{"id":4365,"date":"2025-08-13T12:14:37","date_gmt":"2025-08-13T12:14:37","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4365"},"modified":"2025-08-13T12:14:37","modified_gmt":"2025-08-13T12:14:37","slug":"new-ransomware-charon-uses-dll-sideloading-to-breach-critical-infrastructure","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4365","title":{"rendered":"New ransomware \u2018Charon\u2019 uses DLL sideloading to breach critical infrastructure"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Trend Micro has identified a new ransomware strain, Charon, which is being deployed in highly targeted attacks against aviation and public sector entities in the Middle East. <\/p>\n<p>Unlike conventional ransomware, Charon leverages advanced persistent threat (APT)-style techniques, such as DLL sideloading, process injection, and endpoint security evasion, to infiltrate systems, disable defenses, and deliver customized ransom demands. The campaign\u2019s precision and stealth have drawn comparisons to state-sponsored cyber operations, with experts warning that ransomware is entering a new phase of sophistication.<\/p>\n<p>According to Trend Micro\u2019s analysis, attackers deployed DLL sideloading to deliver the Charon ransomware payload. The intrusion began with the execution of a legitimate Edge.exe binary, which was exploited to sideload a malicious DLL file named msedge.dll, also referred to as SWORDLDR. This loader decrypted the embedded ransomware payload and injected it into a newly spawned svchost.exe process. 
This enabled the malware to impersonate a legitimate Windows service and bypass endpoint security controls.<\/p>\n<p>\u201cCharon represents the next generation of ransomware, blending the stealth, precision, and persistence we usually associate with state-sponsored APT campaigns,\u201d said Jaspreet Bindra, co-founder at AI&amp;Beyond. \u201cUnlike conventional ransomware that simply encrypts files and demands payment, Charon works patiently and methodically. It slips in quietly, leverages trusted applications to hide its presence, disables security tools, and deliberately destroys backups before locking up data, leaving enterprises with few viable recovery paths.\u201d<\/p>\n<p>The ransom note was customized to include the victim organization\u2019s name, underlining the targeted nature of the campaign rather than a broad, opportunistic attack, Trend Micro acknowledged.<\/p>\n<p>\u201cCharon ransomware demonstrates how APT-level techniques are now being leveraged in ransomware attacks, dramatically increasing the threat to critical sectors such as aviation, healthcare, BFSI, and public services. Plus, custom ransom notes tailored for each victim further raise the psychological pressure on targeted organizations,\u201d said Amit Jaju, senior managing director \u2013 India at Ankura Consulting.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Possible Earth Baxia overlap<\/strong><\/h2>\n<p>Trend Micro\u2019s analysis revealed technical similarities between Charon\u2019s methods and tactics previously used by the Earth Baxia group, a threat actor known for targeting government sectors. While the company could not conclusively link Charon to Earth Baxia, it noted an overlap in the use of the same binary\/DLL toolchain for encrypted shellcode delivery. 
This suggests possible direct involvement, deliberate imitation, or independent development of similar techniques.<\/p>\n<p>The Charon incident underscores a growing risk for enterprises as <a href=\"https:\/\/www.csoonline.com\/article\/3838121\/the-dirty-dozen-12-worst-ransomware-groups-active-today.html\">ransomware operators<\/a> are increasingly adopting APT-level tactics. While DLL sideloading is a common technique, it was implemented using matching toolchains and encrypted payload delivery. This evolution means organizations must harden defenses against threats that now blend criminal intent with APT-grade techniques.<\/p>\n<p>\u201cAPT techniques are sophisticated, systematically infiltrating systems by quietly sideloading encrypted malware payloads. These attacks often evade security controls by creating subtle anomalies that are difficult to detect,\u201d said Neil Shah, vice president at Counterpoint Research.<\/p>\n<p>Shah added that threat actors often exploit common vulnerabilities, such as a lack of Multi-Factor Authentication (MFA), the absence of a Zero Trust security model, or poor access control. While addressing these weaknesses is foundational, basic security hygiene is non-negotiable. This includes enforcing stronger compliance policies that limit which executables can run and load DLLs, blocking sideloading attempts, and improving access and privilege policy hygiene.<\/p>\n<p>Experts believe CISOs should rethink their ransomware detection, prevention, and response strategies.<\/p>\n<p>\u201cCISOs should counter APT-style ransomware like Charon with strict binary allowlisting to block non-standard DLL loads, behavioral detection for process injection and suspicious decryption even from trusted binaries, and layered defenses combining EDR, XDR, threat hunting, and anomaly monitoring,\u201d said Pareekh Jain, CEO at EIIRTrend &amp; Pareekh Consulting. 
They must also strengthen audit and telemetry to flag unusual files, drivers, or trust-chain changes, and run targeted-attack drills simulating Charon\u2019s tactics to ensure rapid recovery and effective network segmentation.<\/p>\n<p>To counter these threats, organizations should also strengthen defenses against <a href=\"https:\/\/www.csoonline.com\/article\/3600750\/infostealers-are-using-byovd-to-steal-critical-system-data.html\">bring-your-own-vulnerable-driver (BYOVD)<\/a> attacks, segment network environments to contain potential compromises, implement strict application allowlisting, and maintain offline immutable backups to ensure recoverability, added Jaju. Additionally, detection efforts should focus on identifying DLL sideloading techniques and patterns of multi-threaded encryption activity to uncover and respond to evolving ransomware threats like Charon promptly. <\/p>\n<p>In July, Trend Micro had tracked <a href=\"https:\/\/www.csoonline.com\/article\/4019468\/trend-micro-flags-bert-a-rapidly-growing-ransomware-threat.html\">BERT<\/a>, another ransomware group targeting critical infrastructure sectors, including healthcare, technology, and event services, in Asia, Europe, and the US.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Trend Micro has identified a new ransomware strain, Charon, which is being deployed in highly targeted attacks against aviation and public sector entities in the Middle East. 
Unlike conventional ransomware, Charon leverages advanced persistent threat (APT)-style techniques, such as DLL sideloading, process injection, and endpoint security evasion, to infiltrate systems, disable defenses, and deliver customized [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4366,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4365","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4365"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4365"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4365\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4366"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}