Mallory
Malware | Ransomware-related (shellcode loader used in a ransomware chain) | Used by 3 actors

SWORDLDR

SWORDLDR is a shellcode loader observed in campaigns that Trend Micro links to Earth Baxia, a China-linked threat actor, and also in the attack chain of the Charon ransomware. It is deployed as a malicious DLL in DLL side-loading schemes: in the reported Charon case, a legitimate executable renamed Edge.exe (originally cookie_exporter.exe) side-loads a malicious msedge.dll identified as SWORDLDR.

According to the reporting, SWORDLDR decrypts an embedded payload and injects it into a process chosen by its embedded configuration; in the Charon intrusion chain it decrypted the ransomware payload and injected it into a newly spawned svchost.exe process. SWORDLDR itself is a loader, not ransomware; the ransomware association on this page comes from its use in the Charon chain.

The malware has been associated with campaigns targeting government organizations and other entities in Asia-Pacific countries including Taiwan, South Korea, the Philippines, and Vietnam, and with a separate Charon ransomware campaign targeting public sector and aviation organizations in the Middle East. Reported tradecraft around its use includes DLL side-loading and process injection for evasion.

One SWORDLDR-related sample hash (SHA-256) reported by Trend Micro is db425ce989ff1e2046f5ebddf2472dca8c48ab987e632e66caabf86502bf3ef0.
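Hunt logic for the chain described above, as an added example that is not code from Trend Micro, Dark Reading or Mallory. It assumes Sysmon-style events (Event IDs 1, 7 and 8 with their usual field names) and the default Microsoft Edge install directories, and runs over constructed sample records rather than real telemetry. It correlates three weak signals into one strong one: an "Edge" binary loading msedge.dll from a non-Edge directory, that process spawning svchost.exe (which services.exe normally spawns), and a remote thread created in that child.

```python
"""Hunt logic for the reported SWORDLDR chain: a renamed cookie_exporter.exe
(Edge.exe) side-loads msedge.dll, spawns svchost.exe and injects into it.

Added example, not code from Trend Micro, Dark Reading or Mallory. Events are
shaped like Sysmon Event IDs 1 (ProcessCreate), 7 (ImageLoad) and
8 (CreateRemoteThread); the records in SAMPLE_EVENTS are constructed."""
import ntpath
from collections import defaultdict

# Assumption: default Microsoft Edge install directories. A genuine msedge.dll
# lives here; one loaded from anywhere else by an "Edge" binary is a side-load.
LEGIT_EDGE_DIRS = {
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
}

# Constructed sample telemetry: one SWORDLDR-style chain (PID 4120 -> 5008)
# plus a benign Edge start and a benign services.exe-spawned svchost.exe.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 1200,
     "Image": r"C:\Users\Public\Edge.exe", "OriginalFileName": "cookie_exporter.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Users\Public\Edge.exe",
     "ImageLoaded": r"C:\Users\Public\msedge.dll", "Signed": "false"},
    {"EventID": 1, "ProcessId": 5008, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "ParentImage": r"C:\Users\Public\Edge.exe"},
    {"EventID": 8, "SourceProcessId": 4120, "SourceImage": r"C:\Users\Public\Edge.exe",
     "TargetProcessId": 5008, "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "ProcessId": 6000, "ParentProcessId": 1200,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 6000,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll",
     "Signed": "true"},
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 800,
     "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def sideload_pids(events):
    """PIDs that loaded a file named msedge.dll from outside the Edge install dir."""
    return {e["ProcessId"] for e in events
            if e["EventID"] == 7 and _base(e["ImageLoaded"]) == "msedge.dll"
            and _dir(e["ImageLoaded"]) not in LEGIT_EDGE_DIRS}


def renamed_pids(events):
    """PIDs whose on-disk name differs from the PE OriginalFileName
    (Edge.exe carrying OriginalFileName cookie_exporter.exe). Weak on its own."""
    return {e["ProcessId"] for e in events
            if e["EventID"] == 1 and e.get("OriginalFileName")
            and e["OriginalFileName"].lower() != _base(e["Image"])}


def odd_svchost_children(events):
    """parent PID -> set of svchost.exe child PIDs not spawned by services.exe."""
    out = defaultdict(set)
    for e in events:
        if (e["EventID"] == 1 and _base(e["Image"]) == "svchost.exe"
                and _base(e["ParentImage"]) != "services.exe"):
            out[e["ParentProcessId"]].add(e["ProcessId"])
    return out


def remote_threads(events):
    """(source PID, target PID) pairs from CreateRemoteThread events."""
    return {(e["SourceProcessId"], e["TargetProcessId"])
            for e in events if e["EventID"] == 8}


def hunt_swordldr_chain(events):
    """Loader PIDs that side-loaded msedge.dll, spawned svchost.exe and then
    created a remote thread in that child. Each stage alone is noisy; the
    correlated chain matches the reported decrypt-and-inject-into-svchost step."""
    children = odd_svchost_children(events)
    threads = remote_threads(events)
    renamed = renamed_pids(events)
    hits = {}
    for pid in sideload_pids(events):
        injected = sorted(c for c in children.get(pid, ()) if (pid, c) in threads)
        if injected:
            hits[pid] = {"renamed_binary": pid in renamed, "injected_svchost": injected}
    return hits


if __name__ == "__main__":
    for pid, detail in hunt_swordldr_chain(SAMPLE_EVENTS).items():
        print(f"SWORDLDR-style chain from PID {pid}: {detail}")
```

Two caveats before pointing this at real data: Windows reuses PIDs, so on exported Sysmon events correlate on ProcessGuid rather than ProcessId, and Event ID 7 (image load) is only emitted when the Sysmon configuration enables it, so confirm that msedge.dll loads are actually being logged in your environment.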


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers: Earth Baxia, APT41, and Grass Typhoon. All three entries cite the same passage, via Dark Reading (darkreading.com):

"The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload."

Because the three attributions rest on one identical quotation, and that quotation names none of the three groups, treat them as a single sourced attribution rather than three independent ones.
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by tactic: T1574.001 and T1027. T1574.001 is listed under both groupings below. "Stealth" is this page's own grouping label; the corresponding ATT&CK tactic is Defense Evasion, and ATT&CK itself maps T1574 to Persistence, Privilege Escalation and Defense Evasion rather than Execution.

Execution

1 technique

T1574.001 Hijack Execution Flow: DLL (evidence: 1)

The ransomware leverages techniques such as DLL sideloading, process injection, and anti-EDR capabilities... "The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload."

Stealth

2 techniques

T1027 Obfuscated Files or Information (evidence: 1)

Charon also uses a multistage payload extraction technique via what appears to be a benign log file, DumpStack.log. Upon closer inspection however, this turns out to be an encrypted shellcode responsible for delivering the ransomware payload... Further analysis also revealed a second layer of encryption within the intermediate payload.

T1574.001 Hijack Execution Flow: DLL (evidence: 1)

Same evidence as under Execution above: "The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload."

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, all SHA-256 file hashes; the public page masks their values, and the latest sighting for each is given as 2 years ago. The only hash value visible on this page is the one reported by Trend Micro in the description above.

Hashes: 4 tracked (hash.sha256), each with latest sighting 2 years ago.