Avalon / CrownX malware framework

Summary

Blackpoint Cyber, summarized publicly by The Hacker News on July 3, 2026, reported Avalon, a previously undocumented modular Windows malware framework delivered through a legal-document phishing lure. Avalon combines credential and wallet theft, reconnaissance, C2 tasking, lateral-movement preparation, recovery disruption, anti-forensic cleanup, destructive disk interaction, and a ransomware component named CrownX.

Attack chain

  1. Phishing lure: victims receive a spoofed legal-document email that points to a password-protected archive hosted on Proton Drive.
  2. Container staging: the archive contains an ISO image rather than a directly attached executable, reducing simple email-layer detection opportunities.
  3. User execution: a document-themed shortcut named Secure Document CA-283505.pdf.lnk launches a staged command chain.
  4. Build-tool execution: the shortcut runs an MSBuild project from the mounted ISO image.
  5. Loader: the MSBuild project loads an embedded .NET assembly, tampers with Event Tracing for Windows (ETW), and downloads the next-stage payload over HTTPS.
  6. Framework execution: Avalon starts local reconnaissance, credential and wallet collection, C2 polling, defense evasion, recovery inhibition, cleanup, and ransomware staging.
  7. Extortion stage: CrownX encrypts business, development, engineering, storage, and virtualization-related files and drops ransom notes with deadline timers.

Capabilities called out publicly

Avalon is notable because it packages several intrusion phases into one framework:

  • browser credential, cookie, history, and bookmark theft from Chromium-family browsers and Firefox;
  • theft from cryptocurrency wallet applications including MetaMask, Phantom, Coinbase Wallet, Exodus, Electrum, Atomic Wallet, Ledger Live, and Bitcoin Core;
  • collection from Discord, Slack, Teams, OpenVPN, WireGuard, Windows Credential Manager, SSH known hosts, saved RDP connections, Wi-Fi profiles, and Group Policy Preferences cpassword artifacts;
  • exfiltration to helloxcherry[.]com and C2 polling for tasking;
  • host reconnaissance and prioritization of systems useful for compromise expansion;
  • EDR / security-tool-aware evasion covering products named publicly as Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender;
  • ETW interference to reduce forensic visibility;
  • Volume Shadow Copy Service termination and shadow-copy deletion;
  • anti-forensic artifact cleanup;
  • direct interaction with disk structures, likely to damage partition information, boot records, or other critical areas.

Why this matters

  • Avalon blurs the line between infostealer, remote-access framework, recovery-denial toolkit, and ransomware loader. By the time CrownX appears, credentials and lateral-movement material may already be gone.
  • The delivery path uses common enterprise-trust seams: legal-document email, cloud-file hosting, ISO mounting, LNK execution, and MSBuild abuse.
  • The reported credential targets span browsers, chat, VPN, SSH, RDP, Wi-Fi, Windows Credential Manager, and crypto wallets, so incident response should not scope only encrypted files.
  • Blackpoint assessed signs of AI-assisted development. The defensive lesson is important: broad capability coverage no longer reliably implies a mature or highly resourced operator.
  • Recovery-denial and disk-damage behavior make evidence preservation and backup isolation time-sensitive.

Defender response

  1. Treat Avalon/CrownX as a full credential-compromise and ransomware-preparation event, not just a file-encryption incident.
  2. Preserve email, archive, mounted ISO, LNK, MSBuild, PowerShell/command-line, ETW, EDR, proxy, DNS, and endpoint telemetry before destructive cleanup where feasible.
  3. Hunt for legal-document lures, password-protected Proton Drive downloads, ISO mounts, *.pdf.lnk shortcuts, and MSBuild execution from removable/mounted-image paths.
  4. Alert on MSBuild loading embedded assemblies or spawning network-capable child processes from user-writable or mounted-image paths.
  5. Investigate ETW tampering, sudden telemetry gaps, or process behavior that targets EDR user-mode monitoring.
  6. Hunt for browser, wallet, SSH, RDP, VPN, Wi-Fi, and cpassword collection before encryption timestamps; rotate exposed credentials and revoke session tokens.
  7. Monitor for outbound traffic to helloxcherry[.]com and preserve any related DNS/proxy evidence.
  8. Check for Volume Shadow Copy Service termination, vssadmin/WMI shadow-copy deletion patterns, backup-agent impairment, and disk-structure manipulation.
  9. Isolate affected systems from backup and management networks until C2, credential theft, and lateral-movement preparation are ruled out.
  10. Review adjacent systems for reuse of harvested credentials, especially remote access, VPN, RDP, source-control, cloud, and privileged Windows accounts.
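The hunts in items 3, 4, 7 and 8 above, and the delivery chain described earlier, reduce to a handful of telemetry checks. The following Python is an added example, not code from Blackpoint or The Hacker News; it runs those checks over constructed Sysmon-style events (the event shapes, the `render.proj` name and the developer paths are assumptions) and returns the rule hits.

```python
import re

# Constructed Sysmon-style events (ID 1 process create, 3 network connect,
# 11 file create, 22 DNS query): sample data for this example, not real telemetry.
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
EVENTS = [
    {"id": 11, "TargetFilename": r"E:\Secure Document CA-283505.pdf.lnk"},
    {"id": 1, "Image": MSBUILD, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"MSBuild.exe E:\render.proj"},  # project name is invented
    {"id": 3, "Image": MSBUILD, "DestinationPort": 443},
    {"id": 22, "QueryName": "helloxcherry.com"},
    {"id": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"id": 1, "Image": MSBUILD, "ParentImage": r"C:\VS\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app.csproj"},  # benign developer build
]
C2_DOMAIN = "helloxcherry.com"  # published defanged as helloxcherry[.]com
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}
SHADOW_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                       r"|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule, evidence) pairs for events matching the Avalon chain."""
    findings = []
    for e in events:
        img, cmd = basename(e.get("Image", "")), e.get("CommandLine", "")
        # Document-themed shortcut with a double extension (the ISO's lure file).
        if e["id"] == 11 and e.get("TargetFilename", "").lower().endswith(".pdf.lnk"):
            findings.append(("double_extension_lnk", e["TargetFilename"]))
        # MSBuild outside a build tool, project on a non-system drive (heuristic
        # stand-in for "mounted image path"; correlate with image-mount logs).
        if e["id"] == 1 and img == "msbuild.exe":
            drive = DRIVE_RE.search(cmd)
            if (basename(e.get("ParentImage", "")) not in BUILD_PARENTS
                    and drive and drive.group(1).upper() != "C"):
                findings.append(("msbuild_from_mounted_image", cmd))
        # MSBuild itself opening a socket (next-stage download over HTTPS).
        if e["id"] == 3 and img == "msbuild.exe":
            findings.append(("msbuild_network_connect", e.get("DestinationPort")))
        # Resolution of the reported exfiltration/C2 domain.
        if e["id"] == 22 and e.get("QueryName", "").lower() == C2_DOMAIN:
            findings.append(("avalon_c2_dns", e["QueryName"]))
        # Shadow-copy deletion through vssadmin or WMIC (recovery inhibition).
        if e["id"] == 1 and SHADOW_RE.search(cmd):
            findings.append(("shadow_copy_deletion", cmd))
    return findings
```

The benign `devenv.exe` build at the end of the sample produces no finding, which is the false-positive case a production rule for item 4 has to keep quiet.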

Sources

  • The Hacker News: https://thehackernews.com/2026/07/new-avalon-malware-framework-packs.html
  • Blackpoint Cyber: https://blackpointcyber.com/blog/avalons-path-from-legal-lure-to-crownx-ransom-capabilities/