New Ransomware Charon Uses Earth Baxia APT Techniques To Target Enterprises

The malware attempts to drop this driver as %SystemRoot%\System32\Drivers\WWC.sys and register it as the “WWC” service. However, our analysis revealed that while this anti-EDR component exists in the data section, it remains dormant and is never called during execution. This suggests that the feature is still under development and hasn’t been activated in this variant, possibly reserved for future versions.
Defending against Charon ransomware
Given the Charon threat actor’s blend of stealth, speed, and evasiveness, a multilayered defense is critical. Here are some actionable best practices for security teams:
- Harden against DLL sideloading and process injection by:
  - Limiting which executables can run and load DLLs, especially in directories commonly abused for sideloading (e.g., app folders, temp locations).
  - Alerting on suspicious process chains, such as Edge.exe or other signed binaries spawning nonstandard DLLs or svchost.exe instances.
  - Watching out for unsigned or suspicious DLLs placed next to legitimate binaries.
- Ensure that EDR and antivirus agents are running with capabilities that prevent malware from disabling, tampering with, or uninstalling the security solutions.
- Limit lateral movement by restricting access between workstations, servers, and sensitive shares. Disable or closely monitor the use of ADMIN$ and other admin shares. Require strong authentication for all remote access.
- Strengthen backup and recovery capabilities by:
  - Maintaining offline or immutable backup copies, separate from production systems, so that backups can't be wiped by ransomware.
  - Regularly validating that backups can be restored and that shadow copy deletion or Recycle Bin emptying won't block recovery.
  - Only allowing backup, shadow copy, and restore rights to specific, monitored accounts.
- Reinforce user awareness and privilege management by:
  - Educating end users and training employees to avoid suspicious attachments, links, and executables, which may initiate the sideloading chain.
  - Limiting user and service accounts to only the permissions needed for their roles to reduce the impact if a system is compromised.
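As an added example that is not from the Trend Micro post, the Python below applies three of the detection points above (signed sideloading hosts spawning svchost.exe, unsigned DLLs beside a signed binary, and installation of the WWC.sys driver service described earlier) to constructed Sysmon-style event lines. The key=value event format, the field names, the host-binary list and the sample paths are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style telemetry (not real Charon telemetry): one event per
# line as key=value pairs. Lines 2-4 model the sideloading chain and the WWC.sys
# driver drop described in the post; lines 1 and 5 are benign controls.
SAMPLE_EVENTS = """\
type=ProcessCreate image=C:\\Windows\\System32\\svchost.exe parent=C:\\Windows\\System32\\services.exe
type=ImageLoad image=C:\\Users\\Public\\app\\Edge.exe loaded=C:\\Users\\Public\\app\\msedge.dll signed=false
type=ProcessCreate image=C:\\Windows\\System32\\svchost.exe parent=C:\\Users\\Public\\app\\Edge.exe
type=ServiceInstall name=WWC path=C:\\Windows\\System32\\Drivers\\WWC.sys
type=ServiceInstall name=Spooler path=C:\\Windows\\System32\\spoolsv.exe
"""

# Signed binaries the post names as sideloading hosts (assumed, extend as needed).
SIDELOAD_HOSTS = {"edge.exe"}
# Driver path and service name the post reports for the dormant anti-EDR component.
ANTI_EDR_DRIVER = re.compile(r"\\system32\\drivers\\wwc\.sys$", re.IGNORECASE)

def parse(line: str) -> Dict[str, str]:
    """Parse 'k=v k=v' where values may contain spaces (Windows paths)."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()

def detect(events: str) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts: List[str] = []
    for line in events.splitlines():
        ev = parse(line)
        kind = ev.get("type")
        if kind == "ServiceInstall" and (
            ev.get("name", "").upper() == "WWC"
            or ANTI_EDR_DRIVER.search(ev.get("path", ""))
        ):
            alerts.append(f"anti_edr_driver_install:{ev.get('path')}")
        elif (kind == "ProcessCreate"
              and basename(ev.get("parent", "")) in SIDELOAD_HOSTS
              and basename(ev.get("image", "")) == "svchost.exe"):
            alerts.append(f"sideload_host_spawns_svchost:{ev['parent']}")
        elif (kind == "ImageLoad"
              and basename(ev.get("image", "")) in SIDELOAD_HOSTS
              and ev.get("signed") == "false"
              and dirname(ev.get("loaded", "")) == dirname(ev["image"])):
            alerts.append(f"unsigned_dll_beside_signed_binary:{ev['loaded']}")
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields three alerts, one for each modelled stage, and none for the two benign lines.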
The Charon ransomware campaign demonstrates the ongoing evolution of ransomware, blending advanced evasion tactics with highly targeted, disruptive capabilities. The convergence of techniques once reserved for APTs compels enterprises to reconsider traditional approaches and strengthen their security posture with layered defenses, proactive threat intelligence, and robust incident response. Beyond immediate business disruption, Charon exposes organizations to data loss, operational downtime, reputational harm, regulatory penalties, and substantial financial costs associated with ransom payments and recovery. The targeted nature of these attacks means that even well-defended networks can be compromised, underscoring the urgent need for resilience and readiness at every level of the organization.
Proactive security with Trend Vision One™
Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.
Trend Vision One™ Threat Intelligence
To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend Research on emerging threats and threat actors.
- Trend Vision One Threat Insights
- Trend Vision One Intelligence Reports (IOC Sweeping)
Hunting Queries
Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Charon ransomware detection
malName: *CHARON* AND eventName: MALWARE_DETECTION
More hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled.
Indicators of Compromise (IOC)
The indicators of compromise for this entry can be found here.