Redazione RHC : 13 August 2025 14:40
Trend Micro has detected a targeted attack on the government and aviation sectors in the Middle East using a new ransomware family called Charon. The attackers employed a multi-stage infection chain built on DLL sideloading, process injection and EDR evasion, techniques more typical of advanced APT operations than of run-of-the-mill ransomware.
The infection chain begins with the execution of a legitimate, renamed binary, Edge.exe (originally cookie_exporter.exe), which sideloads a malicious msedge.dll dubbed SWORDLDR. The loader decrypts shellcode hidden in a file named DumpStack.log and injects the payload, Charon itself, into an svchost.exe process so that it masquerades as a Windows system service.
After peeling back all the obfuscation layers, the researchers confirmed that the final payload encrypts data and appends a distinctive infection marker, "hCharon has entered the real world!", to the end of each encrypted file. Encrypted files receive the .Charon extension, and a ransom note, How To Restore Your Files.txt, is dropped in the affected directories; it names a specific victim, confirming the targeted nature of the attack.
Charon supports a variety of command-line options, from specifying the paths to encrypt to prioritizing network resources. On startup it creates a mutex named OopsCharonHere (a cheap host-based indicator for defenders), kills security-related processes, disables security services, deletes volume shadow copies and empties the Recycle Bin. It then encrypts files using multiple threads, skipping system files (.exe, .dll) as well as its own components and the ransom note.
Encryption uses a hybrid scheme: Curve25519 for key exchange and ChaCha20 for the file contents. Each encrypted file carries a 72-byte footer holding the victim's public key and encryption metadata. Because the per-file key can only be reconstructed from that public key together with the matching private key, which never leaves the attackers, the footer is exactly what makes decryption possible for the key holder and infeasible for anyone else.
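To make the Curve25519/ChaCha20 design concrete, here is an added example of the same hybrid construction: a fresh ephemeral key per file, a shared secret derived against the attacker's public key, ChaCha20 for the data, and a 72-byte footer appended so that only the holder of the attacker's private key can rebuild the file key. This is illustrative code written for this page, not Charon's own implementation or Trend Micro's. The footer layout, the SHA-256 key derivation, the key-check field and the magic value are assumptions chosen for the example; the page only states that the footer is 72 bytes and holds a public key plus metadata. X25519 and ChaCha20 are written out in pure Python (RFC 7748 and RFC 8439) so the script runs offline.

```python
"""Hybrid Curve25519 + ChaCha20 file encryption with a trailing footer, modelled on
the scheme the article attributes to Charon.  Added illustration, not Charon's code.
Assumptions: the footer layout (ephemeral public key, nonce, original size, key-check
value, magic), the SHA-256-based key derivation and the magic value are all made up
here.  X25519 and ChaCha20 are implemented in pure Python (RFC 7748 / RFC 8439) so the
script runs offline; real software should use a vetted library instead."""
import hashlib
import os
import struct

# ---------- X25519 (RFC 7748 Montgomery ladder) ----------
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64            # clamp the private scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# ---------- ChaCha20 (RFC 8439) ----------
M = 0xFFFFFFFF

def _quarter(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & M; s[d] ^= s[a]; s[d] = ((s[d] << 16) | (s[d] >> 16)) & M
    s[c] = (s[c] + s[d]) & M; s[b] ^= s[c]; s[b] = ((s[b] << 12) | (s[b] >> 20)) & M
    s[a] = (s[a] + s[b]) & M; s[d] ^= s[a]; s[d] = ((s[d] << 8) | (s[d] >> 24)) & M
    s[c] = (s[c] + s[d]) & M; s[b] ^= s[c]; s[b] = ((s[b] << 7) | (s[b] >> 25)) & M

def chacha20(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    """XOR data with the ChaCha20 keystream (the same call encrypts and decrypts)."""
    out = bytearray()
    for off in range(0, len(data), 64):
        init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                                  + struct.pack("<I", counter + off // 64) + nonce))
        w = init[:]
        for _ in range(10):                            # 20 rounds = 10 double rounds
            _quarter(w, 0, 4, 8, 12); _quarter(w, 1, 5, 9, 13)
            _quarter(w, 2, 6, 10, 14); _quarter(w, 3, 7, 11, 15)
            _quarter(w, 0, 5, 10, 15); _quarter(w, 1, 6, 11, 12)
            _quarter(w, 2, 7, 8, 13); _quarter(w, 3, 4, 9, 14)
        stream = struct.pack("<16I", *((x + y) & M for x, y in zip(w, init)))
        out += bytes(p ^ s for p, s in zip(data[off:off + 64], stream))
    return bytes(out)

# ---------- per-file hybrid encryption with a 72-byte footer ----------
# Assumed layout: ephemeral pub (32) | nonce (12) | original size (8) | key check (16) | magic (4)
FOOTER = struct.Struct("<32s12sQ16s4s")
MAGIC = b"CHRN"                                        # hypothetical, not Charon's marker

def _file_key(shared: bytes) -> bytes:
    return hashlib.sha256(b"file-key" + shared).digest()   # assumed KDF over the DH secret

def encrypt_file(plaintext: bytes, attacker_pub: bytes,
                 ephemeral_priv: bytes = None, nonce: bytes = None) -> bytes:
    """Fresh X25519 key per file; only the holder of attacker_priv can recover the file key."""
    ephemeral_priv = ephemeral_priv or os.urandom(32)
    nonce = nonce or os.urandom(12)
    key = _file_key(x25519(ephemeral_priv, attacker_pub))
    footer = FOOTER.pack(x25519(ephemeral_priv, BASEPOINT), nonce, len(plaintext),
                         hashlib.sha256(key).digest()[:16], MAGIC)
    return chacha20(key, nonce, plaintext) + footer   # ephemeral private key is discarded

def decrypt_file(blob: bytes, attacker_priv: bytes) -> bytes:
    """Decryptor side: rebuild the shared secret from the public key stored in the footer."""
    body, footer = blob[:-FOOTER.size], blob[-FOOTER.size:]
    eph_pub, nonce, size, check, magic = FOOTER.unpack(footer)
    if magic != MAGIC:
        raise ValueError("footer magic mismatch: not a file of this format")
    key = _file_key(x25519(attacker_priv, eph_pub))
    if hashlib.sha256(key).digest()[:16] != check:
        raise ValueError("key check failed: wrong private key")
    return chacha20(key, nonce, body)[:size]

if __name__ == "__main__":
    attacker_priv = os.urandom(32)                     # stays with the attacker
    attacker_pub = x25519(attacker_priv, BASEPOINT)    # the only key the binary needs to carry
    sample = b"constructed sample document, not real victim data\n" * 4
    blob = encrypt_file(sample, attacker_pub)
    print("encrypted size:", len(blob), "footer:", FOOTER.size, "bytes")
    print("decrypts with the private key:", decrypt_file(blob, attacker_priv) == sample)
```

The point worth noticing is what the binary has to carry: only the attacker's public key. The ephemeral private key is thrown away after each file, so neither memory forensics on the victim nor the footer itself yields anything usable without the attacker's private key; the 16-byte key-check field merely lets a decryptor tell a wrong key from corrupted data. A real implementation would also authenticate the ciphertext (for example ChaCha20-Poly1305), which this example omits.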
Charon also has lateral-movement capabilities: it enumerates network shares with NetShareEnum and WNetEnumResource, encrypts every share it can reach, and handles UNC paths directly, skipping only the ADMIN$ share to reduce the chance of detection.
The binary also embeds, although inactive, a driver-based component derived from the open-source Dark-Kill project and designed to disable EDR solutions. It is meant to be installed as a service named WWC, but the current release never invokes it; the feature is most likely still being prepared for future iterations.
The use of tooling similar to that of the Chinese group Earth Baxia is suspicious, but there is no conclusive evidence of that group's involvement: the operators may be borrowing its tactics or independently developing the same techniques.
The emergence of Charon is further evidence that ransomware operators are actively adopting sophisticated APT methods. Combining advanced evasion techniques with direct business damage in the form of data loss and downtime raises the risk and requires organizations to rethink their defensive strategy.