
New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises

Medium
Published: Tue Aug 12 2025 (08/12/2025, 11:37:36 UTC)
Source: AlienVault OTX General

Description

A new ransomware family called Charon has been identified, targeting the Middle East's public sector and aviation industry. The attack employs sophisticated APT-style techniques, including DLL sideloading, process injection, and anti-EDR capabilities. Charon uses a multistage payload extraction technique and a hybrid cryptographic scheme combining Curve25519 with ChaCha20 cipher. The ransomware exhibits network propagation capabilities and includes a dormant anti-EDR component. The campaign demonstrates a concerning trend of ransomware operators adopting APT-level techniques, posing an elevated risk to organizations. Defending against Charon requires a multilayered approach, including hardening against DLL sideloading, limiting lateral movement, strengthening backup capabilities, and reinforcing user awareness.

AI-Powered Analysis

Last updated: 08/12/2025, 16:19:42 UTC

Technical Analysis

Charon is a newly identified ransomware family that leverages advanced persistent threat (APT)-style techniques attributed to the Earth Baxia adversary group. It primarily targets enterprises in the Middle East's public sector and aviation industry but demonstrates capabilities that could pose risks globally. The ransomware employs sophisticated evasion tactics such as DLL sideloading, which allows it to load malicious DLLs under the guise of legitimate processes, and process injection to stealthily execute code within trusted processes. It also includes anti-Endpoint Detection and Response (EDR) mechanisms, including a dormant anti-EDR component that can activate to evade detection tools. Charon uses a multistage payload extraction technique, complicating detection and analysis, and employs a hybrid cryptographic scheme combining Curve25519 for key exchange and ChaCha20 for encryption, ensuring strong cryptographic protection of victim data. The ransomware exhibits network propagation capabilities, enabling it to spread laterally within compromised networks, increasing its impact. The campaign reflects a concerning evolution where ransomware operators adopt sophisticated APT-level tactics, increasing the complexity and potential damage of attacks. Defending against Charon requires a multilayered security approach focusing on hardening systems against DLL sideloading, restricting lateral movement through network segmentation and strict access controls, enhancing backup and recovery strategies to mitigate ransomware impact, and reinforcing user awareness to prevent initial infection vectors such as phishing. Indicators of compromise include specific file hashes that can be used for detection and response. Although currently observed primarily in the Middle East, the advanced techniques and targeting of critical sectors like aviation suggest a broader potential threat landscape.

Potential Impact

For European organizations, the emergence of Charon ransomware represents a significant threat, especially for sectors analogous to those targeted in the Middle East, such as public sector entities and aviation companies. The use of advanced evasion techniques and network propagation capabilities means that once inside a network, Charon can spread rapidly, encrypting critical systems and data, leading to operational disruption, financial losses, and reputational damage. The hybrid cryptographic scheme complicates decryption efforts, increasing the likelihood that victims must pay ransoms or suffer permanent data loss. The dormant anti-EDR features pose challenges for detection and incident response teams, potentially allowing the ransomware to remain undetected for extended periods. European organizations with complex IT environments and interconnected systems are particularly vulnerable to lateral movement exploitation. Additionally, the adoption of APT-level tactics by ransomware actors signals a shift towards more targeted, persistent, and sophisticated attacks, requiring European enterprises to elevate their defensive postures. The aviation sector in Europe, a critical infrastructure component, could face severe operational and safety risks if targeted. Public sector organizations may also be at risk of data breaches and service interruptions, impacting citizens and government functions.

Mitigation Recommendations

1. Implement strict application whitelisting and monitor for DLL sideloading attempts by validating DLL signatures and origins.
2. Employ advanced endpoint protection solutions capable of detecting process injection and anomalous behaviors associated with anti-EDR techniques.
3. Enforce network segmentation and zero-trust principles to limit lateral movement, including restricting administrative privileges and using micro-segmentation in critical environments.
4. Maintain robust, immutable, and regularly tested backups stored offline or in isolated environments to ensure recovery without paying ransom.
5. Conduct targeted user awareness training focused on phishing and social engineering tactics, as initial infection vectors often involve user interaction.
6. Monitor network traffic for unusual propagation patterns and implement intrusion detection systems tuned to detect lateral movement techniques.
7. Regularly update and patch systems to reduce attack surface, even though no specific CVEs are currently linked to Charon.
8. Establish incident response plans that include rapid containment and eradication procedures tailored to sophisticated ransomware threats.
9. Collaborate with threat intelligence sharing communities to stay informed about emerging indicators and tactics related to Charon and Earth Baxia.


Technical Details

Author: AlienVault
TLP: white
References: https://www.trendmicro.com/en_us/research/25/h/new-ransomware-charon.html
Adversary: Earth Baxia
Pulse Id: 689b2780c21f5f675ae44730
Threat Score: null

Indicators of Compromise

Hash

Type | Value | Description
hash | 21b233c0100948d3829740bd2d2d05dc35159ccb |
hash | 92750eb5990cdcda768c7cb7b654ab54651c058a |
hash | a1c6090674f3778ea207b14b1b55be487ce1a2ab |
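The pulse says these hashes "can be used for detection and response", and mitigation step 9 is about acting on shared indicators. The script below is an added example, not code from the OTX pulse or the Trend Micro report: it takes the three hash values exactly as listed in the table above and matches them against (a) files on disk and (b) hash fields in log text. The hashes are 40 hex characters, i.e. SHA-1 length, so the file scanner hashes with SHA-1; that mapping is an assumption, as is everything else in the block (the helper names, the temp-directory sample file and the log excerpt are all constructed for illustration).

```python
"""
Match file hashes and log text against the Charon IoC hash list.

Added example, not part of the original OTX pulse or Trend Micro report.
The three hashes in CHARON_IOC_HASHES are the ones listed on the page;
file names, log lines and helper names are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Hash values exactly as listed in the page's Indicators of Compromise table.
# They are 40 hex characters long (SHA-1 length), so the scanner uses SHA-1.
CHARON_IOC_HASHES = frozenset({
    "21b233c0100948d3829740bd2d2d05dc35159ccb",
    "92750eb5990cdcda768c7cb7b654ab54651c058a",
    "a1c6090674f3778ea207b14b1b55be487ce1a2ab",
})

HEX40 = re.compile(r"\b[0-9a-fA-F]{40}\b")


def sha1_hex(data: bytes) -> str:
    """SHA-1 of an in-memory byte string, lower-case hex."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size=1 << 20) -> str:
    """Stream the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_ioc_hash(digest: str, ioc_hashes=CHARON_IOC_HASHES) -> bool:
    """Case-insensitive membership test; tools report hashes in either case."""
    return digest.strip().lower() in ioc_hashes


def scan_tree(root, ioc_hashes=CHARON_IOC_HASHES):
    """Hash every regular file under root; return (path, sha1) pairs that match."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:  # unreadable or vanished file: skip, keep scanning
                continue
            if is_ioc_hash(digest, ioc_hashes):
                matches.append((path, digest))
    return matches


def find_ioc_hashes_in_text(text, ioc_hashes=CHARON_IOC_HASHES):
    """Pull every 40-hex token out of log text and keep those on the IoC list.
    Returns (line_number, hash) pairs with 1-based line numbers."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for token in HEX40.findall(line):
            if is_ioc_hash(token, ioc_hashes):
                hits.append((lineno, token.lower()))
    return hits


# Constructed log excerpt: the hash values are the page's IoCs (one in upper
# case, as some tools emit them); host, paths and timestamps are made up.
SAMPLE_LOG = """\
2025-08-12 09:14:03 host=WS-17 event=ProcessCreate image=C:\\ProgramData\\update.exe sha1=21B233C0100948D3829740BD2D2D05DC35159CCB
2025-08-12 09:14:04 host=WS-17 event=ImageLoad image=C:\\Windows\\System32\\kernel32.dll sha1=0000000000000000000000000000000000000000
2025-08-12 09:14:05 host=WS-17 event=ImageLoad image=C:\\ProgramData\\msedge.dll sha1=a1c6090674f3778ea207b14b1b55be487ce1a2ab
"""


def demo_scan():
    """Scan a temp directory holding one constructed file.
    The real IoC files are not available, so the IoC set is extended with the
    constructed sample's own hash to show a positive match end to end."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample content, not a real artefact")
        iocs = CHARON_IOC_HASHES | {sha1_of_file(sample)}
        hits = scan_tree(tmp, iocs)
        return [(Path(p).name, d) for p, d in hits]


if __name__ == "__main__":
    print("file matches:", demo_scan())
    print("log matches:", find_ioc_hashes_in_text(SAMPLE_LOG))
```

Hash matching only catches the exact samples already reported, so it belongs alongside the behavioural controls in the mitigation list (signature validation for loaded DLLs, process-injection detection), not in place of them; the log matcher is the piece worth wiring into an EDR or SIEM search so that new hashes from the pulse can be swept retrospectively.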

Threat ID: 689b65a8ad5a09ad00343049

Added to database: 8/12/2025, 4:02:48 PM

Last enriched: 8/12/2025, 4:19:42 PM

Last updated: 8/17/2025, 12:29:06 PM

