Researchers have identified a new campaign leveraging a previously unknown ransomware strain dubbed Charon, targeting the Middle East’s public sector and aviation industry. According to Trend Micro, the threat actor demonstrated tactics commonly associated with advanced persistent threat (APT) groups, including DLL side-loading, process injection and techniques to bypass endpoint detection and response (EDR) solutions. The attack starts with a legitimate browser binary loading a malicious DLL, which deploys the ransomware, with additional obfuscation via encrypted shellcode. Encrypted files receive the .Charon extension and a distinctive marker, while tailored ransom notes are issued for each victim.
A newly discovered ransomware variant, Charon, has emerged as a serious cyber threat, specifically targeting the Middle East’s public sector and aviation industry. This campaign combines advanced persistent threat (APT)-level techniques with tailored ransom demands, raising the stakes well beyond typical ransomware operations. Its methods, spanning DLL sideloading, process injection, and sophisticated EDR evasion, reflect a high level of skill and a clear intent to cause extensive operational disruption. Such attacks carry the potential for severe consequences, including extended downtime, significant financial losses, and irreversible data destruction.
The intrusion sequence starts with the execution of a legitimate browser-related binary, Edge.exe, originally named cookie_exporter.exe. Attackers exploit this trusted file to sideload a malicious DLL, msedge.dll (tracked by the researchers as SWORDLDR). Once executed, this DLL decrypts and launches the final ransomware payload.
This sideloading technique shares technical traits with past Earth Baxia operations, though researchers have not confirmed any direct link. To further mask their activity, the threat actors employ a seemingly benign file, DumpStack.log, which in reality hides encrypted shellcode. By decrypting two successive layers of this shellcode, the attackers ultimately extract and execute the Charon ransomware binary.
Operators of the Charon ransomware, which tags encrypted files with the .Charon extension, employ tactics typically associated with nation-state threat actors. Unlike opportunistic cybercriminals, Charon’s operators deliberately select their targets, according to Trend Micro. The ransomware’s name draws from Greek mythology, where Charon ferries souls across the river to the underworld.
Regardless of attribution, Trend Micro warns that Charon’s delivery methods exemplify how tools once exclusive to nation-state groups are now in the hands of ransomware operators, meaning even well-protected networks remain vulnerable. Other researchers have also noted growing collaboration between nation-state actors and ransomware groups, with the latter sometimes acting as a cover for cyber-espionage operations.
Technically, Charon leverages a blended encryption strategy, utilizing Curve25519 for secure key exchange and ChaCha20 for encrypting files. To boost both speed and efficiency, it employs partial encryption methods. Compromised files are appended with the .Charon extension and embedded with a distinctive marker, “hCharon is enter to the urworld!”, which serves as a clear indicator of infection. The ransom note is uniquely crafted for each victim, explicitly naming the affected organization and specifying a tailored payment demand. This level of customization highlights the operation’s deliberate, targeted nature, setting it apart from random, opportunistic ransomware campaigns.
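The on-disk indicators named in the delivery chain (Edge.exe, msedge.dll and DumpStack.log dropped together) and in the encryption description (the .Charon extension and the marker string) can be turned into a simple defender-side hunt. The script below is an added example written for this write-up, not code from Trend Micro or from the campaign; it builds a small constructed directory layout in a temporary folder and scans it. Two heuristics are assumptions of this example rather than statements from the report: that all three sideload filenames sitting in one directory is enough to raise a finding, and that reading at most 64 MiB per file is sufficient to locate the marker.

```python
"""Hunt a directory tree for the Charon indicators described in the write-up.

Indicators taken from the text: the .Charon extension, the marker string found
in encrypted files, and the sideloading trio Edge.exe + msedge.dll +
DumpStack.log. Paths, sample bytes and the co-location heuristic are
constructed for this example.
"""
from __future__ import annotations

import tempfile
from dataclasses import dataclass
from pathlib import Path

CHARON_EXT = ".charon"  # compared case-insensitively (NTFS is case-insensitive)
CHARON_MARKER = b"hCharon is enter to the urworld!"
# Assumption: the three files named in the delivery chain appearing together
# in one directory is treated as a staging-folder signal.
SIDELOAD_TRIO = frozenset({"edge.exe", "msedge.dll", "dumpstack.log"})
MAX_READ = 64 * 1024 * 1024  # assumption: cap bytes read per file


@dataclass(frozen=True)
class Finding:
    path: str
    indicator: str


def file_has_marker(path: Path) -> bool:
    """True if the marker string appears in the first MAX_READ bytes."""
    try:
        with path.open("rb") as fh:
            data = fh.read(MAX_READ)
    except OSError:
        return False  # unreadable files are skipped, not treated as hits
    return CHARON_MARKER in data


def scan_file(path: Path) -> list[Finding]:
    """Report extension and marker hits for one file (a file may yield both)."""
    findings = []
    if path.suffix.lower() == CHARON_EXT:
        findings.append(Finding(str(path), "charon-extension"))
    if file_has_marker(path):
        findings.append(Finding(str(path), "charon-marker"))
    return findings


def scan_dir(directory: Path, names: set[str]) -> list[Finding]:
    """Flag a directory whose lower-cased filenames contain the sideload trio."""
    if SIDELOAD_TRIO <= names:
        return [Finding(str(directory), "sideload-trio")]
    return []


def scan_tree(root: Path) -> list[Finding]:
    """Walk root and every subdirectory, collecting all findings."""
    findings: list[Finding] = []
    dirs = [root, *sorted(p for p in root.rglob("*") if p.is_dir())]
    for directory in dirs:
        entries = sorted(p for p in directory.iterdir() if p.is_file())
        findings += scan_dir(directory, {p.name.lower() for p in entries})
        for p in entries:
            findings += scan_file(p)
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed layout: benign documents, one encrypted file with the
    marker appended, and a staging folder holding the sideload trio."""
    (root / "docs").mkdir()
    (root / "docs" / "budget.xlsx").write_bytes(b"PK\x03\x04 benign spreadsheet")
    (root / "docs" / "notes.txt").write_text("nothing to see here")
    (root / "docs" / "contract.pdf.Charon").write_bytes(
        b"\x9a\x11 constructed ciphertext " + CHARON_MARKER
    )
    (root / "staging").mkdir()
    for name in ("Edge.exe", "msedge.dll", "DumpStack.log"):
        (root / "staging" / name).write_bytes(b"placeholder bytes, not real content")


def demo() -> list[Finding]:
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.indicator:18} {f.path}")
```

On a real host the scan would be pointed at a suspect volume or a mounted backup snapshot instead of the constructed tree; the extension and marker checks are exact, while the trio check is a heuristic that should be reviewed before acting on it.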
Charon also demonstrates the ability to spread laterally across networks, probing for accessible shared resources by leveraging Windows APIs such as NetShareEnum and WNetEnumResource, then encrypting any files found. Further examination uncovered an integrated anti-EDR driver based on the publicly available Dark-Kill project, designed to neutralize endpoint detection tools. Although this capability was inactive in the analyzed sample, its inclusion suggests the potential for more aggressive and destructive variants in the future.
Conclusion:
The Charon ransomware campaign represents a highly targeted and sophisticated threat, blending advanced cryptographic methods, stealthy delivery techniques, and selective victim profiling. Its technical overlaps with known APT activity, combined with capabilities such as network propagation and anti-EDR mechanisms, underscore its potential for significant operational disruption. Even though some features observed in current samples remain dormant, their presence signals the likelihood of more destructive iterations ahead. This evolution highlights the growing convergence of nation-state-grade tactics with financially motivated ransomware operations, posing a serious risk even to well-defended organizations.
Charon ransomware has the potential to trigger extensive operational outages, halting critical services and disrupting essential workflows within targeted industries. Victims may suffer permanent data loss, incur substantial recovery expenses, and endure major financial setbacks from ransom demands and prolonged business interruptions. Its precision targeting and sophisticated evasion tactics further heighten the risk of enduring security vulnerabilities and lasting reputational damage.
https://www.trendmicro.com/en_fi/research/25/h/new-ransomware-charon.html