The PolySwarm Blog


Charon Ransomware Targets Middle East

Aug 18, 2025 1:56:06 PM / by The Hivemind

Verticals Targeted: Public Sector, Aviation
Regions Targeted: Middle East
Related Families: None

Executive Summary

Charon is a new ransomware family employing advanced APT-style techniques, targeting Middle Eastern public sector and aviation organizations with tailored ransom demands. Its sophisticated attack chain, including DLL sideloading and process injection, underscores the growing convergence of ransomware and APT tactics.

Key Takeaways

  • Charon ransomware leverages DLL sideloading via a legitimate Edge.exe binary to deploy its payload.  
  • The attack chain includes process injection into svchost.exe, enhancing evasion capabilities.  
  • Charon uses a hybrid cryptographic scheme combining Curve25519 and ChaCha20 for file encryption.  
  • Targeted attacks in the Middle East show technical similarities to Earth Baxia campaigns. 

What is Charon?

Trend Micro’s recent analysis uncovered a new ransomware family named Charon, which employs advanced persistent threat (APT)-style techniques against enterprises, specifically public sector and aviation organizations in the Middle East. The campaign marks a notable evolution in ransomware tradecraft, pairing sophisticated evasion with the disruptive impact of data encryption and so posing substantial risk to operational continuity and data security.

The attack begins with a legitimate browser-related executable, Edge.exe, which is abused to sideload a malicious DLL named msedge.dll, also referred to as SWORDLDR. DLL sideloading, a hallmark of advanced intrusions, lets the threat actor’s code run inside a legitimate host process and so slip past controls that trust the host binary. The malicious DLL then decrypts and loads encrypted shellcode from a file named DumpStack.log; once decrypted, the shellcode yields the Charon ransomware payload, marking its first documented appearance in the wild.

Charon’s execution flow is meticulously crafted. The ransomware injects its payload into a newly spawned svchost.exe, the generic Windows service host process, so that encryption runs under the guise of legitimate system activity and is harder for endpoint detection and response (EDR) tooling to single out. Charon also carries anti-EDR capability in the form of a driver compiled from the public Dark-Kill project, intended to disable security products and maximize impact.
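One way to hunt for the two stages described above, as an added example that is not code from PolySwarm or Trend Micro: the script below runs two rules over constructed Sysmon-style process-create (EventID 1) and image-load (EventID 7) records, flagging msedge.dll loaded from outside the Edge install tree (the SWORDLDR sideload) and svchost.exe started by anything other than services.exe (the injection target), then correlates the two on the loader’s image path. The trusted install directories, the expected svchost parent and the event records themselves are assumptions made for this example.

```python
import ntpath

# Where a genuine Microsoft Edge install keeps msedge.dll. Assumed for this
# example; replace with what your software inventory actually shows.
TRUSTED_EDGE_DIRS = (
    r"c:\program files\microsoft\edge\application",
    r"c:\program files (x86)\microsoft\edge\application",
)

# Parent image names from which svchost.exe is normally started (assumed baseline).
EXPECTED_SVCHOST_PARENTS = {"services.exe"}

# Constructed Sysmon-style records: EventID 1 = process create, 7 = image load.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Users\victim\Downloads\Edge.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 7, "pid": 4120, "image": r"C:\Users\victim\Downloads\Edge.exe",
     "loaded": r"C:\Users\victim\Downloads\msedge.dll"},
    {"id": 1, "pid": 4188, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Users\victim\Downloads\Edge.exe"},
    # Benign control records: real Edge loading its own DLL, and a normal svchost.
    {"id": 7, "pid": 3300,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "loaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\138.0.0.0\msedge.dll"},
    {"id": 1, "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
]


def _name(path):
    return ntpath.basename(path).lower()


def _directory(path):
    return ntpath.dirname(path).lower()


def sideloaded_msedge_dll(ev):
    """Image load of msedge.dll from anywhere but the Edge install tree.
    The rule keys on the DLL path rather than on the host being named Edge.exe,
    so a renamed loader dropped next to the same DLL still fires."""
    if ev["id"] != 7 or _name(ev["loaded"]) != "msedge.dll":
        return False
    return not _directory(ev["loaded"]).startswith(TRUSTED_EDGE_DIRS)


def unexpected_svchost_parent(ev):
    """svchost.exe started by something other than the service control manager."""
    if ev["id"] != 1 or _name(ev["image"]) != "svchost.exe":
        return False
    return _name(ev["parent"]) not in EXPECTED_SVCHOST_PARENTS


RULES = (
    ("msedge.dll loaded outside Edge install", sideloaded_msedge_dll),
    ("svchost.exe with unexpected parent", unexpected_svchost_parent),
)


def hunt(events):
    """Return (rule label, pid) hits in event order."""
    hits = []
    for ev in events:
        for label, rule in RULES:
            if rule(ev):
                hits.append((label, ev["pid"]))
    return hits


def chained_hits(events):
    """Correlate both stages: return pids of suspicious svchost.exe processes whose
    parent image is a process that was itself seen sideloading msedge.dll."""
    loader_pids = {ev["pid"] for ev in events if sideloaded_msedge_dll(ev)}
    loader_images = {ev["image"].lower() for ev in events if ev["pid"] in loader_pids}
    return sorted(ev["pid"] for ev in events
                  if unexpected_svchost_parent(ev) and ev["parent"].lower() in loader_images)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
    print("svchost.exe spawned by a confirmed sideloading loader:", chained_hits(SAMPLE_EVENTS))
```

EventID 7 only appears if image-load logging is enabled in the Sysmon configuration, which many default configs restrict to a short DLL allow-list; add msedge.dll to that list before relying on the first rule. The svchost parent rule is a heuristic and needs tuning per estate, which is why the correlated `chained_hits` result is the one worth paging on.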

Prior to encryption, Charon executes a series of disruptive actions to hinder recovery efforts. It terminates security-related services and processes, deletes all shadow copies to prevent restoration, and empties the Recycle Bin to eliminate recently deleted files. The ransomware then leverages multithreading, creating encryption threads based on the system’s processor core count to rapidly encrypt files across local and networked drives. Files are appended with the .Charon extension.  

The encryption process uses a hybrid cryptographic scheme. Charon generates a 32-byte random private key with Windows’ cryptographic functions and clamps it into the form Curve25519 expects. Combining this private key with a public key hardcoded in the binary yields a shared secret, which is run through a custom hash function to derive the key for a modified ChaCha20 stream cipher. Each encrypted file carries a 72-byte footer holding the victim-side public key and metadata; the shared secret can be recomputed from that footer only with the private key that corresponds to the hardcoded public key, so recovery depends on a key the attacker holds and nothing left on the victim’s system.
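A compact model of that scheme, added here for illustration and not code taken from Charon or from Trend Micro’s analysis: it implements X25519 (RFC 7748) and standard ChaCha20 (RFC 8439) in pure Python, where Charon’s cipher is described as modified and its hash as custom, so SHA-256 stands in for the hash; it lays out the 72-byte footer as a 32-byte victim public key plus 40 bytes of metadata whose internal layout, the per-file nonce handling and the CHRN marker are this example’s own assumptions; and it shows why a file can be recovered only by whoever holds the private key behind the hardcoded public key.

```python
import hashlib
import os
import struct

P = 2**255 - 19                        # Curve25519 field prime
A24 = 121665                           # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")
FOOTER_MAGIC = b"CHRN"                 # assumed marker, not a real Charon artifact


def _clamp(scalar: bytes) -> int:
    # The "formatted for Curve25519" step: clear the 3 low bits and bit 255, set bit 254.
    b = bytearray(scalar)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: returns clamp(scalar) * point as 32 little-endian bytes."""
    k = _clamp(scalar)
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), u * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Unmodified RFC 8439 ChaCha20 (32-byte key, 12-byte nonce, block counter from 0)."""
    out = bytearray()
    for off in range(0, len(data), 64):
        init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                                  + struct.pack("<I", off // 64) + nonce))
        s = init[:]
        for _ in range(10):  # 20 rounds as 10 double rounds (column, then diagonal)
            _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
            _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
        block = struct.pack("<16I", *[(s[i] + init[i]) & 0xFFFFFFFF for i in range(16)])
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], block))
    return bytes(out)


def make_keypair():
    priv = os.urandom(32)              # stands in for the 32 bytes Charon gets from Windows
    return priv, x25519(priv, BASEPOINT)


def _file_key(shared: bytes) -> bytes:
    return hashlib.sha256(shared).digest()   # SHA-256 stands in for Charon's custom hash


def encrypt_file(plaintext: bytes, attacker_pub: bytes, victim_priv: bytes) -> bytes:
    key = _file_key(x25519(victim_priv, attacker_pub))
    nonce = os.urandom(12)             # per-file nonce: an assumption, the page gives no detail
    body = chacha20_xor(key, nonce, plaintext)
    # 72-byte footer: victim public key (32) + metadata (40). Assumed metadata layout:
    # 12-byte nonce, 8-byte original length, 4-byte marker, 16 zero bytes.
    footer = (x25519(victim_priv, BASEPOINT) + nonce
              + struct.pack("<Q", len(plaintext)) + FOOTER_MAGIC + bytes(16))
    return body + footer


def parse_footer(blob: bytes):
    footer = blob[-72:]
    if len(footer) != 72 or footer[52:56] != FOOTER_MAGIC:
        raise ValueError("no footer from this scheme")
    return blob[:-72], footer[:32], footer[32:44], struct.unpack("<Q", footer[44:52])[0]


def decrypt_file(blob: bytes, attacker_priv: bytes) -> bytes:
    """Needs the private key behind the hardcoded public key: the footer supplies the
    victim public key, and attacker_priv * victim_pub equals the victim_priv * attacker_pub
    secret the encryptor used. The victim's private key is never written anywhere."""
    body, victim_pub, nonce, length = parse_footer(blob)
    key = _file_key(x25519(attacker_priv, victim_pub))
    return chacha20_xor(key, nonce, body)[:length]
```

To exercise it, call `make_keypair()` twice (one pair plays the hardcoded attacker key, one the per-victim key), encrypt with `encrypt_file(data, attacker_pub, victim_priv)` and confirm that `decrypt_file(blob, attacker_priv)` returns the data while any other private key yields noise. For analysis work the reusable parts are `parse_footer`, which is where a real decryptor would start once the true footer layout is known, and the key derivation, which must match the ransomware’s own hash to produce the right ChaCha20 key.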

Charon’s command-line parameters enhance its flexibility, allowing attackers to specify network shares, local paths, or prioritize encryption order. This customization, coupled with a tailored ransom note referencing the victim organization by name, indicates a highly targeted approach rather than a broad, opportunistic campaign.  

The technical overlap with Earth Baxia, a known China-nexus APT group that targets government sectors, raises questions about a possible connection. Both use similar toolchains, including DLL sideloading and encrypted shellcode delivery. Without shared infrastructure or consistent targeting patterns, however, attribution to Earth Baxia remains unconfirmed. This convergence of APT tactics with ransomware operations highlights a growing trend in which cybercriminals adopt advanced techniques to amplify their impact. PolySwarm analysts consider Charon ransomware to be an emerging threat.

IOCs

PolySwarm has a sample of SWORDLDR, which is part of the Charon ransomware infection chain.

e0a23c0d99c45d40f6ef99c901bacf04bb12e9a3a15823b663b392abadd2444e

You can use the following CLI command to search for all samples associated with Charon ransomware in our portal:

$ polyswarm link list -f Charon

 


Topics: Threat Bulletin, Emerging Threat, Charon ransomware, Earth Baxia, APT techniques, process injection, anti-EDR, DLL sideloading, Middle East cyber attacks, public sector malware, aviation industry threats, ransomware defense
