Charon Ransomware: APT-Level Sophistication Meets Enterprise Targeting

Charon is a newly discovered ransomware family that represents a concerning evolution in cyber threats, combining advanced persistent threat (APT) techniques with destructive ransomware operations. This sophisticated ransomware has been observed in targeted attacks against enterprises, particularly in the Middle East’s public sector and aviation industry.

Connection to Earth Baxia APT Techniques

The most striking aspect of Charon ransomware is its use of techniques notably similar to those employed by the Earth Baxia APT group. Earth Baxia is a China-linked threat actor that has been actively targeting government organizations, telecommunications companies, and energy sectors across the Asia-Pacific (APAC) region.

The technical overlap between Charon and Earth Baxia operations includes:

  • DLL sideloading methodology using identical toolchains
  • Encrypted shellcode delivery through the same binary-DLL combination
  • Sophisticated evasion techniques typical of state-sponsored operations

While clear technical convergence is observable, definitive attribution of Charon to Earth Baxia cannot be made without additional corroborating evidence such as shared infrastructure or consistent targeting patterns.

Technical Attack Chain and Capabilities

Initial Execution Method

Charon employs a multi-stage DLL sideloading technique to evade detection. The attack begins with a legitimate binary called Edge.exe (originally named cookie_exporter.exe) that sideloads a malicious DLL named msedge.dll, also known as SWORDLDR.

Payload Delivery Process

The payload is delivered through several layers of encryption:

  • The loader decrypts an embedded file called DumpStack.log containing encrypted shellcode
  • After multiple decryption stages, the final Charon ransomware payload is extracted
  • The malware injects itself into svchost.exe processes to masquerade as legitimate Windows services

Command-Line Parameters

Charon accepts several operational parameters that control its behavior:

Parameter                  Function
--debug=<path>             Enables error logging to the specified file path
--shares=<network shares>  Targets network servers and encrypts accessible shares (except ADMIN$)
--paths=<specific path>    Specifies local paths or drive letters to encrypt
--sf                       “Shares First”: prioritizes network shares over local drives
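The sideloading pair (Edge.exe with OriginalFileName cookie_exporter.exe loading msedge.dll from its own folder) and the switches above are concrete things a detection rule can key on. The following is an added example, not code from the report or from the malware: it scores constructed process-creation/image-load events, and the event schema (image, original_name, loaded, cmdline) is an assumption chosen for illustration.

```python
import ntpath
import re

# Charon switches exactly as documented on this page; value-taking ones use '='.
FLAG_RE = re.compile(r"(?<!\S)(--(?:debug|shares|paths)=[^\s]+|--sf)(?!\S)")

# Constructed sample events (not real telemetry). Field names are an assumption:
# image/original_name from process creation, loaded from image-load events.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Public\Edge.exe", "original_name": "cookie_exporter.exe",
     "loaded": [r"C:\Users\Public\msedge.dll"],
     "cmdline": r"Edge.exe --sf --shares=\\fileserver\data --debug=C:\Users\Public\err.log"},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "original_name": "msedge.exe",
     "loaded": [r"C:\Program Files (x86)\Microsoft\Edge\Application\1.0\msedge.dll"],
     "cmdline": "msedge.exe --profile-directory=Default"},
]

def charon_args(cmdline):
    """Map each Charon-style switch in a command line to its value ('' for --sf)."""
    out = {}
    for tok in FLAG_RE.findall(cmdline):
        flag, _, value = tok.partition("=")
        out[flag] = value
    return out

def assess(ev):
    """Return (score, reasons) for one event; any non-zero score deserves analyst review."""
    reasons = []
    image = ev["image"].lower()
    exe_dir = ntpath.dirname(image)
    # Sideload pattern: Edge.exe whose msedge.dll is loaded from the binary's own folder
    # (the real browser is msedge.exe and lives under Program Files).
    sideloaded = [m for m in ev.get("loaded", [])
                  if ntpath.basename(m).lower() == "msedge.dll"
                  and ntpath.dirname(m.lower()) == exe_dir]
    if ntpath.basename(image) == "edge.exe" and sideloaded and "program files" not in exe_dir:
        reasons.append("msedge.dll sideloaded from %s" % exe_dir)
    if ev.get("original_name", "").lower() == "cookie_exporter.exe":
        reasons.append("OriginalFileName cookie_exporter.exe running as Edge.exe")
    args = charon_args(ev.get("cmdline", ""))
    if "--shares" in args or "--sf" in args:
        reasons.append("network-share encryption switches: " + ", ".join(sorted(args)))
    elif args:
        reasons.append("Charon-style switches: " + ", ".join(sorted(args)))
    return len(reasons), reasons

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(assess(ev))
```

Feeding real Sysmon or EDR telemetry requires mapping its field names onto the assumed schema; the three checks are independent, so a hit on any one of them is enough to open a case.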

Encryption Strategy

Charon implements a partial encryption approach to balance speed and effectiveness:

  • Files ≤ 64KB: Fully encrypted
  • Files 64KB-5MB: Encrypts 3 chunks at beginning (0%), middle (50%), and end (75%)
  • Files 5MB-20MB: Encrypts 5 evenly distributed chunks
  • Files >20MB: Encrypts 7 chunks at strategic positions

Defensive Capabilities and Evasion

Anti-Security Measures

Before initiating encryption, Charon systematically disables security protections by terminating numerous security-related services and processes, including backup software, antivirus solutions, and endpoint protection tools. The ransomware targets services from major security vendors like Symantec, Sophos, and Veeam.

EDR Evasion

Particularly concerning is Charon’s inclusion of a driver compiled from the public Dark-Kill project, specifically designed to disable endpoint detection and response (EDR) solutions. This demonstrates the ransomware’s sophisticated approach to bypassing modern security controls.

Network Propagation

The malware also propagates across the network: it enumerates reachable shares with the NetShareEnum and WNetEnumResource APIs and encrypts those it can access, which lets it spread laterally through a compromised environment.
