{
  "name": "New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises",
  "slug": "new-ransomware-charon-uses-earth-baxia-apt-techniques-to-target-enterprises",
  "description": "A new ransomware family called Charon has been identified, targeting the Middle East's public sector and aviation industry. The attack employs sophisticated APT-style techniques, including DLL sideloading, process injection, and anti-EDR capabilities. Charon uses a multistage payload extraction technique and a hybrid cryptographic scheme combining Curve25519 with ChaCha20 cipher. The ransomware exhibits network propagation capabilities and includes a dormant anti-EDR component. The campaign demonstrates a concerning trend of ransomware operators adopting APT-level techniques, posing an elevated risk to organizations. Defending against Charon requires a multilayered approach, including hardening against DLL sideloading, limiting lateral movement, strengthening backup capabilities, and reinforcing user awareness.",
  "published": "2025-08-12T09:37:36+00:00",
  "created_at": "2025-08-12T09:37:36+00:00",
  "modified_at": "2025-08-12T13:49:15+00:00",
  "created_at_opencti": "2025-08-12T09:37:36+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-08-12",
    "apt",
    "aviation",
    "charon",
    "dll sideloading",
    "encryption",
    "evasion",
    "middle east",
    "network-propagation",
    "ransomware"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "14d8b467-8eaf-479a-9656-b0d72e561be4",
        "name": "Charon",
        "slug": "charon"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d114c080-c493-43c4-af01-6841def89eef",
        "name": "Earth Baxia",
        "slug": "earth-baxia"
      }
    ],
    "attack_patterns": [
      {
        "id": "5d2af906-6187-4702-ab9f-590fbe5b1ca3",
        "name": "T1021.002"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Aerospace"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://www.trendmicro.com/en_us/research/25/h/new-ransomware-charon.html",
    "https://otx.alienvault.com/pulse/689b2780c21f5f675ae44730"
  ]
}