Charon Ransomware Emerges With APT-Style Tactics

  • August 12, 2025

Jasper_The_Rasper
Moderator

The first documented deployment of the novel malware in a campaign against the Middle Eastern public sector and aviation industry may be tied to China's state-sponsored actor Earth Baxia.

August 11, 2025 By Elizabeth Montalbano

An emerging ransomware actor is using sophisticated techniques in the style of an advanced persistent threat group (APT) to target organizations with customized ransom demands, posing a significant risk to businesses.

Charon is a new ransomware family (named for the ferryman from Greek mythology who carried souls across the River Styx to Hades); Trend Micro observed it being deployed in a targeted attack in the Middle East's public sector and aviation industry — the first such record of Charon observed in the wild, according to new research from the firm.

The ransomware leverages techniques such as DLL sideloading, process injection, and anti-EDR capabilities, which are typically the hallmark of advanced threat actors and — in this case — reminiscent of campaigns by the group Earth Baxia, according to a Trend Micro blog post published today.

"The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload," Trend Micro threat researchers wrote in the post.

>>Full Article<<
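
One way to hunt for the pattern quoted above (a legitimate executable running under a new name and loading a DLL from its own directory), added here as an example and not taken from the article or from Trend Micro. The events are constructed and simplified from Sysmon Event ID 1 and Event ID 7 fields; the directory, PIDs and the function name are assumptions.

```python
import ntpath  # parses Windows paths on any OS

# Constructed sample events, simplified from Sysmon Event ID 1 (process
# creation) and Event ID 7 (image load). Directories and PIDs are invented.
EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\ExampleDir\Edge.exe",
     "OriginalFileName": "cookie_exporter.exe"},
    {"EventID": 7, "ProcessId": 4120,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "ProcessId": 4120,
     "ImageLoaded": r"C:\ExampleDir\msedge.dll"},
    # Benign control: name matches its version resource (case aside).
    {"EventID": 1, "ProcessId": 5200,
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
    {"EventID": 7, "ProcessId": 5200,
     "ImageLoaded": r"C:\Windows\System32\textshaping.dll"},
]


def find_sideload_candidates(events):
    """Flag DLLs loaded from the directory of a renamed executable."""
    renamed = {}  # ProcessId -> (image path, OriginalFileName)
    hits = []
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            image, orig = ev["Image"], ev.get("OriginalFileName", "")
            # On-disk name differs from the name in the PE version resource.
            if orig and ntpath.basename(image).lower() != orig.lower():
                renamed[pid] = (image, orig)
            else:
                renamed.pop(pid, None)  # PID reused by a normally named image
        elif ev["EventID"] == 7 and pid in renamed:
            image, orig = renamed[pid]
            loaded = ev["ImageLoaded"]
            same_dir = (ntpath.dirname(loaded).lower()
                        == ntpath.dirname(image).lower())
            if same_dir and loaded.lower().endswith(".dll"):
                hits.append({"process": image, "original_name": orig,
                             "dll": loaded})
    return hits


if __name__ == "__main__":
    for hit in find_sideload_candidates(EVENTS):
        print("review:", hit)
```

A hit is a lead for review, not a verdict: some installers and portable tools legitimately run under a different file name.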