New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises
A new ransomware family called Charon has been identified, targeting the Middle East's public sector and aviation industry. The attack employs sophisticated APT-style techniques, including DLL sideloading, process injection, and anti-EDR capabilities. Charon uses a multistage payload extraction technique and a hybrid cryptographic scheme combining Curve25519 with the ChaCha20 cipher. The ransomware exhibits network propagation capabilities and includes a dormant anti-EDR component. The campaign demonstrates a concerning trend of ransomware operators adopting APT-level techniques, posing an elevated risk to organizations. Defending against Charon requires a multilayered approach, including hardening against DLL sideloading, limiting lateral movement, strengthening backup capabilities, and reinforcing user awareness.
AI Analysis
Technical Summary
Charon is a newly identified ransomware family that leverages advanced persistent threat (APT)-style techniques attributed to the Earth Baxia adversary group. It primarily targets enterprises in the Middle East's public sector and aviation industry but demonstrates capabilities that could pose risks globally. The ransomware employs sophisticated evasion tactics such as DLL sideloading, which allows it to load malicious DLLs under the guise of legitimate processes, and process injection to stealthily execute code within trusted processes. It also includes anti-Endpoint Detection and Response (EDR) mechanisms, including a dormant anti-EDR component that can activate to evade detection tools. Charon uses a multistage payload extraction technique, complicating detection and analysis, and employs a hybrid cryptographic scheme combining Curve25519 for key exchange and ChaCha20 for encryption, ensuring strong cryptographic protection of victim data. The ransomware exhibits network propagation capabilities, enabling it to spread laterally within compromised networks, increasing its impact. The campaign reflects a concerning evolution where ransomware operators adopt sophisticated APT-level tactics, increasing the complexity and potential damage of attacks. Defending against Charon requires a multilayered security approach focusing on hardening systems against DLL sideloading, restricting lateral movement through network segmentation and strict access controls, enhancing backup and recovery strategies to mitigate ransomware impact, and reinforcing user awareness to prevent initial infection vectors such as phishing. Indicators of compromise include specific file hashes that can be used for detection and response. Although currently observed primarily in the Middle East, the advanced techniques and targeting of critical sectors like aviation suggest a broader potential threat landscape.
Potential Impact
For European organizations, the emergence of Charon ransomware represents a significant threat, especially for sectors analogous to those targeted in the Middle East, such as public sector entities and aviation companies. The use of advanced evasion techniques and network propagation capabilities means that once inside a network, Charon can spread rapidly, encrypting critical systems and data, leading to operational disruption, financial losses, and reputational damage. The hybrid cryptographic scheme complicates decryption efforts, increasing the likelihood that victims must pay ransoms or suffer permanent data loss. The dormant anti-EDR features pose challenges for detection and incident response teams, potentially allowing the ransomware to remain undetected for extended periods. European organizations with complex IT environments and interconnected systems are particularly vulnerable to lateral movement exploitation. Additionally, the adoption of APT-level tactics by ransomware actors signals a shift towards more targeted, persistent, and sophisticated attacks, requiring European enterprises to elevate their defensive postures. The aviation sector in Europe, a critical infrastructure component, could face severe operational and safety risks if targeted. Public sector organizations may also be at risk of data breaches and service interruptions, impacting citizens and government functions.
Mitigation Recommendations
1. Implement strict application whitelisting and monitor for DLL sideloading attempts by validating DLL signatures and origins.
2. Employ advanced endpoint protection solutions capable of detecting process injection and anomalous behaviors associated with anti-EDR techniques.
3. Enforce network segmentation and zero-trust principles to limit lateral movement, including restricting administrative privileges and using micro-segmentation in critical environments.
4. Maintain robust, immutable, and regularly tested backups stored offline or in isolated environments to ensure recovery without paying ransom.
5. Conduct targeted user awareness training focused on phishing and social engineering tactics, as initial infection vectors often involve user interaction.
6. Monitor network traffic for unusual propagation patterns and implement intrusion detection systems tuned to detect lateral movement techniques.
7. Regularly update and patch systems to reduce attack surface, even though no specific CVEs are currently linked to Charon.
8. Establish incident response plans that include rapid containment and eradication procedures tailored to sophisticated ransomware threats.
9. Collaborate with threat intelligence sharing communities to stay informed about emerging indicators and tactics related to Charon and Earth Baxia.
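As an added example (not code from Trend Micro, AlienVault or this page), the following hunt applies recommendation 1 to Sysmon Event ID 7 (Image Loaded) records: it flags an unsigned DLL loaded from the same directory as its host executable outside the Windows system directories, and separately matches the loaded file's SHA-1 against the three indicators listed on this page. The field names (Image, ImageLoaded, Hashes, Signed, SignatureStatus) are Sysmon's own; the JSON-lines form and all sample records are constructed for the example.

```python
import json
from pathlib import PureWindowsPath
CHARON_SHA1 = {  # SHA-1 indicators listed on this page (40 hex chars = SHA-1)
    "21b233c0100948d3829740bd2d2d05dc35159ccb",
    "92750eb5990cdcda768c7cb7b654ab54651c058a",
    "a1c6090674f3778ea207b14b1b55be487ce1a2ab",
}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Constructed Sysmon Event ID 7 (Image Loaded) records as JSON lines; every path
# and every hash other than the three indicators above is made up for this example.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\shell32.dll", "Hashes": "SHA1=1111111111111111111111111111111111111111", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"Image": "C:\\Users\\Public\\vendor\\updater.exe", "ImageLoaded": "C:\\Users\\Public\\vendor\\helper.dll", "Hashes": "SHA1=2222222222222222222222222222222222222222", "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"}
{"Image": "C:\\Users\\Public\\vendor\\updater.exe", "ImageLoaded": "C:\\Users\\Public\\vendor\\plugin.dll", "Hashes": "SHA1=21B233C0100948D3829740BD2D2D05DC35159CCB,MD5=00000000000000000000000000000000", "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"}
{"Image": "C:\\Users\\Public\\vendor\\updater.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Hashes": "SHA1=3333333333333333333333333333333333333333", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
""".strip().splitlines()

def parse_hashes(field):
    """Sysmon writes 'SHA1=...,MD5=...'; return {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out

def classify(event):
    """Findings for one Image Loaded record; an empty list means nothing suspicious."""
    findings = []
    host, dll = PureWindowsPath(event["Image"]), PureWindowsPath(event["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return findings
    if parse_hashes(event.get("Hashes", "")).get("SHA1") in CHARON_SHA1:
        findings.append("sha1 matches published Charon indicator")
    same_dir = str(dll.parent).lower() == str(host.parent).lower()
    trusted_dir = str(dll).lower().startswith(SYSTEM_DIRS)
    unsigned = event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid"
    # Classic sideloading layout: an unsigned DLL sitting beside the executable that
    # loaded it, outside the Windows system directories (recommendation 1 above).
    if same_dir and not trusted_dir and unsigned:
        findings.append("unsigned DLL loaded from the host executable's own directory")
    return findings

def hunt(lines):
    """Return [(dll_path, findings)] for the JSON-line records that produce findings."""
    hits = []
    for event in map(json.loads, lines):
        if found := classify(event):
            hits.append((event["ImageLoaded"], found))
    return hits
```

Running `hunt(SAMPLE_EVENTS)` returns the two records from the vendor directory: helper.dll on the sideloading heuristic alone, plugin.dll on both the heuristic and the hash match; the two System32 loads produce nothing.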
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Czech Republic
Indicators of Compromise
- hash: 21b233c0100948d3829740bd2d2d05dc35159ccb
- hash: 92750eb5990cdcda768c7cb7b654ab54651c058a
- hash: a1c6090674f3778ea207b14b1b55be487ce1a2ab
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.trendmicro.com/en_us/research/25/h/new-ransomware-charon.html
- Adversary: Earth Baxia
- Pulse Id: 689b2780c21f5f675ae44730
- Threat Score: null
Threat ID: 689b65a8ad5a09ad00343049
Added to database: 8/12/2025, 4:02:48 PM
Last enriched: 8/12/2025, 4:19:42 PM
Last updated: 8/17/2025, 12:29:06 PM