Charon Ransomware Emerges With APT-Style Tactics - Dark Reading
The first documented deployment of the novel malware in a campaign against the Middle Eastern public sector and aviation industry may be tied to China's state-sponsored actor Earth Baxia.

Elizabeth Montalbano, Contributing Writer
August 12, 2025

An emerging ransomware actor is using sophisticated techniques in the style of an advanced persistent threat (APT) group to target organizations with customized ransom demands, posing a significant risk to businesses.

Charon is a new ransomware family (named for the ferryman from Greek mythology who carried souls across the River Styx to Hades). Trend Micro observed it being deployed in a targeted attack on the Middle East's public sector and aviation industry, the first record of Charon seen in the wild, according to new research from the firm.

The ransomware leverages techniques such as DLL sideloading, process injection, and anti-EDR capabilities, which are typically the hallmark of advanced threat actors and, in this case, are reminiscent of campaigns by the group Earth Baxia, according to a Trend Micro blog post published today.

"The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload," Trend Micro threat researchers wrote in the post.

Charon Ransomware's Potential Link to China-Backed Actor

Researchers observed techniques in the campaign that overlapped with those of Earth Baxia, an APT group also tracked as APT41, Wicked Panda, and Grass Typhoon, and one of several APTs working at the behest of the People's Republic of China (PRC). However, the attack also featured a custom ransom note that referenced the victim organization by name, which calls this potential connection into question, the researchers noted.

"While we observe technical overlap — particularly the specific toolchain of using the same binary with a DLL to deploy encrypted shellcode — we cannot definitively attribute this attack to Earth Baxia," the researchers wrote. "The techniques could represent either direct involvement, deliberate imitation, or independent development of similar tactics."

Attribution aside, the arrival of Charon and its advanced tactics and techniques on the ransomware scene represents "a significant business risk, leading to potential operational disruptions, data loss, and financial costs tied to downtime," they added. "The ransomware operator's tactics can compromise both local and networked data, hampering recovery efforts," they wrote.

Charon's Malware Attack Chain

Charon's attack chain demonstrates a threat actor who knows how to move evasively and efficiently around a network. One notable tactic is the use of DLL sideloading to execute the Charon ransomware payload, the researchers observed.

"While DLL sideloading is not unique to any single group, the specific implementation observed here — matching toolchains and encrypted payload delivery — represents a sophistication typically associated with advanced persistent threats," they wrote.

The execution chain begins with the legitimate, signed Edge.exe binary (the renamed cookie_exporter.exe) being run; because it resolves msedge.dll from its own directory, the attacker's DLL placed beside it is loaded instead. That DLL decrypts the embedded ransomware payload and injects it into a newly spawned svchost.exe process. "This technique allows the malware to masquerade as a legitimate Windows service, bypassing usual endpoint security controls," the researchers observed.

Charon also uses a multistage payload extraction technique built around what appears to be a benign log file, DumpStack.log. On closer inspection, the file is encrypted shellcode responsible for delivering the ransomware payload, the researchers noted. Further analysis revealed a second layer of encryption within the intermediate payload.

Keeping Advanced Ransomware Actors at Bay

All in all, Charon's attack flow points to "a concerning trend": "the adoption of APT-level techniques by ransomware operators," according to Trend Micro. This convergence of APT tactics with ransomware operations poses "an elevated risk to organizations, combining sophisticated evasion techniques with the immediate business impact of ransomware encryption," the researchers wrote.

Given the actor's "blend of stealth, speed, and evasiveness" in an already dangerous threat landscape, in which new ransomware actors emerge as soon as others are disrupted, Trend Micro recommends that organizations take a multilayered approach to defense, especially against the specific DLL sideloading tactic observed in this attack.

Tactics to counter this hallmark of the actor include hardening against DLL sideloading and process injection by limiting which executables can run and load DLLs, especially in directories commonly abused for sideloading. Those include application folders and temporary locations, the researchers noted.

Defenders should also create alerts for suspicious process chains, such as Edge.exe or other signed binaries loading nonstandard DLLs or spawning svchost.exe instances.
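The two detection points the article describes (a signed binary such as Edge.exe spawning svchost.exe, and an unsigned DLL sitting beside a legitimate binary and being loaded from there) are worked below as an added example. This is not code from Trend Micro or Dark Reading; the event shape is loosely modelled on Sysmon process-create and image-load events, the field names are this example's own, and the C:\Users\Public location is an assumption, since the report gives no file paths. The events are constructed for the example.

```python
"""Two detection rules for the Charon-style sideload chain: a signed loader
(Edge.exe, the renamed cookie_exporter.exe) loading an unsigned msedge.dll from
its own directory, then spawning svchost.exe as an injection target.

All events below are CONSTRUCTED for this example. They are loosely shaped like
Sysmon Event ID 1 (process create) and Event ID 7 (image load); the field names
and the C:\\Users\\Public location are assumptions, not data from the report.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional

WINDOWS_DIR = r"c:\windows"  # loads from here are not treated as sideloads


@dataclass
class Alert:
    rule: str
    detail: str


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so comparisons work on any OS."""
    return ntpath.normcase(ntpath.normpath(path))


def _under_windows_dir(directory: str) -> bool:
    """True for c:\\windows itself or anything beneath it (not c:\\windowsfoo)."""
    return directory == WINDOWS_DIR or directory.startswith(WINDOWS_DIR + "\\")


def unexpected_svchost_parent(ev: Dict) -> Optional[Alert]:
    """Rule 1: svchost.exe is normally started by services.exe. Any other parent
    (here, the renamed cookie_exporter.exe) matches the injection-target pattern."""
    if ev["id"] != 1:
        return None
    child = ntpath.basename(_norm(ev["image"]))
    parent = ntpath.basename(_norm(ev["parent"]))
    if child == "svchost.exe" and parent != "services.exe":
        return Alert("svchost-unexpected-parent", f"{ev['parent']} spawned {ev['image']}")
    return None


def unsigned_dll_beside_loader(ev: Dict) -> Optional[Alert]:
    """Rule 2: an unsigned DLL loaded from the same directory as the loading
    executable, outside C:\\Windows. This is the 'DLL placed next to a legitimate
    binary' pattern (msedge.dll dropped beside Edge.exe)."""
    if ev["id"] != 7 or ev["signed"]:
        return None
    loader_dir = ntpath.dirname(_norm(ev["image"]))
    dll_dir = ntpath.dirname(_norm(ev["loaded"]))
    if dll_dir == loader_dir and not _under_windows_dir(dll_dir):
        return Alert("unsigned-dll-beside-loader", f"{ev['image']} loaded {ev['loaded']}")
    return None


RULES = (unexpected_svchost_parent, unsigned_dll_beside_loader)


def scan(events: List[Dict]) -> List[Alert]:
    """Run every rule over every event, preserving event order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: three benign events, then the two-step chain.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"id": 7, "image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"id": 7, "image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "loaded": r"C:\Program Files\Microsoft\Edge\Application\msedge.dll", "signed": True},
    # assumed drop location: signed Edge.exe loads an unsigned msedge.dll beside it
    {"id": 7, "image": r"C:\Users\Public\Edge.exe",
     "loaded": r"C:\Users\Public\msedge.dll", "signed": False},
    # the sideloaded DLL then spawns svchost.exe for injection
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Users\Public\Edge.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Rule 1 is deliberately broad: it fires on any svchost.exe without a services.exe parent, so in production expect to allow-list the few legitimate exceptions seen in your own telemetry. Rule 2 is scoped to unsigned DLLs in the loader's own directory outside C:\Windows; third-party software often ships unsigned DLLs in its application folder, so a tighter variant restricts the rule to Microsoft-signed loaders, which is exactly the case here.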
Defenders should also watch for unsigned or suspicious DLLs placed next to legitimate binaries, according to Trend Micro.

Further defensive measures against advanced ransomware tradecraft include ensuring that EDR and antivirus agents run with anti-tampering protections that prevent malware from disabling, tampering with, or uninstalling them, and limiting lateral movement by restricting access between workstations, servers, and sensitive shares.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.