New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises
Charon ransomware blurs the line between APT operations and cybercrime by adopting techniques previously attributed to Earth Baxia, a state-sponsored threat actor. Its operators leverage DLL sideloading through legitimate Microsoft Edge binaries, use hybrid Curve25519/ChaCha20 encryption that makes file recovery without the attacker's private key virtually impossible, and employ multi-stage loaders to evade detection. This analysis maps the crossover between APT tradecraft and ransomware operations, including shared infrastructure indicators and tooling overlaps.
Related Research
Charon Ransomware: Advanced Breach and Lateral Movement
Research exposing the newly identified Charon ransomware and its advanced methods for breaching and spreading within organizations.
Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques
Discovered Agenda ransomware deploying Linux variants on Windows systems via remote management tools and BYOVD techniques for cross-platform evasion.
Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
Uncovered Agenda ransomware group adopting SmokeLoader and a new loader named NETXLOADER for improved delivery and evasion.
Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518
Documented Cerber ransomware operators rapidly weaponizing CVE-2023-22518 in Atlassian Confluence for initial access and encryption deployment.