states.
The intrusion begins with the execution of Edge.exe, a legitimate browser-related binary whose original file name is cookie_exporter.exe. Because the renamed binary resolves msedge.dll from its own directory, the attackers place a malicious DLL of that name beside it; this sideloaded DLL, nicknamed SWORDLDR, decrypts and deploys the ransomware payload.
Trend researchers note that this method mirrors techniques observed in past Earth Baxia campaigns, although attribution remains inconclusive:
“We observe technical overlap… but we cannot definitively attribute this attack to Earth Baxia.”
A critical link in the chain is a seemingly benign file, DumpStack.log, which actually contains encrypted shellcode. Decrypting its two layers reveals the final Charon ransomware executable.
Charon’s capabilities extend well beyond basic file encryption. Once active, it:
- Accepts command-line arguments to control debug logging, target network shares, or prioritize encryption order.
- Stops security services, terminates active security processes, and deletes shadow copies to cripple recovery efforts.
- Encrypts both local and networked data, skipping only critical executables, its own files, and ransom notes.
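Two of the behaviours described so far are hunt-able from ordinary endpoint telemetry: a renamed browser binary loading msedge.dll from an untrusted directory (the SWORDLDR sideload), and shadow-copy deletion or service stopping ahead of encryption. The script below is an added example, not Trend Micro's detection logic or anything recovered from the sample. Its event records are constructed Sysmon-style fields (Event ID 7 image loads, Event ID 1 process creations); the trusted Edge install paths and the command-line patterns are assumptions, since the article does not say which commands Charon runs or where Edge.exe was dropped.

```python
"""Hunting checks for msedge.dll sideloading and recovery inhibition.
Added example with constructed events; not Trend Micro's or Charon's code."""
from __future__ import annotations

import ntpath
import re

# Assumption: the only directories a genuine msedge.dll should be loaded from.
TRUSTED_EDGE_DIRS = (
    r"c:\program files\microsoft\edge\application",
    r"c:\program files (x86)\microsoft\edge\application",
)

# Assumption: common ways ransomware deletes shadow copies or stops services.
# The article says Charon does both but not how; tune the service-stop rule
# with your own list of security service names to cut noise.
RECOVERY_INHIBIT_PATTERNS = (
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell shadow removal", re.compile(r"win32_shadowcopy.*\b(delete|remove)\b", re.I)),
    ("service stop", re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+\S+", re.I)),
)


def flag_sideload(event: dict) -> str | None:
    """Return a reason string if an image-load record looks like msedge.dll sideloading."""
    dll = event["ImageLoaded"]
    if ntpath.basename(dll).lower() != "msedge.dll":
        return None
    dll_dir = ntpath.dirname(dll).lower()
    if dll_dir.rstrip("\\") in TRUSTED_EDGE_DIRS:
        return None  # loaded from where the real browser lives
    reasons = [f"msedge.dll loaded from untrusted directory {dll_dir}"]
    if ntpath.dirname(event["Image"]).lower() == dll_dir:
        reasons.append("DLL sits beside the loading executable (classic sideload layout)")
    if event.get("Signed", "").lower() != "true":
        reasons.append("DLL is not signed")
    return "; ".join(reasons)


def flag_recovery_inhibition(event: dict) -> list[str]:
    """Return the names of every shadow-copy or service-stop pattern in a command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RECOVERY_INHIBIT_PATTERNS if rx.search(cmd)]


# Constructed sample telemetry: one benign and one suspicious record of each kind.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\Public\Libraries\Edge.exe",          # hypothetical drop path
     "ImageLoaded": r"C:\Users\Public\Libraries\msedge.dll",
     "Signed": "false"},
]
SAMPLE_PROCESS_CREATES = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net stop SomeSecurityService /y"},       # hypothetical service name
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
]


def hunt(image_loads: list[dict], process_creates: list[dict]) -> list[str]:
    """Run both checks over the telemetry and return one finding line per hit."""
    findings = []
    for ev in image_loads:
        reason = flag_sideload(ev)
        if reason:
            findings.append(f"[sideload] {ev['Image']}: {reason}")
    for ev in process_creates:
        for name in flag_recovery_inhibition(ev):
            findings.append(f"[recovery-inhibition] {ev['CommandLine']}: {name}")
    return findings


if __name__ == "__main__":
    for line in hunt(SAMPLE_IMAGE_LOADS, SAMPLE_PROCESS_CREATES):
        print(line)
```

Run on the constructed records it reports the unsigned msedge.dll beside Edge.exe, the vssadmin shadow deletion and the service stop, and stays quiet on the genuine browser load and on notepad. The sideload check is deliberately keyed on directory rather than file name, because the whole point of the technique is that the DLL name is the expected one.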
The ransomware applies a hybrid cryptographic scheme, Curve25519 for key exchange and ChaCha20 for data encryption, paired with partial encryption logic that trades completeness for speed: encrypting only part of each file is enough to render it unusable while shortening the window in which defenders can react. The point of the asymmetric exchange is that file keys are derived from the operator's public key and cannot be recovered from the infected host without the matching private key. Encrypted files receive the .Charon extension and a unique infection marker:
“hCharon is enter to the urworld!”
Charon’s ransom note is not generic: it is tailored to the victim, referencing the organization by name and demanding payment for decryption. This personalization points to a targeted operation rather than an opportunistic, spray-and-pray ransomware campaign.
The ransomware also demonstrates network propagation, actively scanning for and encrypting accessible network shares via Windows APIs like NetShareEnum and WNetEnumResource.
Trend’s analysis uncovered an embedded anti-EDR driver compiled from the public Dark-Kill project, designed to disable endpoint detection. In this sample, the feature was present but dormant—suggesting future variants may activate it.
This aligns with a broader trend noted by Trend researchers:
“The adoption of APT-level techniques by ransomware operators… poses an elevated risk to organizations, combining sophisticated evasion techniques with the immediate business impact of ransomware encryption.”