Trend Micro has identified a new ransomware strain, Charon, which is being deployed in highly targeted attacks against aviation and public sector entities in the Middle East.
Unlike conventional ransomware, Charon leverages advanced persistent threat (APT)-style techniques, such as DLL sideloading, process injection, and endpoint security evasion, to infiltrate systems, disable defenses, and deliver customized ransom demands. The campaign’s precision and stealth have drawn comparisons to state-sponsored cyber operations, with experts warning that ransomware is entering a new phase of sophistication.
According to Trend Micro’s analysis, the attackers used DLL sideloading to deliver the Charon ransomware payload. The intrusion began with the execution of a legitimate Edge.exe binary, which was abused to sideload a malicious DLL named msedge.dll, also referred to as SWORDLDR. This loader decrypted the embedded ransomware payload and injected it into a newly spawned svchost.exe process, allowing the malware to impersonate a legitimate Windows service and bypass endpoint security controls.
“Charon represents the next generation of ransomware, blending the stealth, precision, and persistence we usually associate with state-sponsored APT campaigns,” said Jaspreet Bindra, co-founder at AI&Beyond. “Unlike conventional ransomware that simply encrypts files and demands payment, Charon works patiently and methodically. It slips in quietly, leverages trusted applications to hide its presence, disables security tools, and deliberately destroys backups before locking up data, leaving enterprises with few viable recovery paths.”
The ransom note was customized to include the victim organization’s name, underlining the targeted nature of the campaign rather than a broad, opportunistic attack, Trend Micro acknowledged.
“Charon ransomware demonstrates how APT-level techniques are now being leveraged in ransomware attacks, dramatically increasing the threat to critical sectors such as aviation, healthcare, BFSI, and public services. Plus, custom ransom notes tailored for each victim further raise the psychological pressure on targeted organizations,” said Amit Jaju, senior managing director – India at Ankura Consulting.
Possible Earth Baxia overlap
Trend Micro’s analysis revealed technical similarities between Charon’s methods and tactics previously used by the Earth Baxia group, a threat actor known for targeting government sectors. While the company could not conclusively link Charon to Earth Baxia, it noted an overlap in the use of the same binary/DLL toolchain for encrypted shellcode delivery. This suggests possible direct involvement, deliberate imitation, or independent development of similar techniques.
The Charon incident underscores a growing risk for enterprises as ransomware operators increasingly adopt APT-level tactics. DLL sideloading itself is a common technique, but here it was implemented with a toolchain matching Earth Baxia’s and with encrypted payload delivery. This evolution means organizations must harden defenses against threats that now blend criminal intent with APT-grade techniques.
“APT techniques are sophisticated, systematically infiltrating systems by quietly sideloading encrypted malware payloads. These attacks often evade security controls by creating subtle anomalies that are difficult to detect,” said Neil Shah, vice president at Counterpoint Research.
Shah added that threat actors often exploit common vulnerabilities, such as a lack of Multi-Factor Authentication (MFA), the absence of a Zero Trust security model, or poor access control. While addressing these weaknesses is foundational, basic security hygiene is non-negotiable. This includes enforcing stronger compliance policies that limit which executables can run and load DLLs, blocking sideloading attempts, and improving access and privilege policy hygiene.
Experts believe CISOs should rethink their ransomware detection, prevention, and response strategies.
“CISOs should counter APT-style ransomware like Charon with strict binary allowlisting to block non-standard DLL loads, behavioral detection for process injection and suspicious decryption even from trusted binaries, and layered defenses combining EDR, XDR, threat hunting, and anomaly monitoring,” said Pareekh Jain, CEO at EIIRTrend & Pareekh Consulting. They must also strengthen audit and telemetry to flag unusual files, drivers, or trust-chain changes, and run targeted-attack drills simulating Charon’s tactics to ensure rapid recovery and effective network segmentation.
To counter these threats, organizations should also strengthen defenses against bring-your-own-vulnerable-driver (BYOVD) attacks, segment network environments to contain potential compromises, implement strict application allowlisting, and maintain offline immutable backups to ensure recoverability, added Jaju. Additionally, detection efforts should focus on identifying DLL sideloading techniques and patterns of multi-threaded encryption activity to uncover and respond to evolving ransomware threats like Charon promptly.
In July, Trend Micro had tracked BERT, another ransomware group targeting critical infrastructure sectors, including healthcare, technology, and event services, in Asia, Europe, and the US.