Avalon Malware Framework Packs CrownX Ransomware Capabilities
What happened
Black Point cybersecurity researchers discovered a previously undocumented modular malware framework called Avalon, which is delivered through a multi-stage phishing chain designed to bypass traditional security controls. The campaign begins with a spoofed legal document email that directs recipients to a password-protected Proton Drive archive. Inside the archive, the malicious content is hidden in an ISO image rather than attached directly to the email, reducing the chance of detection at the email layer.
If the victim opens the document-themed Windows shortcut inside the mounted ISO image, the shortcut launches an MSBuild project that loads an embedded .NET assembly. That assembly interferes with Event Tracing for Windows to reduce forensic visibility, then downloads another payload over HTTPS to launch Avalon. The framework includes credential theft, lateral movement, remote access, recovery disruption, and ransomware execution, with the ransomware component internally named CrownX.
Avalon can harvest browser credentials, cookies, history, and bookmarks from Chromium-based browsers and Firefox. It can also collect data from cryptocurrency wallets, Discord, Slack, Teams, OpenVPN, WireGuard, Windows Credential Manager, SSH known hosts, saved RDP connections, Wi-Fi profiles, and Group Policy Preferences cpassword artifacts. The framework exfiltrates data to a remote server and polls that server for tasking commands.
The CrownX ransomware component encrypts files tied to business operations, software development, engineering, data storage, and virtual infrastructure. It also attempts to weaken recovery by terminating the Volume Shadow Copy Service, deleting shadow copies, removing traces of artifacts, and directly interacting with disk structures in ways that could damage partition information, boot records, or other critical drive areas. Researchers also said Avalon shows signs of AI-assisted development, suggesting that complex malware capability is no longer a reliable indicator of a highly skilled or mature operator.
Who is affected
Organizations are affected if employees receive and interact with the spoofed legal document lure, especially if they open password-protected archives or mounted ISO files from untrusted sources.
Windows environments are directly at risk because the attack chain relies on Windows shortcuts, MSBuild, .NET payloads, and endpoint defense evasion.
The impact can extend beyond a single infected endpoint. Avalon can steal credentials and access tokens, collect data from collaboration tools and VPN clients, identify paths for lateral movement, communicate with command-and-control infrastructure, and eventually deploy ransomware through CrownX.
Why CISOs should care
Avalon shows how a single phishing lure can lead to a full intrusion chain: credential theft, stealth, command-and-control, lateral movement preparation, recovery disruption, and ransomware execution.
For CISOs, the ISO and shortcut delivery method matters because it abuses familiar Windows behaviors and file types that may not be treated as high-risk by users or email controls. Password-protected archives also make gateway inspection harder.
The framework’s targeting of browsers, wallets, collaboration apps, VPN tools, RDP data, Wi-Fi profiles, and Windows Credential Manager shows how attackers can quickly turn one compromised endpoint into broader organizational access.
The AI-assisted development angle is also important. Even if Avalon lacks elite tradecraft, it still combines many dangerous capabilities. Security teams should assess malware based on behavior and impact, not assumptions about actor sophistication.
3 practical actions
Block risky archive and ISO workflows: Avalon begins with a password-protected archive and ISO image containing a malicious Windows shortcut. Security teams should restrict ISO mounting, flag document-themed shortcut files, and treat password-protected external archives as high-risk.
Monitor for MSBuild and .NET abuse: The malware chain uses MSBuild and an embedded .NET assembly to continue execution. Defenders should alert on unusual MSBuild launches from mounted images, user directories, or archive-extracted paths.
Prepare for ransomware plus credential theft: CrownX is only the final stage of Avalon. CISOs should pair ransomware defenses with credential theft detection, session revocation, shadow copy monitoring, backup isolation, and investigation of browser, VPN, RDP, and collaboration app data access.
Cybersecurity in the news:
PamStealer Mimics Maccy Clipboard Manager to Harvest macOS Data
IBM-Managed Environment Breach Exposes Singapore Land Authority Data
European Parliament Spyware Investigator Hacked With Pegasus
North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
UK National Cyber Action Plan Delayed Amid Labour Leadership Crisis
Flipper Zero Firmware Development Continues With Community Help


