
New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A new ransomware family called Charon has been identified, targeting the Middle East's public sector and aviation industry. The attack employs sophisticated APT-style techniques, including DLL sideloading, process injection, and anti-EDR capabilities. Charon uses a multistage payload extraction technique and a hybrid cryptographic scheme combining Curve25519 with the ChaCha20 cipher. The ransomware exhibits network propagation capabilities and includes a dormant anti-EDR component. The campaign demonstrates a concerning trend of ransomware operators adopting APT-level techniques, posing an elevated risk to organizations. Defending against Charon requires a multilayered approach, including hardening against DLL sideloading, limiting lateral movement, strengthening backup capabilities, and reinforcing user awareness.

OPENCTI LABELS :

apt,ransomware,evasion,encryption,middle east,dll sideloading,aviation,network propagation,charon


AI COMMENTARY :

1. Introduction: In recent threat intelligence developments, the new Charon ransomware has emerged as a formidable adversary, leveraging sophisticated APT-level techniques to infiltrate and compromise enterprises. While ransomware is nothing new to the cybersecurity landscape, Charon distinguishes itself through its advanced evasion capabilities and its targeted focus on the Middle East’s public sector and aviation industry. The growing trend of ransomware operators adopting tactics once reserved for elite APT groups raises serious concerns for organizations globally, as they must now confront adversaries with stealth and persistence reminiscent of nation-state actors.

2. Target Profile and Campaign Scope: Charon’s campaign primarily zeroes in on government agencies, critical infrastructure, and aviation companies throughout the Middle East. By honing in on high-value targets where operational disruption yields maximum leverage, its operators enhance both the impact of their attacks and the probability of lucrative ransom payments. The choice of the aviation sector underscores a strategic appetite for maximum disruption and headline-grabbing consequences, amplifying pressure on victims to comply with demands swiftly.

3. APT-Style Techniques in Play: Unlike typical ransomware families, Charon harnesses advanced persistent threat methodologies. Its use of DLL sideloading allows the malware to inject malicious payloads under the guise of trusted software components. Process injection further cloaks its activities from endpoint detection and response (EDR) systems by embedding code into legitimate processes. A dormant anti-EDR module remains hidden until needed, enabling Charon to disable or evade security controls before deploying its encryption routine. These capabilities demonstrate a fusion of ransomware goals with APT-grade stealth and persistence in the network environment.

4. Technical Deep Dive into Payload and Encryption: Charon employs a multistage payload extraction technique that begins with a lightweight dropper executing in memory, followed by a secondary loader that unpacks the full ransomware toolkit. The hybrid cryptographic scheme blends Curve25519 for secure key exchange with the ChaCha20 cipher for high-speed file encryption. This combination ensures both robust security and efficient performance during mass file encryption. Network propagation capabilities allow Charon to move laterally across affected networks, exploiting weak credentials and misconfigured shares to maximize its reach before triggering the encryption phase.

5. Operational Implications and Evasion Strategies: The integration of APT tactics into a ransomware campaign significantly elevates the threat level. Organizations must contend with a stealthy initial infection phase that blends in with legitimate traffic, followed by a covert proliferation stage designed to evade detection. Charon’s use of anti-EDR features means that traditional antivirus and heuristic scanning may fail to intercept the attack in its early stages. In addition, the aviation industry’s legacy systems and specialized software stacks create further blind spots, complicating incident response efforts and extending attacker dwell time.

6. Defense and Mitigation Recommendations: Effective defense against Charon requires a multilayered approach. First, organizations must harden systems against DLL sideloading by enforcing application allowlisting and rigorous code signing policies. Second, monitoring for anomalous process injection behaviors can help detect the initial stages of the attack. Third, network segmentation and stringent access controls limit lateral movement, preventing widespread propagation. Fourth, regular, immutable backups and offline storage ensure that encrypted data can be recovered without paying ransom. Finally, ongoing user awareness training will empower staff to recognize phishing lures and suspicious attachments that serve as the primary infection vector.
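The DLL sideloading behaviour described in sections 3 and 6 can be surfaced from ordinary image-load telemetry. The following is an added example written for this commentary, not code from the report or from any Charon analysis; the record layout imitates Sysmon-style image-load events, the directory lists and DLL names are illustrative assumptions, and every sample record is constructed.

```python
"""Heuristic flagging of DLL sideloading in image-load telemetry.

Added example for the hardening advice above; not code from the report or
from any Charon analysis. Record layout mimics Sysmon image-load events
(process image, loaded module, signature status); all records are constructed.
"""
import ntpath

# Where genuine Windows system DLLs live (assumption: default install paths).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "c:\\programdata\\", "c:\\users\\public\\")
# Illustrative names of DLLs that should only ever resolve to SYSTEM_DIRS.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll"}


def sideload_reason(event):
    """Return a short reason if the load looks like sideloading, else None."""
    image = event["image"].lower()
    dll = event["loaded"].lower()
    name = ntpath.basename(dll)
    # Rule 1: a system DLL name resolved outside the system directories means
    # the loader found a planted copy first (search-order abuse).
    if name in SYSTEM_DLL_NAMES and not dll.startswith(SYSTEM_DIRS):
        return f"system DLL {name} loaded from {ntpath.dirname(dll)}"
    # Rule 2: a signed host loading an unsigned DLL that sits beside it in a
    # user-writable directory: the trusted binary is being used as a carrier.
    same_dir = ntpath.dirname(image) == ntpath.dirname(dll)
    writable = any(marker in dll for marker in USER_WRITABLE)
    if event["image_signed"] and not event["dll_signed"] and same_dir and writable:
        return f"signed {ntpath.basename(image)} loaded unsigned {name} from its own writable dir"
    return None


def scan(events):
    """Return (index, reason) for every suspicious event, in order."""
    return [(i, r) for i, e in enumerate(events) if (r := sideload_reason(e))]


# Constructed sample telemetry: one benign load, then the two sideloading patterns.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe", "loaded": r"C:\Windows\System32\version.dll",
     "image_signed": True, "dll_signed": True},
    {"image": r"C:\Users\alice\AppData\Local\Temp\vendor_tool.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "image_signed": True, "dll_signed": False},
    {"image": r"C:\ProgramData\updater\updater.exe", "loaded": r"C:\ProgramData\updater\helper.dll",
     "image_signed": True, "dll_signed": False},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Both rules are deliberately noisy enough to tune: allowlisting known vendor install directories under Rule 2 is the usual first adjustment in production.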

7. Conclusion: The advent of Charon ransomware marks a dangerous evolution in threat actor tradecraft, blending the high stakes of ransomware extortion with the stealth and sophistication of APT operations. As operators continue to refine evasion techniques and encryption methods, organizations in the Middle East and beyond must remain vigilant and proactive. By adopting comprehensive defensive strategies and fostering resilience through layered security controls, enterprises can mitigate the risk posed by Charon and safeguard critical infrastructure from this next generation of ransomware threats.

