Charon
Charon is a newly documented ransomware family first observed in the wild by Trend Micro in a targeted campaign against organizations in the Middle East, specifically in the public sector and aviation industry. Reporting describes it as a highly targeted operation, with customized ransom notes that explicitly name victim organizations.
Charon employs advanced tradecraft more commonly associated with APT operations, including DLL sideloading, process injection, anti-EDR capabilities, and multistage encrypted payload delivery. In the observed attack chain, a legitimate binary named Edge.exe (originally cookie_exporter.exe) was used to sideload a malicious msedge.dll identified as SWORDLDR. That DLL decrypted an embedded ransomware payload and injected it into a newly spawned svchost.exe process to masquerade as a legitimate Windows service. Researchers also observed use of DumpStack.log as part of a multistage payload extraction flow; the file contained encrypted shellcode used to deliver the ransomware, with an additional intermediate encryption layer.
The malware is described as performing disruptive actions such as disabling security services and deleting backups, and Trend Micro warned that its tactics can compromise both local and networked data. The combination of ransomware objectives with APT-style evasion and execution techniques increases operational disruption, data loss, downtime, and financial recovery costs for victims.
Researchers identified technical overlaps between the Charon campaign and activity associated with Earth Baxia, also tracked as APT41, Wicked Panda, and Grass Typhoon. However, definitive attribution was not established; Trend Micro stated the overlap could indicate direct involvement, deliberate imitation, or independent development of similar tactics.
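The attack chain described above (Edge.exe sideloading msedge.dll, injection into a freshly spawned svchost.exe, and the DumpStack.log staging file) leaves three detectable footprints in endpoint telemetry. The following Python is an added example of detection logic over constructed, Sysmon-style event records; it is not code from Trend Micro or Mallory, the event field names and the sample paths are assumptions, and the Edge install directories are an allowlist you would tune to your own estate.

```python
import ntpath

# Constructed sample events in a simplified Sysmon-like shape; not real telemetry
# and not indicators from the Trend Micro report.
SAMPLE_EVENTS = [
    {"event": "image_load", "process": r"C:\Users\alice\Downloads\Edge.exe",
     "image": r"C:\Users\alice\Downloads\msedge.dll", "signed": False},
    {"event": "image_load", "process": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\1.0.0.0\msedge.dll", "signed": True},
    {"event": "process_create", "process": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Users\alice\Downloads\Edge.exe"},
    {"event": "process_create", "process": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"event": "file_create", "process": r"C:\Users\alice\Downloads\Edge.exe",
     "target": r"C:\Users\alice\Downloads\DumpStack.log"},
]
# Where genuine Edge binaries and DLLs live (assumed; tune for your estate).
EDGE_INSTALL_DIRS = (r"c:\program files\microsoft\edge\application",
                     r"c:\program files (x86)\microsoft\edge\application")

def _base(path): return ntpath.basename(path).lower()
def _dir(path): return ntpath.dirname(path).lower()

def check_event(ev):
    """Return the names of the rules this single event triggers (empty if benign)."""
    hits = []
    if ev["event"] == "image_load" and _base(ev["image"]) == "msedge.dll":
        # A genuine msedge.dll is signed and sits under the Edge install tree;
        # an unsigned copy loaded from elsewhere is the sideloading pattern.
        in_install = any(_dir(ev["image"]).startswith(d) for d in EDGE_INSTALL_DIRS)
        if not in_install or not ev.get("signed", False):
            hits.append("msedge_dll_sideload")
    if ev["event"] == "process_create" and _base(ev["process"]) == "svchost.exe":
        # Legitimate svchost.exe instances are started by services.exe.
        if _base(ev["parent"]) != "services.exe":
            hits.append("svchost_unexpected_parent")
    if ev["event"] == "file_create" and _base(ev["target"]) == "dumpstack.log":
        # The real DumpStack.log is written by the OS, not by a user-mode program
        # running from a user-writable directory.
        if not _dir(ev["process"]).startswith(r"c:\windows"):
            hits.append("dumpstack_log_from_user_process")
    return hits

def scan(events):
    """Group the events by the rule they triggered."""
    findings = {}
    for ev in events:
        for rule in check_event(ev):
            findings.setdefault(rule, []).append(ev)
    return findings
```

The svchost.exe parent rule will need an allowlist beyond services.exe in some environments, so treat a hit from it as a pivot point to be correlated with the other two rules rather than a verdict on its own.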
Groups observed using it
3 distinct threat actors attributed by public researchers.
Charon is a new ransomware family ... Trend Micro observed it being deployed in a targeted attack in the Middle East's public sector and aviation industry — the first such record of Charon observed in the wild.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
The ransomware leverages techniques such as DLL sideloading, process injection, and anti-EDR capabilities... "The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload."
Privilege Escalation
1 technique
That DLL is then responsible for decrypting the embedded ransomware payload and injecting it into a newly spawned svchost.exe process. "This technique allows the malware to masquerade as a legitimate Windows service, bypassing usual endpoint security controls," the researchers observed.
Stealth
4 techniques
Charon also uses a multistage payload extraction technique via what appears to be a benign log file, DumpStack.log. Upon closer inspection however, this turns out to be an encrypted shellcode responsible for delivering the ransomware payload... Further analysis also revealed a second layer of encryption within the intermediate payload.
Other
1 technique
The ransomware leverages techniques such as DLL sideloading, process injection, and anti-EDR capabilities... Further defense tactics that organizations can adopt to combat advanced ransomware tactics include ensuring that EDR and antivirus agents are running with capabilities that prevent malware from disabling, tampering with, or uninstalling the security solutions.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Ransomware targeting Middle East public sector and aviation; uses APT-like evasion (DLL sideloading, process injection) (per summary).
CHARON is a ransomware family that uses advanced evasion techniques such as DLL sideloading and process injection. It targets public sector and aviation organizations in the Middle East, disables security services, deletes backups, and customizes ransom notes for each victim. It shows technical overlap with the China-linked Earth Baxia group.
Ransomware using advanced persistent threat (APT) techniques to target enterprises in the Middle East.
Ransomware used in targeted attacks, particularly against the Middle East's public sector and aviation industry, with advanced APT-style techniques.