New Charon Ransomware Uses DLL Sideloading and Anti-EDR Tactics in Targeted Attacks
gbhackers
Trend Micro researchers have uncovered a novel ransomware family dubbed Charon, deployed in a sophisticated campaign targeting the public sector and aviation industry in the Middle East.
This operation employs advanced persistent threat (APT)-style techniques, including DLL sideloading via a legitimate Edge.exe binary (originally cookie_exporter.exe) to load a malicious msedge.dll loader known as SWORDLDR.
Discovery of Charon in Middle East Operations
The loader decrypts shellcode hidden in a file named DumpStack.log; the decrypted blob contains multilayered payloads.
Forensic analysis revealed that the initial decryption layer exposes configuration data specifying process injection into svchost.exe, enabling the malware to masquerade as a legitimate Windows service and evade endpoint security.
A second decryption layer yields the final portable executable (PE) of Charon, which proceeds to encrypt files, appending the .Charon extension and the infection marker “hCharon is enter to the urworld!”.
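As an added defender-side example (not code from Trend Micro or gbhackers), the following Python triage script walks a directory tree for the artifact chain described above: the Edge.exe, msedge.dll and DumpStack.log triad sitting together outside Edge's normal install path, and files carrying the .Charon extension or the infection marker. The expected Edge install directories, the constructed sample tree and the assumption that the marker lies within the first few megabytes of a file are mine, not taken from the report.

```python
import os
import tempfile
from pathlib import Path

MARKER = b"hCharon is enter to the urworld!"          # infection marker from the report
TRIAD = {"edge.exe", "msedge.dll", "dumpstack.log"}    # sideloading artifact set
# Assumption: Edge's normal install trees; the triad anywhere else is suspect.
EXPECTED_EDGE_DIRS = (r"c:\program files (x86)\microsoft\edge\application",
                      r"c:\program files\microsoft\edge\application")

def find_sideload_triads(root):
    """Directories holding Edge.exe, msedge.dll and DumpStack.log together,
    outside the expected Edge install path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        if TRIAD <= names and not dirpath.lower().startswith(EXPECTED_EDGE_DIRS):
            hits.append(dirpath)
    return sorted(hits)

def find_encrypted_files(root, max_bytes=4 * 1024 * 1024):
    """Files carrying the .Charon extension or the infection marker."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        with p.open("rb") as fh:
            head = fh.read(max_bytes)  # assumption: marker lies within the first max_bytes
        if p.suffix.lower() == ".charon" or MARKER in head:
            hits.append(str(p))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample tree that mimics the layout the report describes."""
    root = tempfile.mkdtemp(prefix="charon_triage_")
    tools, docs = Path(root, "tools"), Path(root, "docs")
    tools.mkdir()
    docs.mkdir()
    for name in ("Edge.exe", "msedge.dll", "DumpStack.log"):
        (tools / name).write_bytes(b"placeholder, not a real sample")
    (docs / "budget.xlsx.Charon").write_bytes(os.urandom(64))
    (docs / "memo.txt").write_bytes(b"plain text" + MARKER)   # marker appended
    (docs / "clean.txt").write_bytes(b"nothing suspicious here")
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    print("sideload triads:", find_sideload_triads(sample))
    print("encrypted files:", find_encrypted_files(sample))
```

Point the two finder functions at a mounted image or live volume instead of the constructed tree to use them in an actual triage.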
The customized ransom note, referencing ...
Copyright of this story solely belongs to gbhackers.