Charon ransomware adopts APT style tactics to target Middle East public sector and aviation

Threat Group: Suspected China linked Earth Baxia affiliate or imitator
Threat Type: Ransomware
Exploited Vulnerabilities: None confirmed. Suspected spear phishing and DLL sideloading
Malware Used: Ransom.Win64.CHARON.THGBCBE
Threat Score: 🔴 High (7.5/10) – Advanced persistent threat style capabilities, targeted operations, destructive behaviours, and potential state alignment
Last Threat Observation: 13 August 2025


Overview

Charon ransomware was first identified in samples analysed on 22 July 2025 and has since evolved from a moderate threat into a highly targeted, sophisticated ransomware operation. New intelligence links its tactics to Earth Baxia, a China-linked advanced persistent threat group known for targeting critical sectors across the Asia Pacific. The operators may be imitating Earth Baxia or may be affiliated with it.

Recent campaigns have targeted public sector and aviation organisations in the Middle East. These attacks use multi-stage infection chains that include DLL sideloading and process injection into svchost.exe. Charon disables a wide range of backup and security services, deletes shadow copies, and empties the Recycle Bin before encrypting files. It uses a high-speed hybrid cryptographic scheme: Curve25519 for key exchange and ChaCha20 for file encryption.

Although double extortion has not been confirmed, there is a strong likelihood that data theft is already part of the operational playbook or will be introduced in future variants.


Key Details

Delivery Method:

  • Suspected spear phishing with malicious attachments.
  • DLL sideloading via Edge.exe, a legitimate signed binary (originally cookie_exporter.exe) renamed to resemble the browser.
  • Malicious msedge.dll loader decrypts and delivers the ransomware payload through multi-stage processing.

Target:

  • Public sector and aviation organisations in the Middle East.
  • Victim profile aligns with critical infrastructure and government focus.

Functions:

  1. Terminates backup, antivirus, and application services such as AcronisAgent, Veeam, Sophos, VSS, and QuickBooks.
  2. Deletes Volume Shadow Copies and clears the Recycle Bin.
  3. Encrypts files with ChaCha20 using Curve25519 for key exchange.
  4. Uses multithreaded and partial file encryption for faster completion.
  5. Network-aware encryption, enabled with the --shares parameter.
  6. Custom ransom notes that reference the victim organisation.

Obfuscation:

  • Abuse of legitimate signed binaries.
  • Process injection into trusted Windows processes.
  • Dormant Dark Kill anti-EDR driver WWC.sys observed in current samples.

Attack Vectors

  • Spear phishing with malicious executable attachments.
  • DLL sideloading through legitimate signed binaries.
  • Use of encrypted shellcode in disguised files such as DumpStack.log.
  • Execution within svchost.exe to avoid behavioural detection.
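
The infection chain above (sideloaded msedge.dll, injection into svchost.exe, service termination, shadow copy deletion, a run with --shares) is what behavioural monitoring has to catch. The script below is an added example for this advisory, not code from the original page or from any vendor. It triages a handful of constructed endpoint events, deliberately simplified to pipe-delimited key=value lines loosely modelled on Sysmon Event IDs 1, 7 and 8 and the Service Control Manager's 7036 "entered the stopped state" event; real telemetry is XML or JSON and needs its own parser. The APPROVED_EDGE_DIRS allowlist and the escalation rule in severity() are assumptions for the example.

```python
"""Behavioural triage of constructed endpoint events against the Charon
infection chain. Added example, not code from the advisory or any vendor.
Event lines are constructed and simplified (pipe-delimited key=value pairs);
real Sysmon/SCM telemetry needs its own parser.
"""
from typing import Optional

# Services the advisory lists as terminated by Charon (partial list).
TARGETED_SERVICES = {
    "acronisagent", "backupexecagentbrowser", "veeamtransportsvc",
    "veeamnfssvc", "sophos endpoint defense service", "vss", "quickbooksdbxx",
}

# Assumed allowlist: directories from which a genuine Edge install loads
# msedge.dll. Any other location is treated as a sideloading candidate.
APPROVED_EDGE_DIRS = {
    r"c:\program files\microsoft\edge\application",
    r"c:\program files (x86)\microsoft\edge\application",
}

# Constructed sample events: one benign Edge image load, then the chain.
SAMPLE_EVENTS = [
    r"id=7|image=C:\Program Files\Microsoft\Edge\Application\msedge.exe|loaded=C:\Program Files\Microsoft\Edge\Application\msedge.dll",
    r"id=7|image=C:\Users\alice\Downloads\Edge.exe|loaded=C:\Users\alice\Downloads\msedge.dll",
    r"id=8|image=C:\Users\alice\Downloads\Edge.exe|target=C:\Windows\System32\svchost.exe",
    r"id=1|image=C:\Windows\System32\net.exe|cmdline=net stop VeeamTransportSvc /y",
    r"id=7036|name=VSS|state=stopped",
    r"id=1|image=C:\Windows\System32\vssadmin.exe|cmdline=vssadmin delete shadows /all /quiet",
    r"id=1|image=C:\Windows\System32\svchost.exe|cmdline=svchost.exe --shares",
    r"id=7036|name=Spooler|state=stopped",
]


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; keys lower-cased, values kept verbatim."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def service_from_stop_command(cmdline: str) -> Optional[str]:
    """Return the service named in 'net stop X' or 'sc stop X', else None.
    Quoted names containing spaces are not handled in this simplified version."""
    tokens = cmdline.lower().split()
    for i in range(len(tokens) - 2):
        tool = tokens[i].rpartition("\\")[2]
        if tool in {"net", "net.exe", "sc", "sc.exe"} and tokens[i + 1] == "stop":
            return tokens[i + 2]
    return None


def assess(line: str) -> list:
    """Return the Charon-style behaviours a single event exhibits (may be empty)."""
    ev = parse_event(line)
    eid = ev.get("id")
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    findings = []
    if eid == "7":  # image load: msedge.dll from outside its approved directories
        loaded = ev.get("loaded", "").lower()
        loaded_dir, _, dll = loaded.rpartition("\\")
        if dll == "msedge.dll" and loaded_dir not in APPROVED_EDGE_DIRS:
            findings.append("dll_sideload:" + image.rpartition("\\")[2] + "<-" + loaded)
    elif eid == "8":  # remote thread into svchost.exe from a non-Windows binary
        target = ev.get("target", "").lower()
        if target.endswith("\\svchost.exe") and not image.startswith("c:\\windows\\"):
            findings.append("svchost_injection_from:" + image)
    elif eid == "1":  # process create: recovery tampering, service kills, --shares
        if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
            findings.append("shadow_copy_deletion")
        svc = service_from_stop_command(cmd)
        if svc in TARGETED_SERVICES:
            findings.append("targeted_service_stop_cmd:" + svc)
        if "--shares" in cmd.split():  # low confidence on its own
            findings.append("network_share_encryption_flag")
    elif eid == "7036" and ev.get("state", "").lower() == "stopped":
        if ev.get("name", "").lower() in TARGETED_SERVICES:
            findings.append("targeted_service_stopped:" + ev["name"])
    return findings


def triage(lines) -> list:
    """Run assess() over a batch of events and return all findings in order."""
    findings = []
    for line in lines:
        findings.extend(assess(line))
    return findings


def severity(findings) -> str:
    """Assumed escalation rule: sideload plus injection plus recovery tampering
    seen together is treated as a confirmed ransomware incident."""
    kinds = {f.split(":")[0] for f in findings}
    if {"dll_sideload", "svchost_injection_from", "shadow_copy_deletion"} <= kinds:
        return "critical"
    return "investigate" if kinds else "clean"


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    print("\n".join(hits))
    print("severity:", severity(hits))
```

Each finding is a single event judged in isolation; the escalation in severity() is what turns individually noisy signals (a stopped VSS service, a vssadmin invocation) into an alert worth paging on, and is the part to tune against the estate's own baseline.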

Known Indicators of Compromise (IoCs)

SHA1 File Hashes

  • 21b233c0100948d3829740bd2d2d05dc35159ccb
  • 92750eb5990cdcda768c7cb7b654ab54651c058a
  • a1c6090674f3778ea207b14b1b55be487ce1a2ab

Mutex:

  • OopsCharonHere

Service Terminations (Partial List):

  • AcronisAgent
  • BackupExecAgentBrowser
  • VeeamTransportSvc
  • VeeamNFSSvc
  • Sophos Endpoint Defense Service
  • VSS
  • QuickBooksDBXX

File Indicators:

  • Encrypted files append .Charon.
  • Infection marker in encrypted files: hCharon is enter to the urworld!
  • Ransom note: How To Restore Your Files.txt

Artifacts:

  • Edge.exe (cookie_exporter.exe) executing msedge.dll loader.
  • DumpStack.log with encrypted shellcode.
  • Process injection into svchost.exe.
  • Dormant anti EDR driver WWC.sys in %SystemRoot%\System32\Drivers\.
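
A file-system sweep for the indicators listed above, as an added example for this advisory (not code from the original page or from any vendor). It walks a directory tree and reports the listed SHA-1 hashes, the .Charon extension, the ransom note filename, the infection marker string, and a WWC.sys dropped under a Drivers directory. The files created by build_sample_tree() are constructed dummies for the demonstration, so their hashes will not match the real IoCs; the extra_hashes parameter exists only so the hash path can be exercised with a constructed hash.

```python
"""File-system IoC sweep for the Charon indicators in the advisory.
Added example, not the advisory's own tooling. The sample tree is constructed
(dummy bytes, not real malware).
"""
import hashlib
import tempfile
from pathlib import Path

# SHA-1 hashes from the advisory, lower-cased for comparison.
KNOWN_SHA1 = {
    "21b233c0100948d3829740bd2d2d05dc35159ccb",
    "92750eb5990cdcda768c7cb7b654ab54651c058a",
    "a1c6090674f3778ea207b14b1b55be487ce1a2ab",
}
ENCRYPTED_EXT = ".charon"
RANSOM_NOTE = "how to restore your files.txt"
INFECTION_MARKER = b"hCharon is enter to the urworld!"
DRIVER_NAME = "wwc.sys"  # dormant anti-EDR driver, seen under System32\Drivers


def sha1_of(path: Path) -> str:
    """Stream the file through SHA-1 so large encrypted files are not read whole."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_file(path: Path, extra_hashes=frozenset()) -> list:
    """Return the IoC labels that match one file, in a fixed order."""
    hits = []
    name = path.name.lower()
    parts = {p.lower() for p in path.parts}
    if name.endswith(ENCRYPTED_EXT):
        hits.append("encrypted_extension")
    if name == RANSOM_NOTE:
        hits.append("ransom_note")
    if name == DRIVER_NAME and "drivers" in parts:
        hits.append("anti_edr_driver")
    if sha1_of(path) in KNOWN_SHA1 | frozenset(extra_hashes):
        hits.append("known_hash")
    # Whole-file read is acceptable for a demo; bound it on production hosts.
    if INFECTION_MARKER in path.read_bytes():
        hits.append("infection_marker")
    return hits


def sweep(root, extra_hashes=frozenset()) -> dict:
    """Walk root and map relative path -> IoC hits for every file that matched."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hits = inspect_file(path, extra_hashes)
            if hits:
                results["/".join(path.relative_to(root).parts)] = hits
    return results


def build_sample_tree() -> Path:
    """Create a throwaway directory of constructed files mimicking the artefacts."""
    root = Path(tempfile.mkdtemp(prefix="charon_ioc_demo_"))
    files = {
        "docs/report.docx.Charon": b"\x00" * 64 + INFECTION_MARKER,
        "docs/How To Restore Your Files.txt": b"constructed ransom note text\n",
        "docs/clean.txt": b"nothing to see here\n",
        "Windows/System32/Drivers/WWC.sys": b"MZ placeholder driver bytes",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel_path, hits in sweep(demo_root).items():
        print(rel_path, "->", ", ".join(hits))
```

The extension and filename checks are cheap and should run first on a large estate; hashing and the marker search are the expensive part, and a sweep on real hosts would restrict the marker read to files that already carry the .Charon extension.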

Mitigation and Prevention

User Awareness:

  • Regular training focused on recognising spear phishing and malicious attachments.
  • Clear reporting channels for suspicious content.

Email and Web Filtering:

  • Deep content inspection for attachments and links.
  • Sandboxing for downloads from external sources.

Advanced Endpoint Security:

  • EDR or XDR with anti-tampering protection.
  • Behavioural monitoring for DLL sideloading, process injection, and critical service termination.

Application Control:

  • Restrict DLL loading to approved directories.
  • Monitor signed binaries for abnormal process chains.

Resilient Backups:

  • Air-gapped or immutable backup storage.
  • Regular restoration testing and validation.
  • MFA for all backup administration accounts.

System Hardening:

  • Apply least privilege for all accounts.
  • Segment networks to limit lateral movement.
  • Disable SMBv1 and remove or rename vssadmin.exe.

Patch Management:

  • Prioritise patching of internet-facing systems and any known exploited vulnerabilities.

Risk Assessment

Charon ransomware is assessed as a High risk due to its use of advanced persistent threat style tactics, deliberate targeting of high value sectors, and ability to disrupt recovery. Its operational profile suggests both financial and potential geopolitical motivations.


Conclusion

Charon ransomware is a deliberate and highly capable threat that combines ransomware profit motives with advanced persistent threat level tradecraft. It specifically targets strategic sectors such as the public sector and aviation in the Middle East. Organisations in these sectors or in their supply chains should adopt defensive measures aligned with countering nation state capable actors.


Sources