Avalon / CrownX malware framework
Summary
Blackpoint Cyber reported Avalon, a previously undocumented modular Windows malware framework delivered through a legal-document phishing lure; The Hacker News summarized the research publicly on July 3, 2026. Avalon combines credential and wallet theft, reconnaissance, C2 tasking, lateral-movement preparation, recovery disruption, anti-forensic cleanup, destructive disk interaction, and a ransomware component named CrownX.
Tags
- ops
- operations
- malware framework
- ransomware
- credential theft
- browser credential theft
- cryptocurrency wallet theft
- phishing
- ISO image
- LNK
- MSBuild
- .NET malware
- ETW tampering
- EDR evasion
- recovery disruption
- shadow copy deletion
- anti-forensics
- destructive malware
- AI-assisted malware
- Avalon
- CrownX
- Blackpoint Cyber
Attack chain
- Phishing lure: victims receive a spoofed legal-document email that points to a password-protected archive hosted on Proton Drive.
- Container staging: the archive contains an ISO image rather than a directly attached executable, reducing simple email-layer detection opportunities.
- User execution: a document-themed shortcut named `Secure Document CA-283505.pdf.lnk` launches a staged command chain.
- Build-tool execution: the shortcut runs an MSBuild project from the mounted ISO image.
- Loader: the MSBuild project loads an embedded .NET assembly, tampers with Event Tracing for Windows (ETW), and downloads the next-stage payload over HTTPS.
- Framework execution: Avalon starts local reconnaissance, credential and wallet collection, C2 polling, defense evasion, recovery inhibition, cleanup, and ransomware staging.
- Extortion stage: CrownX encrypts business, development, engineering, storage, and virtualization-related files and drops ransom notes with deadline timers.
Capabilities called out publicly
Avalon is notable because it packages several intrusion phases into one framework:
- browser credential, cookie, history, and bookmark theft from Chromium-family browsers and Firefox;
- theft from cryptocurrency wallet applications including MetaMask, Phantom, Coinbase Wallet, Exodus, Electrum, Atomic Wallet, Ledger Live, and Bitcoin Core;
- collection from Discord, Slack, Teams, OpenVPN, WireGuard, Windows Credential Manager, SSH known hosts, saved RDP connections, Wi-Fi profiles, and Group Policy Preferences `cpassword` artifacts;
- exfiltration to `helloxcherry[.]com` and C2 polling for tasking;
- host reconnaissance and prioritization of systems useful for compromise expansion;
- EDR / security-tool-aware evasion covering products named publicly as Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender;
- ETW interference to reduce forensic visibility;
- Volume Shadow Copy Service termination and shadow-copy deletion;
- anti-forensic artifact cleanup;
- direct interaction with disk structures, likely to damage partition information, boot records, or other critical areas.
Why this matters
- Avalon blurs the line between infostealer, remote-access framework, recovery-denial toolkit, and ransomware loader. By the time CrownX appears, credentials and lateral-movement material may already have been exfiltrated.
- The delivery path uses common enterprise-trust seams: legal-document email, cloud-file hosting, ISO mounting, LNK execution, and MSBuild abuse.
- The reported credential targets span browsers, chat, VPN, SSH, RDP, Wi-Fi, Windows Credential Manager, and crypto wallets, so incident response should not scope only encrypted files.
- Blackpoint assessed signs of AI-assisted development. The defensive lesson is important: broad capability coverage no longer reliably implies a mature or highly resourced operator.
- Recovery-denial and disk-damage behavior make evidence preservation and backup isolation time-sensitive.
Defender response
- Treat Avalon/CrownX as a full credential-compromise and ransomware-preparation event, not just a file-encryption incident.
- Preserve email, archive, mounted ISO, LNK, MSBuild, PowerShell/command-line, ETW, EDR, proxy, DNS, and endpoint telemetry before destructive cleanup where feasible.
- Hunt for legal-document lures, password-protected Proton Drive downloads, ISO mounts, `*.pdf.lnk` shortcuts, and MSBuild execution from removable/mounted-image paths.
- Alert on MSBuild loading embedded assemblies or spawning network-capable child processes from user-writable or mounted-image paths.
- Investigate ETW tampering, sudden telemetry gaps, or process behavior that targets EDR user-mode monitoring.
- Hunt for browser, wallet, SSH, RDP, VPN, Wi-Fi, and `cpassword` collection before encryption timestamps; rotate exposed credentials and revoke session tokens.
- Monitor for outbound traffic to `helloxcherry[.]com` and preserve any related DNS/proxy evidence.
- Check for Volume Shadow Copy Service termination, `vssadmin`/WMI shadow-copy deletion patterns, backup-agent impairment, and disk-structure manipulation.
- Isolate affected systems from backup and management networks until C2, credential theft, and lateral-movement preparation are ruled out.
- Review adjacent systems for reuse of harvested credentials, especially remote access, VPN, RDP, source-control, cloud, and privileged Windows accounts.
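The attack chain and the hunting points above translate into a handful of concrete rules. The script below is an added example written for this page, not Blackpoint's detection content or anything from the malware: it runs those rules over constructed Sysmon-style events (process creation, network connection, file creation and DNS query) and reports which hosts match. Field names follow Sysmon's schema; the hostnames, the mounted-image drive letter, the project file name, the second-stage file name and the "interactive launcher" and "suspicious path" heuristics are assumptions to tune for your estate, and the events themselves are made up rather than captured telemetry.

```python
"""Added example: hunt rules for the Avalon/CrownX behaviours on this page,
run over constructed Sysmon-style event dicts. Not Blackpoint's code.
Sysmon EventIDs used: 1 process creation, 3 network connection,
11 file creation, 22 DNS query."""
import re

C2_DOMAIN = "helloxcherry.com"  # helloxcherry[.]com from the reporting, refanged

# Assumptions to tune: MSBuild started by an interactive launcher, or with a
# project under a temp/download/non-system-drive path, covers the page's
# "MSBuild execution from removable/mounted-image paths" case.
INTERACTIVE_LAUNCHERS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                         "wscript.exe", "cscript.exe", "mshta.exe"}
LOLBIN_CHILDREN = INTERACTIVE_LAUNCHERS | {"rundll32.exe", "regsvr32.exe",
                                           "certutil.exe", "bitsadmin.exe"}
SUSPICIOUS_PATH = re.compile(r"\\(temp|tmp|downloads|public|programdata|appdata)\\", re.I)
NON_SYSTEM_DRIVE = re.compile(r"(?<![A-Za-z])[D-Zd-z]:\\")
# Document-themed double extension, e.g. "Secure Document CA-283505.pdf.lnk"
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.lnk\b", re.I)
# Shadow-copy deletion and VSS termination command patterns
SHADOW_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\bdelete\b", re.I),
    re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+vss\b", re.I),
]


def basename(path):
    """Last path component, lower-cased, for image/parent comparisons."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return [(rule, detail), ...] for one Sysmon-style event dict."""
    findings = []
    eid = ev.get("EventID")
    cmd = ev.get("CommandLine", "")
    image = basename(ev.get("Image", ""))
    if eid == 1:
        parent = basename(ev.get("ParentImage", ""))
        if image == "msbuild.exe":
            odd_parent = parent in INTERACTIVE_LAUNCHERS
            odd_path = bool(SUSPICIOUS_PATH.search(cmd) or NON_SYSTEM_DRIVE.search(cmd)
                            or NON_SYSTEM_DRIVE.search(ev.get("CurrentDirectory", "")))
            if odd_parent or odd_path:
                findings.append(("msbuild_untrusted_launch", f"parent={parent} cmd={cmd}"))
        if parent == "msbuild.exe" and image in LOLBIN_CHILDREN:
            findings.append(("msbuild_spawned_lolbin", f"{image} cmd={cmd}"))
        if DOUBLE_EXT_LNK.search(cmd):
            findings.append(("double_extension_lnk", cmd))
        if any(p.search(cmd) for p in SHADOW_TAMPER):
            findings.append(("shadow_copy_tamper", cmd))
    elif eid == 11 and DOUBLE_EXT_LNK.search(ev.get("TargetFilename", "")):
        findings.append(("double_extension_lnk", ev["TargetFilename"]))
    elif eid in (3, 22):
        host = (ev.get("DestinationHostname") or ev.get("QueryName") or "").lower().rstrip(".")
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            findings.append(("c2_domain", f"{image} -> {host}"))
        if eid == 3 and image == "msbuild.exe":  # loader fetching next stage
            findings.append(("msbuild_network", f"-> {host or ev.get('DestinationIp', '?')}"))
    return findings


def hunt(events):
    """Run check_event over a stream; return {host: sorted rule names}."""
    hits = {}
    for ev in events:
        for rule, _detail in check_event(ev):
            hits.setdefault(ev.get("Computer", "?"), set()).add(rule)
    return {h: sorted(r) for h, r in hits.items()}


# Constructed events mirroring the reported chain; not real telemetry.
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"E:\Secure Document CA-283505.pdf.lnk"},
    {"Computer": "WS01", "EventID": 1, "Image": MSBUILD, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": "E:\\", "CommandLine": r"MSBuild.exe E:\project.xml"},
    {"Computer": "WS01", "EventID": 3, "Image": MSBUILD, "DestinationHostname": "helloxcherry.com",
     "DestinationPort": 443},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\Public\stage2.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS01", "EventID": 22, "Image": r"C:\Users\Public\stage2.exe", "QueryName": "helloxcherry.com"},
    # Benign: a Visual Studio build and ordinary DNS must not fire.
    {"Computer": "BUILD01", "EventID": 1, "Image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe",
     "CurrentDirectory": "C:\\Users\\dev\\source\\repos\\app",
     "CommandLine": r"MSBuild.exe C:\Users\dev\source\repos\app\app.csproj /t:Build"},
    {"Computer": "BUILD01", "EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "www.microsoft.com"},
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, rules)
```

The rules are deliberately independent so that a single host tripping several of them (shortcut, MSBuild from a non-system drive, MSBuild making a network connection, shadow-copy deletion, the C2 domain) stands out from a build server that legitimately runs MSBuild all day. The non-system-drive heuristic will need an allow-list on estates with data drives; the C2 match also covers subdomains.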
Related pages
- CrownX
- JADEPUFFER Langflow agentic ransomware
- Ababil of Minab MOIS-linked recovery-destruction campaign
- Anubis ransomware CitrixBleed 2 / RMM / cloudflared intrusions
Sources
- The Hacker News: https://thehackernews.com/2026/07/new-avalon-malware-framework-packs.html
- Blackpoint Cyber: https://blackpointcyber.com/blog/avalons-path-from-legal-lure-to-crownx-ransom-capabilities/