Trend Micro researchers have identified Charon ransomware, a newly discovered family that employs advanced persistent threat-style techniques previously associated with the Earth Baxia group. The campaign targets enterprises with tailored ransom demands, indicating a high level of reconnaissance and customization designed to maximize pressure on victims. Deployed in a targeted attack against the Middle East’s public sector and aviation industry, the Charon ransomware campaign poses a significant business risk, with potential operational disruption, data loss, and financial costs tied to downtime. The ransomware can encrypt both local and networked data, hampering recovery efforts.
“The threat actor used a DLL sideloading technique closely resembling tactics previously documented in Earth Baxia campaigns, which have historically focused on government entities,” Trend Micro researchers wrote in a Tuesday research post. “In this case, the attack chain exploited a legitimate browser-related file, Edge[dot]exe (originally named cookie_exporter.exe), to sideload a malicious msedge[dot]dll (SWORDLDR). This malicious library then executed the final payload, deploying the Charon ransomware.”
They added that the ransomware’s custom ransom note specifically references the victim organization by name, confirming this was a targeted operation rather than an opportunistic campaign. “This targeted approach, combined with the distinctive DLL sideloading methodology, raises questions about potential connections to Earth Baxia. While we observe technical overlap—particularly the specific toolchain of using the same binary with a DLL to deploy encrypted shellcode—we cannot definitively attribute this attack to Earth Baxia.”
Furthermore, the techniques could represent either direct involvement, deliberate imitation, or independent development of similar tactics. “Without corroborating evidence such as shared infrastructure or consistent targeting patterns, we assess this attack demonstrates limited but notable technical convergence with known Earth Baxia operations.”
Trend Micro warns that this case underscores a growing concern: ransomware operators are increasingly adopting advanced, APT-grade techniques to enhance the precision and impact of their attacks. “While DLL sideloading is not unique to any single group, the specific implementation observed here—matching toolchains and encrypted payload delivery—represents a sophistication typically associated with advanced persistent threats. This convergence of APT tactics with ransomware operations poses an elevated risk to organizations, combining sophisticated evasion techniques with the immediate business impact of ransomware encryption.”
The post highlighted that the Charon ransomware campaign demonstrates the ongoing evolution of ransomware, blending advanced evasion tactics with highly targeted, disruptive capabilities. The convergence of techniques once reserved for APTs compels enterprises to reconsider traditional approaches and strengthen their security posture with layered defenses, proactive threat intelligence, and robust incident response.
Beyond immediate business disruption, Charon exposes organizations to data loss, operational downtime, reputational harm, regulatory penalties, and substantial financial costs associated with ransom payments and recovery. The targeted nature of these attacks means that even well-defended networks can be compromised, underscoring the urgent need for resilience and readiness at every level of the organization.
The Charon ransomware uses a multistage payload extraction technique. “During our investigation, DumpStack[dot]log was identified as a critical component of the attack chain. Although it initially appeared to be a benign log file, further analysis revealed that it contained an encrypted shellcode responsible for delivering the ransomware payload. Decryption of the first layer revealed another payload. This additional layer included embedded configuration data, specifically indicating the use of svchost[dot]exe for process injection.”
Further analysis revealed a second layer of encryption within the intermediate payload. Once this layer was decrypted, the final portable executable (PE) file was extracted and confirmed as the Charon ransomware payload based on its observed file encryption activity.
Before initiating its main encryption routine, the Charon ransomware performs a series of disruptive actions aimed at maximizing its chances of success and minimizing the potential for recovery or interference. It stops security-related services and terminates active processes, including those belonging to antivirus and endpoint protection software, so that these tools are disabled and less likely to detect or interrupt the encryption.
Following this, it deletes all volume shadow copies on the system, removing the snapshots that could otherwise be used to restore files. To further hinder recovery, it also empties the Recycle Bin so that recently deleted files cannot be easily recovered.
“Once these are finished, it counts the number of processor cores available on the system and creates multiple threads dedicated to file encryption,” the post added. “By utilizing multithreading, it maximizes encryption speed and efficiency, allowing it to rapidly compromise large volumes of data across the infected host.”
Beyond its core encryption functionality, the Charon ransomware also exhibits several other notable behaviors. “It demonstrates network propagation capabilities, actively scanning for and encrypting accessible network shares across the infrastructure via NetShareEnum and WNetEnumResource. It processes both mapped drives and Universal Naming Convention (UNC) paths, although it skips ADMIN$ shares during enumeration to avoid detection.”
Defending against Charon ransomware requires a multilayered strategy to counter the threat actor’s blend of stealth, speed, and evasiveness. Security teams should harden systems against DLL sideloading and process injection by restricting which executables can run and which DLLs they may load, particularly in directories often abused for sideloading, such as user-writable application folders or temporary locations. They should also monitor for suspicious process chains, including signed binaries like Edge[dot]exe loading DLLs from nonstandard paths or spawning svchost[dot]exe instances, and watch for unsigned or unusual DLLs placed alongside legitimate binaries.
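The following is an added example, not code from Trend Micro’s post or from the Charon sample, showing how the monitoring advice above and the pre-encryption sabotage described earlier (service termination aside) can be turned into three hunt rules over Sysmon-style telemetry: msedge.dll loaded from outside the Edge install tree or unsigned (the sideload), svchost.exe with an unexpected parent (the injection target), and command lines that delete shadow copies. The events are constructed records with made-up hosts, paths and version numbers; the Edge install directories, the allow-listed svchost parents and the shadow-copy deletion patterns are assumptions based on common Windows behaviour, since the post does not say which command Charon uses to delete shadow copies.

```python
"""Hunt rules for a Charon-style sideload / svchost / shadow-copy chain.

Added example, not Trend Micro's tooling. Input is a list of reduced
Sysmon-like events: Event ID 1 = process create, Event ID 7 = image load.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
import re


@dataclass
class Event:
    event_id: int           # 1 = process create, 7 = image load
    host: str
    image: str              # process performing the action
    parent_image: str = ""  # EID 1 only
    command_line: str = ""  # EID 1 only
    image_loaded: str = ""  # EID 7 only
    signed: bool = True     # EID 7 'Signed' field for the loaded module


# Assumption: default install locations of Microsoft Edge.
EDGE_INSTALL_DIRS = (
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
)

# Assumption: parents under which svchost.exe is normally seen; services.exe
# is the usual one, the others are common allow-list entries in hunt rules.
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "svchost.exe"}

# Common ways ransomware destroys shadow copies / backup catalogs. The post
# does not state which of these Charon uses, so all are matched.
SHADOW_DELETION = (
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _under(path: str, roots) -> bool:
    """True if path lies inside one of the given directory roots."""
    low = str(PureWindowsPath(path)).lower()
    return any(low.startswith(r + "\\") for r in roots)


def sideloaded_edge_dll(ev: Event) -> bool:
    """Rule 1: msedge.dll loaded from outside the Edge install tree, or unsigned."""
    if ev.event_id != 7 or _name(ev.image_loaded) != "msedge.dll":
        return False
    return (not ev.signed) or not _under(ev.image_loaded, EDGE_INSTALL_DIRS)


def suspicious_svchost(ev: Event) -> bool:
    """Rule 2: svchost.exe started by something other than its expected parents."""
    if ev.event_id != 1 or _name(ev.image) != "svchost.exe":
        return False
    return _name(ev.parent_image) not in SVCHOST_PARENTS


def shadow_copy_deletion(ev: Event) -> bool:
    """Rule 3: process creation whose command line destroys shadow copies."""
    return ev.event_id == 1 and any(p.search(ev.command_line) for p in SHADOW_DELETION)


RULES = {
    "edge_dll_sideload": sideloaded_edge_dll,
    "svchost_unexpected_parent": suspicious_svchost,
    "shadow_copy_deletion": shadow_copy_deletion,
}


def triage(events):
    """Return (rule, host, detail) for every event/rule pair that fires."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.host, ev.image_loaded or ev.command_line or ev.image))
    return hits


# Constructed sample telemetry (hosts, paths and the version folder are made up).
SAMPLE_EVENTS = [
    # benign: the real Edge loading its own msedge.dll from the install tree
    Event(7, "ws01", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
          image_loaded=r"C:\Program Files (x86)\Microsoft\Edge\Application\138.0.1.1\msedge.dll"),
    # sideload: an Edge-named binary in a writable folder loads a planted, unsigned msedge.dll
    Event(7, "ws01", r"C:\Users\Public\Edge.exe",
          image_loaded=r"C:\Users\Public\msedge.dll", signed=False),
    # injection target launched by the sideload host
    Event(1, "ws01", r"C:\Windows\System32\svchost.exe",
          parent_image=r"C:\Users\Public\Edge.exe", command_line="svchost.exe"),
    # benign svchost started by services.exe
    Event(1, "ws01", r"C:\Windows\System32\svchost.exe",
          parent_image=r"C:\Windows\System32\services.exe",
          command_line="svchost.exe -k netsvcs -p"),
    # recovery sabotage
    Event(1, "ws01", r"C:\Windows\System32\vssadmin.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line="vssadmin.exe Delete Shadows /All /Quiet"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Rule 1 keys on the DLL’s location and signature rather than on a hash, because the post describes the loader as a renamed legitimate binary paired with a planted library, so the file names are expected to look normal and only the path and signer stand out. Rule 2 will need tuning to local telemetry; anything that legitimately launches svchost.exe in your estate belongs in SVCHOST_PARENTS.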
Endpoint detection and response tools, along with antivirus agents, should be configured to prevent malware from disabling, tampering with, or uninstalling security protections. To limit lateral movement, organizations should restrict access between workstations, servers, and sensitive shares, disable or closely monitor the use of ADMIN$ and other administrative shares, and enforce strong authentication for all remote access.
Backup and recovery capabilities must be strengthened by maintaining offline or immutable copies stored separately from production systems to prevent ransomware from wiping them. Backups should be regularly tested to confirm they can be restored, and safeguards should be in place to prevent shadow copy deletion or Recycle Bin emptying from blocking recovery. Access to backup, shadow copy, and restore functions should be limited to specific, monitored accounts.
User awareness and privilege management are also essential. Employees should be trained to recognize and avoid suspicious attachments, links, and executables that could trigger the sideloading chain. Accounts, whether for users or services, should only have the permissions required for their roles to reduce potential impact if a system is compromised.
Last month, Microsoft observed the threat group Octo Tempest, also known as Scattered Spider, Muddled Libra, UNC3944, or 0ktapus, targeting the airline sector, marking a shift from its earlier activity between April and July this year that focused on retail, food service, hospitality, and insurance organizations. The behavior is consistent with the group’s pattern of concentrating on a specific industry for an extended period before pivoting to new targets. Microsoft Security is actively updating its protection coverage in response to these evolving tactics.