{
	"id": "7b385858-5002-460c-8642-d12f66a2a16c",
	"created_at": "2026-04-06T00:15:24.752871Z",
	"updated_at": "2026-04-10T13:11:54.727884Z",
	"deleted_at": null,
	"sha1_hash": "6b688d10c70383dd153c5584da97c1eba7a2b43a",
	"title": "New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1756319,
	"plain_text": "New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises\r\nBy Jacob Santos, Ted Lee, Ahmed Kamal, Don Ovid Ladores\r\nPublished: 2025-08-12 · Archived: 2026-04-05 22:30:56 UTC\r\nRansomware · Read time: 8 min (2154 words)\r\nWe uncovered a campaign that makes use of Charon, a new ransomware family, and advanced APT-style techniques to target organizations with customized ransom demands.\r\nKey Takeaways:\r\nTrend™ Research uncovered a campaign that makes use of Charon, a new ransomware family, and advanced APT-style techniques, including DLL sideloading, process injection, and anti-EDR capabilities, to target organizations with customized ransom demands.\r\nThis recently identified ransomware campaign poses a significant business risk, leading to potential operational disruptions, data loss, and financial costs tied to downtime. The ransomware operator’s tactics can compromise both local and networked data, hampering recovery efforts.\r\nTrend Vision One™ detects and blocks specific Charon ransomware-linked indicators of compromise (IOCs) highlighted in this blog. Customers can also access tailored hunting queries, threat insights, and intelligence reports to better understand and proactively defend against Charon.\r\nWe recently identified a new ransomware family called Charon, deployed in a targeted attack observed in the Middle East's public sector and aviation industry. The threat actor employed a DLL sideloading technique notably similar to tactics previously documented in the Earth Baxia campaigns, which have historically targeted government sectors. 
The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload.\r\nAnalysis of the msedge.dll component revealed it was designed to load a file named DumpStack.log, which was absent from our initial telemetry. Through forensic investigation, we recovered this missing file and confirmed it contained encrypted shellcode. Upon decryption, we identified the payload as Charon ransomware, marking the first documented instance of this ransomware family in the wild.\r\nThe ransomware's custom ransom note references the victim organization by name, confirming this was a targeted operation rather than an opportunistic campaign. This targeted approach, combined with the distinctive DLL sideloading methodology, raises questions about potential connections to Earth Baxia. While we observe technical overlap, in particular the same toolchain of a legitimate binary paired with a DLL that deploys encrypted shellcode, we cannot definitively attribute this attack to Earth Baxia. The techniques could represent direct involvement, deliberate imitation, or independent development of similar tactics. Without corroborating evidence such as shared infrastructure or consistent targeting patterns, we assess that this attack demonstrates limited but notable technical convergence with known Earth Baxia operations.\r\nThis case exemplifies a concerning trend: the adoption of APT-level techniques by ransomware operators. While DLL sideloading is not unique to any single group, the specific implementation observed here, with matching toolchains and encrypted payload delivery, represents a sophistication typically associated with advanced persistent threats. 
This convergence of APT tactics with ransomware operations poses an elevated risk to organizations, combining sophisticated evasion techniques with the immediate business impact of ransomware encryption.\r\nCharon ransomware attack chain\r\nThe attack chain observed in this incident uses DLL sideloading to facilitate the execution of the Charon ransomware payload. The threat actor initiates the intrusion by executing a legitimate Edge.exe binary, which is abused to sideload a malicious DLL named msedge.dll, also known as “SWORDLDR”. This loader is responsible for decrypting the embedded ransomware payload and injecting it into a newly spawned svchost.exe process. Running inside svchost.exe lets the payload masquerade as a legitimate Windows service host, which can bypass endpoint controls that trust that process name.\r\nCharon uses a multistage payload extraction technique. During our investigation, DumpStack.log was identified as a critical component of the attack chain. Although it initially appeared to be a benign log file, further analysis revealed that it contained encrypted shellcode responsible for delivering the ransomware payload. Decrypting the first layer revealed another payload. This intermediate layer included embedded configuration data, specifically indicating the use of svchost.exe for process injection, as highlighted in Figure 2.\r\nFurther analysis revealed a second layer of encryption within the intermediate payload. 
After decrypting this layer, the final portable executable (PE) file was extracted, which we confirmed to be the Charon ransomware payload based on the observed file encryption activity.\r\nTechnical analysis of the Charon ransomware\r\nThe recovered executable, now free from its obfuscation layers, revealed sophisticated encryption capabilities and operational characteristics.\r\nUpon initialization, Charon accepts several command-line parameters that significantly influence its behavior. The ransomware checks for the following arguments:\r\n--debug=<path + file name>: Enables error logging to the specified file path; all errors raised during encryption are logged there.\r\n--shares=<network shares>: Lists network server names or IP addresses to target; the ransomware enumerates and encrypts all accessible shares on these servers (except ADMIN$).\r\n--paths=<specific path>: Lists specific paths or drive letters to encrypt, which can be local paths (C:\\folder) or drive letters (D:).\r\n--sf: “Shares First”; when this flag is set, network shares are encrypted before local drives. Without it, local drives are encrypted first.\r\nIt creates a mutex named OopsCharonHere.\r\nBefore initiating its main encryption routine, it performs a series of disruptive actions aimed at maximizing its chances of success and minimizing the potential for recovery or interference. It stops security-related services and terminates active processes, including those belonging to security products, so that antivirus and endpoint protection software are disabled and the likelihood of detection or interruption is reduced. The list of service and process names can be found in the original post.\r\nFollowing this, it systematically deletes all shadow copies on the system, eradicating the volume snapshots that could be used for file restoration. 
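The chain described so far (a signed Edge.exe loading an unsigned msedge.dll from its own directory, then spawning svchost.exe as an injection host) and the file artefacts Charon leaves behind (the .Charon extension and the How To Restore Your Files.txt note, covered in the encryption section of this post) translate into simple telemetry rules. The following Python is an added example written for this page, not code from Trend Micro or from the report. It runs three such rules over a handful of constructed Sysmon-style records (ImageLoad, ProcessCreate and FileCreate events reduced to dictionaries); the field names, the trusted-directory list and the sample paths are assumptions, and the sample paths use forward slashes, which pathlib.PureWindowsPath treats exactly like backslashes.

```python
from pathlib import PureWindowsPath

# Directories from which a signed Microsoft binary is expected to load its own DLLs.
# Treated as trusted for this example only; tune for your estate.
TRUSTED_ROOTS = ('program files', 'program files (x86)', 'windows')

RANSOM_NOTE = 'how to restore your files.txt'   # note name from the report
MARKER_EXT = '.charon'                           # extension appended to encrypted files

# Constructed Sysmon-style records (not telemetry from the incident). Sysmon event 7 is
# ImageLoad, 1 is ProcessCreate, 11 is FileCreate; field names are simplified here.
SAMPLE_EVENTS = [
    {'id': 7, 'image': 'C:/Users/Public/Edge/Edge.exe', 'signed': 'true',
     'loaded': 'C:/Users/Public/Edge/msedge.dll', 'loaded_signed': 'false'},
    {'id': 7, 'image': 'C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe',
     'signed': 'true', 'loaded_signed': 'true',
     'loaded': 'C:/Program Files (x86)/Microsoft/Edge/Application/msedge.dll'},
    {'id': 1, 'parent_image': 'C:/Users/Public/Edge/Edge.exe',
     'image': 'C:/Windows/System32/svchost.exe'},
    {'id': 1, 'parent_image': 'C:/Windows/System32/services.exe',
     'image': 'C:/Windows/System32/svchost.exe'},
    {'id': 11, 'image': 'C:/Windows/System32/svchost.exe', 'target': 'D:/finance/Q2.xlsx.Charon'},
    {'id': 11, 'image': 'C:/Windows/System32/svchost.exe',
     'target': '//fileserver/shared/How To Restore Your Files.txt'},
    {'id': 11, 'image': 'C:/Windows/System32/svchost.exe', 'target': 'C:/Windows/Temp/dump.log'},
]


def _under_trusted_root(path):
    # parts[0] is the drive for local paths (or the UNC prefix), parts[1] the top folder.
    parts = PureWindowsPath(path).parts
    return len(parts) > 1 and parts[1].lower() in TRUSTED_ROOTS


def sideload_alert(ev):
    # Rule 1: a signed executable loads an unsigned DLL that sits in its own directory,
    # and that directory is outside the trusted roots. This is the Edge.exe/msedge.dll shape.
    if ev.get('id') != 7 or ev.get('signed') != 'true' or ev.get('loaded_signed') != 'false':
        return None
    exe, dll = PureWindowsPath(ev['image']), PureWindowsPath(ev['loaded'])
    if dll.suffix.lower() != '.dll' or dll.parent != exe.parent or _under_trusted_root(dll):
        return None
    return f'sideload: {exe.name} loaded unsigned {dll.name} from {dll.parent}'


def svchost_parent_alert(ev):
    # Rule 2: svchost.exe is normally started by services.exe; any other parent
    # (here the sideloaded Edge.exe) points at a process used as an injection host.
    if ev.get('id') != 1:
        return None
    child, parent = PureWindowsPath(ev['image']), PureWindowsPath(ev['parent_image'])
    if child.name.lower() == 'svchost.exe' and parent.name.lower() != 'services.exe':
        return f'injection-host: {parent.name} spawned svchost.exe'
    return None


def ransom_artifact_alert(ev):
    # Rule 3: the encrypted-file extension or the ransom note is written, locally or on a share.
    if ev.get('id') != 11:
        return None
    target = PureWindowsPath(ev['target'])
    writer = PureWindowsPath(ev['image']).name
    if target.suffix.lower() == MARKER_EXT:
        return f'encryption: {writer} wrote {target.name}'
    if target.name.lower() == RANSOM_NOTE:
        return f'ransom-note: {writer} wrote {target}'
    return None


RULES = (sideload_alert, svchost_parent_alert, ransom_artifact_alert)


def detect(events):
    '''Apply every rule to every record and return the alert strings in event order.'''
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == '__main__':
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Rule 1 is a hunting rule rather than a blocking one: any portable, signed application that ships an unsigned helper DLL under a user profile will also trip it, so baseline it against your software inventory before alerting on it. Rule 3 fires only once files are already being encrypted; its value is in confirming scope (which hosts and which shares) quickly, not in prevention.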
Charon also empties the Recycle Bin, so that recently deleted files cannot be easily recovered.\r\nOnce these steps are finished, it counts the processor cores available on the system and creates multiple threads dedicated to file encryption. Multithreading maximizes encryption speed, allowing it to rapidly compromise large volumes of data on the infected host.\r\nDuring its encryption routine, it avoids encrypting files with the following extensions and file names:\r\n.exe\r\n.dll\r\n.Charon\r\nHow To Restore Your Files.txt\r\nIt then encrypts the remaining files, appends the .Charon extension, and adds the infection marker “hCharon is enter to the urworld!” to each encrypted file.\r\nThe encryption routine employs a hybrid cryptographic scheme that combines Curve25519 elliptic curve key agreement with the ChaCha20 stream cipher. It begins by generating a 32-byte random private key using Windows’ cryptographic functions, which is then clamped (bit-masked) as the Curve25519 specification requires. From this private key it derives a public key, and it combines the private key with the hardcoded public key embedded in the binary to produce a shared secret via the Curve25519 Diffie-Hellman operation. The shared secret is processed through a custom hash function to derive a 256-bit key that initializes a modified ChaCha20 cipher for the actual file encryption. 
Each encrypted file receives a 72-byte footer containing the victim’s public key and encryption metadata, so that the holder of the private key matching the hardcoded public key can recompute the shared secret and decrypt the file.\r\nCharon implements the following partial encryption approach to balance speed and effectiveness:\r\nFiles ≤ 64KB: Fully encrypted\r\nFiles 64KB-5MB: Encrypts 3 chunks at the beginning (0%), middle (50%), and end (75%) of the file\r\nFiles 5MB-20MB: Encrypts 5 evenly distributed chunks (each 1/5 of file size)\r\nFiles > 20MB: Encrypts 7 chunks at positions 0%, 12.5%, 25%, 50%, 75%, 87.5%, and near the end\r\nFinally, it drops “How To Restore Your Files.txt” as its ransom note in all drives, network shares, and directories.\r\nBeyond its core encryption functionality, Charon also exhibits several other notable behaviors. It extends encryption across the network, actively scanning for and encrypting accessible network shares via NetShareEnum and WNetEnumResource. It processes both mapped drives and Universal Naming Convention (UNC) paths, although it skips ADMIN$ shares during enumeration to avoid detection.\r\nDuring our analysis of the initialization routines, we also made an interesting discovery: Charon’s binary includes a package built to slip past endpoint detection and response (EDR) defenses. The ransomware embeds a driver compiled from the public Dark-Kill project, designed to disable EDR solutions.\r\nThe malware attempts to drop this driver as %SystemRoot%\\System32\\Drivers\\WWC.sys and register it as the \"WWC\" service. However, our analysis revealed that while this anti-EDR component exists in the data section, it remains dormant and is never called during execution. 
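Returning to the encryption routine: the partial-encryption schedule listed above can be modelled to see how much of a file actually becomes ciphertext. That matters for recovery triage (how much of a large database, archive or virtual disk is still readable after an incident) and for detection (entropy-based monitors see only a small ciphertext fraction in large files). The following Python is an added example, not code from the report or from Trend Micro; it implements the four tiers as the post lists them. The report does not give the chunk length, so 64 KiB is an assumed, hypothetical value; the 'near end' position of the last chunk in the >20MB tier is modelled as the final chunk of the file, also an assumption; and the 5MB-20MB tier is read as five chunks whose starts are one fifth of the file apart.

```python
KiB, MiB = 1024, 1024 * 1024

# The report does not state the chunk length. 64 KiB is an assumed value for this
# example (hypothetical); replace it if you recover the real constant from a sample.
CHUNK = 64 * KiB

# Chunk start positions as fractions of file size, per tier in the report. NEAR_END marks
# the last chunk of the >20MB tier, modelled here as the final CHUNK bytes (assumption).
NEAR_END = None
TIERS = (
    (5 * MiB, (0.0, 0.5, 0.75)),
    (20 * MiB, (0.0, 0.2, 0.4, 0.6, 0.8)),   # five chunks, one fifth of the file apart
    (float('inf'), (0.0, 0.125, 0.25, 0.5, 0.75, 0.875, NEAR_END)),
)


def chunk_plan(size, chunk=CHUNK):
    '''Regions (offset, length) that Charon encrypts in a file of the given size.
    Regions are clipped to the file and merged when they touch or overlap, so the
    result is a sorted list of disjoint ranges.'''
    if size <= 0:
        return []
    if size <= 64 * KiB:
        return [(0, size)]                     # small files are fully encrypted
    fractions = next(fr for limit, fr in TIERS if size <= limit)
    starts = sorted(int(size * f) if f is not NEAR_END else max(0, size - chunk)
                    for f in fractions)
    regions = []
    for start in starts:
        end = min(size, start + chunk)
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], max(regions[-1][1], end))
        else:
            regions.append((start, end))
    return [(s, e - s) for s, e in regions]


def plaintext_ranges(size, chunk=CHUNK):
    '''Byte ranges the scheme never touches: what carving or partial recovery can still read.'''
    gaps, cursor = [], 0
    for offset, length in chunk_plan(size, chunk):
        if offset > cursor:
            gaps.append((cursor, offset - cursor))
        cursor = offset + length
    if cursor < size:
        gaps.append((cursor, size - cursor))
    return gaps


def coverage(size, chunk=CHUNK):
    '''Fraction of the file that is actually ciphertext.'''
    return sum(length for _, length in chunk_plan(size, chunk)) / size if size > 0 else 0.0


if __name__ == '__main__':
    for size in (32 * KiB, 100 * KiB, 1 * MiB, 10 * MiB, 100 * MiB, 2 * 1024 * MiB):
        plan = chunk_plan(size)
        print(f'{size:>12} bytes: {len(plan)} region(s), {coverage(size):.2%} encrypted')
```

Two things fall out of the model that the tier list alone does not show. With a 64 KiB chunk, a 100 KiB file in the 64KB-5MB tier is still encrypted end to end, because the three chunks overlap, so the speed trade-off only begins at a few hundred kilobytes. At the other end, a 100 MB file keeps well over 99% of its bytes intact, which is why the 72-byte footer and the .Charon extension, not file entropy, are the reliable signs of encryption on large files, and why structured formats with internal redundancy may be partially salvageable.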
The dormancy of this driver suggests that the anti-EDR feature is still under development and has not been activated in this variant, possibly being reserved for future versions.\r\nDefending against Charon ransomware\r\nGiven the Charon threat actor’s blend of stealth, speed, and evasiveness, a multilayered defense is critical. Here are some actionable best practices for security teams:\r\nHarden against DLL sideloading and process injection by:\r\nLimiting which executables can run and load DLLs, especially in directories commonly abused for sideloading (e.g., application folders, temp locations).\r\nAlerting on suspicious process chains, such as Edge.exe or other signed binaries loading nonstandard DLLs or spawning svchost.exe instances.\r\nWatching for unsigned or suspicious DLLs placed next to legitimate binaries.\r\nEnsure that EDR and antivirus agents run with anti-tamper protection that prevents malware from disabling, tampering with, or uninstalling them.\r\nLimit lateral movement by restricting access between workstations, servers, and sensitive shares. Disable or closely monitor the use of ADMIN$ and other administrative shares. 
Require strong authentication for all remote access.\r\nStrengthen backup and recovery capabilities by:\r\nMaintaining offline or immutable backup copies, separate from production systems, so that backups cannot be wiped by ransomware.\r\nRegularly validating that backups can be restored and that shadow copy deletion or Recycle Bin emptying will not block recovery.\r\nGranting backup, shadow copy, and restore rights only to specific, monitored accounts.\r\nReinforce user awareness and privilege management by:\r\nTraining employees to avoid suspicious attachments, links, and executables, which may initiate the sideloading chain.\r\nLimiting user and service accounts to only the permissions needed for their roles, to reduce the impact if a system is compromised.\r\nThe Charon ransomware campaign demonstrates the ongoing evolution of ransomware, blending advanced evasion tactics with highly targeted, disruptive capabilities. The convergence of techniques once reserved for APTs compels enterprises to reconsider traditional approaches and strengthen their security posture with layered defenses, proactive threat intelligence, and robust incident response. Beyond immediate business disruption, Charon exposes organizations to data loss, operational downtime, reputational harm, regulatory penalties, and substantial financial costs associated with ransom payments and recovery. The targeted nature of these attacks means that even well-defended networks can be compromised, underscoring the urgent need for resilience and readiness at every level of the organization.\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. 
This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.\r\nTrend Vision One™ Threat Intelligence\r\nTo stay ahead of evolving threats, Trend customers can access Threat Insights, which provide the latest insights from Trend Research on emerging threats and threat actors.\r\nThreat Insights\r\nThreat Actor: Earth Baxia\r\nEmerging Threats: Threat Actor deploys Charon Ransomware using TTPs previously observed in Earth Baxia operations\r\nTrend Vision One Intelligence Reports (IOC Sweeping)\r\nThreat Actor deploys Charon Ransomware using TTPs previously observed in Earth Baxia operations\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\nCharon ransomware detection\r\nmalName: *CHARON* AND eventName: MALWARE_DETECTION\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled.\r\nIndicators of Compromise (IOC)\r\nThe indicators of compromise for this entry can be found in the original post.\r\nSource: https://www.trendmicro.com/en_us/research/25/h/new-ransomware-charon.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/h/new-ransomware-charon.html"
	],
	"report_names": [
		"new-ransomware-charon.html"
	],
	"threat_actors": [
		{
			"id": "f45af9e4-5037-4a5a-82c1-4627845eea49",
			"created_at": "2024-09-26T02:00:04.286721Z",
			"updated_at": "2026-04-10T02:00:03.707415Z",
			"deleted_at": null,
			"main_name": "Earth Baxia",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Baxia",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b7f4f69-7c56-4691-9071-9365884a7f30",
			"created_at": "2024-10-25T02:02:07.672671Z",
			"updated_at": "2026-04-10T02:00:04.660715Z",
			"deleted_at": null,
			"main_name": "Earth Baxia",
			"aliases": [],
			"source_name": "ETDA:Earth Baxia",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"EAGLEDOOR",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434524,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b688d10c70383dd153c5584da97c1eba7a2b43a.pdf",
		"text": "https://archive.orkl.eu/6b688d10c70383dd153c5584da97c1eba7a2b43a.txt",
		"img": "https://archive.orkl.eu/6b688d10c70383dd153c5584da97c1eba7a2b43a.jpg"
	}
}