2026-07-04
Blackpoint Cyber documents "Avalon": a modular framework bundling credential theft, lateral movement and CrownX ransomware behind an MSBuild loader
Blackpoint Cyber's Adversary Pursuit Group published an analysis of Avalon, a modular Windows malware framework recovered from an endpoint and not previously documented (Blackpoint Cyber, 2026-07-02). Delivery starts with a spoofed legal-document phishing email pointing to a password-protected archive; the mounted image contains a weaponised LNK that presents a document-themed filename behind a Microsoft Edge icon so the victim believes they are opening a secure PDF rather than launching commands (Blackpoint Cyber, 2026-07-02). The shortcut runs cmd.exe, which invokes MSBuild.exe against a malicious project file carrying inline C# — a trusted-developer-utility proxy-execution chain (T1127.001) — and the managed downloader then patches ETW and AMSI functions with return stubs (T1562.001) before pulling an encrypted PE payload over HTTPS with certificate-validation bypass.
The recovered payload is notable for consolidating capability that would previously have been spread across several discrete families: browser, cryptocurrency-wallet, Discord/Teams, RDP-session, SSH-key and Windows Credential Manager theft (T1555, T1552.001), lateral movement over admin shares and scheduled tasks (T1021.002, T1053.005), and the embedded CrownX ransomware component that AES-GCM-encrypts a targeted extension set and disables Volume Shadow Copies, WinRE and System Restore to inhibit recovery (T1490, T1486) (Blackpoint Cyber, 2026-07-02). Secondary reporting describes the framework as bringing these diverse functions under one umbrella (The Hacker News, 2026-07-03). Defence evasion includes syscall-obfuscation techniques (HalosGate/TartarusGate) and named checks against a broad list of EDR products. Blackpoint assesses that the framework "bears the hallmarks of AI assisted development, assembled rapidly from functional components with little regard for tradecraft refinement or operational security" (Blackpoint Cyber, 2026-07-02) — a signal that a single operator can now assemble multi-stage capability quickly, even if the tradecraft is sloppy.
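As an added example (not code from Blackpoint's report), the Python sketch below triages Sysmon-style process-creation events for the cmd.exe to MSBuild.exe step described above (T1127.001); the event field names, the paths and every sample event are constructed assumptions, not telemetry from the report.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    """Constructed, Sysmon-style process-creation record (field names are assumptions)."""
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process

MSBUILD = re.compile(r"(^|\\)msbuild\.exe$", re.IGNORECASE)
# Parents that indicate a user- or script-driven launch rather than an IDE or build agent.
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "wscript.exe", "cscript.exe"}
# A project file living under a user-writable location is the strongest signal in this chain.
USER_WRITABLE = re.compile(r"\\(users|programdata|windows\\temp|perflogs)\\", re.IGNORECASE)
PROJECT_ARG = re.compile(r'"?([A-Za-z]:\\[^"\s]+\.(?:proj|csproj|vbproj|xml|targets))"?', re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def score_msbuild_event(ev: ProcessEvent) -> list:
    """Return the reasons an MSBuild launch looks like T1127.001 (empty list = no finding)."""
    if not MSBUILD.search(ev.image):
        return []
    reasons = []
    parent = basename(ev.parent_image)
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"MSBuild.exe spawned by {parent}")
    m = PROJECT_ARG.search(ev.command_line)
    if m and USER_WRITABLE.search(m.group(1)):
        reasons.append(f"project file in user-writable path: {m.group(1)}")
    return reasons

def triage(events):
    """Keep only events with at least one finding, paired with their reasons."""
    return [(ev, reasons) for ev in events if (reasons := score_msbuild_event(ev))]

NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [  # constructed samples, not telemetry from the report
    ProcessEvent(NET, r"MSBuild.exe C:\Users\victim\AppData\Local\Temp\Invoice.proj", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(NET, r"MSBuild.exe C:\src\app\app.csproj /t:Build", r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt", r"C:\Windows\explorer.exe"),
    ProcessEvent(NET, r"MSBuild.exe C:\agent\_work\1\s\build.proj /p:Configuration=Release", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.command_line, "->", "; ".join(reasons))
```

MSBuild launched from cmd.exe is routine on build agents (the fourth sample), so the parent signal alone is weak; the project file sitting under a user-writable path is what separates the phishing chain from a legitimate build.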
Avalon is operationally significant because it consolidates credential theft, persistence, and ransom functionality under one recovered payload rather than distributing them across discrete malware families.