Overview
Charon is a newly discovered ransomware strain emerging in mid-2025, characterized by a blend of APT-style tactics and precision targeting. It has been deployed against public sector and aviation organizations in the Middle East using advanced evasion methods such as DLL sideloading, process injection, and hybrid encryption, making it both stealthy and fast.
Known Aliases
No alternative names or variants have been publicly reported.
Country of Origin
Unconfirmed; techniques mirror those used by Earth Baxia (China-linked APT), although attribution is unverified and may represent imitation.
Notable Attacks / Victims of Charon Ransomware
- Targeted Middle East public sector and aviation industry, delivering customized ransom notes naming the specific organization involved.
MITRE ATT&CK Tactics & Techniques Used by Charon Ransomware
Tactic | Technique Description | ID |
---|---|---|
Initial Access | DLL Side-Loading via legitimate binary (Edge.exe) | T1574.002 |
Execution | Process Injection into svchost.exe | T1055 |
Defense Evasion | Disabling security services, deleting backups, emptying Recycle Bin | T1562.001, T1070.004 |
Privilege Escalation/BYOVD | Bring Your Own Vulnerable Driver (dormant anti-EDR driver: WWC.sys) | — |
Encryption / Impact | Partial multithreaded encryption, Shadow Copy deletion, custom ext .Charon | T1486, T1490 |
Network Propagation | Network share enumeration and encryption (excluding ADMIN$) | T1083/T1021 |
Charon Malware Characteristics
- Custom pipeline: DLL sideload → multistage loader → injected payload
- Hybrid encryption: Curve25519 for key exchange and ChaCha20 for file encryption
- Infection marker: .Charon file extension and victim-specific ransom note text
- Embedded anti-EDR driver code reserved for future use
Common Infiltration Methods
While the initial access vector remains unknown, the complexity and precision of the campaign point to likely methods such as spear-phishing, social engineering, or exploitation of unpatched public-facing services.
Summary
Charon represents a significant escalation in ransomware sophistication, merging advanced APT techniques with targeted ransomware deployment. Controls such as binary allowlisting, DLL load monitoring, behavioral heuristics for process injection, EDR protection hardening, and network segmentation are critical deterrents.
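The DLL load monitoring and process injection heuristics recommended above can be expressed as simple triage rules over endpoint telemetry. The following is an added example, not code from the original profile or any vendor; it assumes Sysmon-style event IDs (1 ProcessCreate, 7 ImageLoad, 8 CreateRemoteThread, 11 FileCreate) with simplified field names, and all sample events, paths and the DLL name are constructed.

```python
from pathlib import PureWindowsPath

TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")
SIDELOAD_HOSTS = {"edge.exe"}  # legitimate host binary named in the profile

def _trusted(path):
    """True when a path sits under a directory system images normally load from."""
    return path.lower().startswith(TRUSTED_DIRS)

def triage(event):
    """Return (rule, ATT&CK id) hits for one event dict; empty list if benign."""
    hits = []
    eid = event["event_id"]
    if eid == 7:  # ImageLoad: trusted host loading a DLL from an untrusted path
        host = PureWindowsPath(event["image"]).name.lower()
        if host in SIDELOAD_HOSTS and not _trusted(event["image_loaded"]):
            hits.append(("dll_sideload_untrusted_path", "T1574.002"))
    elif eid == 8:  # CreateRemoteThread: non-system source injecting into svchost
        target = PureWindowsPath(event["target_image"]).name.lower()
        if target == "svchost.exe" and not _trusted(event["source_image"]):
            hits.append(("remote_thread_into_svchost", "T1055"))
    elif eid == 1:  # ProcessCreate: shadow copy deletion
        cmd = event.get("command_line", "").lower()
        if "vssadmin" in cmd and "delete shadows" in cmd:
            hits.append(("shadow_copy_deletion", "T1490"))
    elif eid == 11:  # FileCreate: encrypted output carrying the profile's extension
        if event["target_filename"].lower().endswith(".charon"):
            hits.append(("charon_extension_written", "T1486"))
    return hits

def triage_all(events):
    """Flatten hits across a batch, keyed by each event's own record id."""
    return [(e["id"], rule, tid) for e in events for rule, tid in triage(e)]

# Constructed sample telemetry (paths and DLL name are made up for this example).
SAMPLE_EVENTS = [
    {"id": 1, "event_id": 7, "image": r"C:\Users\pub\Edge.exe",
     "image_loaded": r"C:\Users\pub\example.dll"},
    {"id": 2, "event_id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": 3, "event_id": 8, "source_image": r"C:\Users\pub\Edge.exe",
     "target_image": r"C:\Windows\System32\svchost.exe"},
    {"id": 4, "event_id": 1, "command_line": "vssadmin delete shadows /all /quiet"},
    {"id": 5, "event_id": 11, "target_filename": r"D:\share\report.docx.Charon"},
    {"id": 6, "event_id": 11, "target_filename": r"D:\share\report.docx"},
]
```

Events 2 and 6 are benign controls and produce no hits; the other four each map to one row of the ATT&CK table above.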