ctipilot.ch

Avalon malware framework (CrownX ransomware component)

tool · tool:avalon-malware-framework · single-source

Avalon — modular Windows malware framework combining credential theft, lateral movement and the CrownX ransomware payload behind an LNK->MSBuild->ETW/AMSI-patching loader chain; assessed by Blackpoint Cyber as bearing hallmarks of AI-assisted development

Aliases: CrownX

  • Coverage timeline: 1 (first 2026-07-04 → last 2026-07-04)
  • Entries: 1 (1 distinct day)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-07-04: Blackpoint Cyber documents "Avalon": a modular framework bundling credential theft, lateral movement and CrownX ransomware behind an MSBuild loader
     research · **Avalon** framework chains a signed-binary MSBuild loader, ETW/AMSI patching and the CrownX ransomware payload in one implant

Where this entity is cited

  • research: 1

Source distribution

  • blackpointcyber.com: 1 (50%)
  • thehackernews.com: 1 (50%)

Entries about Avalon malware framework (CrownX ransomware component) (1)

2026-07-04

Blackpoint Cyber documents "Avalon": a modular framework bundling credential theft, lateral movement and CrownX ransomware behind an MSBuild loader

notable research · discovered 2026-07-04 06:24 UTC · single-source

Blackpoint Cyber's Adversary Pursuit Group published an analysis of Avalon, a previously undocumented modular Windows malware framework recovered from an endpoint (Blackpoint Cyber, 2026-07-02). Delivery starts with a spoofed legal-document phishing email pointing to a password-protected archive; the disk image inside, once mounted, contains a weaponised LNK that presents a document-themed filename behind a Microsoft Edge icon, so the victim believes they are opening a secure PDF rather than launching commands (Blackpoint Cyber, 2026-07-02). The shortcut runs cmd.exe, which invokes MSBuild.exe against a malicious project file carrying inline C#, a trusted-developer-utility proxy-execution chain (T1127.001); the managed downloader then patches ETW and AMSI functions with return stubs (T1562.001) before pulling an encrypted PE payload over HTTPS with certificate validation bypassed.

The recovered payload is notable for consolidating capability that would previously have been spread across several discrete families: browser, cryptocurrency-wallet, Discord/Teams, RDP-session, SSH-key and Windows Credential Manager theft (T1555, T1552.001), lateral movement over admin shares and scheduled tasks (T1021.002, T1053.005), and the embedded CrownX ransomware component that AES-GCM-encrypts a targeted extension set and disables Volume Shadow Copies, WinRE and System Restore to inhibit recovery (T1490, T1486) (Blackpoint Cyber, 2026-07-02). Secondary reporting describes the framework as bringing these diverse functions under one umbrella (The Hacker News, 2026-07-03). Defence evasion includes syscall-obfuscation techniques (HalosGate/TartarusGate) and named checks against a broad list of EDR products. Blackpoint assesses that the framework "bears the hallmarks of AI assisted development, assembled rapidly from functional components with little regard for tradecraft refinement or operational security" (Blackpoint Cyber, 2026-07-02) — a signal that a single operator can now assemble multi-stage capability quickly, even if the tradecraft is sloppy.
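As an added defender-side example (not code from the Blackpoint report or the framework), the following Python scores Sysmon-style process-creation records for the cmd.exe → MSBuild.exe proxy-execution stage described above and correlates it with MSBuild making its own network connection; the event fields, paths and sample records are constructed assumptions, not indicators from the report.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Constructed, Sysmon-style process-creation record (Event ID 1 subset)."""
    parent_image: str
    image: str
    command_line: str


# Constructed telemetry for the example (not IoCs from the report): a benign
# Visual Studio build and the cmd.exe -> MSBuild.exe inline-task loader chain.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
              r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
              r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\victim\AppData\Local\Temp\Contract_Draft.xml"),
]
# Images seen in constructed network-connection events (Sysmon Event ID 3 subset).
SAMPLE_NETCONN_IMAGES = {r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"}

SHELL_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)
PROJECT_EXT = re.compile(r"\.(csproj|vbproj|proj|sln)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def msbuild_proxy_reasons(ev: ProcEvent, netconn_images: set[str]) -> list[str]:
    """Indicators that an event looks like T1127.001 MSBuild proxy execution (empty = none)."""
    if basename(ev.image) != "msbuild.exe":
        return []
    reasons = []
    if basename(ev.parent_image) in SHELL_PARENTS:
        reasons.append("spawned by a shell or script host instead of a build tool")
    if USER_WRITABLE.search(ev.command_line):
        reasons.append("project file loaded from a user-writable directory")
    if not PROJECT_EXT.search(ev.command_line):
        reasons.append("target is not a conventional project or solution file")
    if ev.image in netconn_images:
        reasons.append("MSBuild itself opened a network connection (downloader stage)")
    return reasons


def suspicious_events(events, netconn_images):
    """Return (event, reasons) pairs with two or more indicators; a normal build yields none."""
    return [(ev, r) for ev in events if len(r := msbuild_proxy_reasons(ev, netconn_images)) >= 2]
```

Run `suspicious_events(SAMPLE_EVENTS, SAMPLE_NETCONN_IMAGES)` to see only the cmd.exe-spawned event flagged, with all four reasons attached.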

Avalon is operationally significant because it consolidates credential theft, persistence, and ransom functionality under one recovered payload rather than distributing them across discrete malware families.

"The framework bears the hallmarks of AI assisted development, assembled rapidly from functional components with little regard for tradecraft refinement or operational security." (Blackpoint Cyber)

Tags: ransomware · infostealer · phishing · ai-abuse · global