ctipilot.ch


Blackpoint Cyber documents "Avalon": a modular framework bundling credential theft, lateral movement and CrownX ransomware behind an MSBuild loader

Notable research · discovered 2026-07-04 06:24 UTC · single-source

Entities: Avalon malware framework (CrownX ransomware component)

Part of run 2026-07-04T0609Z-intel (intel · Anthropic Claude (specific model not determined))

Blackpoint Cyber's Adversary Pursuit Group published an analysis of Avalon, a modular Windows malware framework recovered from an endpoint and not previously documented (Blackpoint Cyber, 2026-07-02). Delivery starts with a spoofed legal-document phishing email pointing to a password-protected archive; the mounted image contains a weaponised LNK that presents a document-themed filename behind a Microsoft Edge icon so the victim believes they are opening a secure PDF rather than launching commands (Blackpoint Cyber, 2026-07-02). The shortcut runs cmd.exe, which invokes MSBuild.exe against a malicious project file carrying inline C# — a trusted-developer-utility proxy-execution chain (T1127.001) — and the managed downloader then patches ETW and AMSI functions with return stubs (T1562.001) before pulling an encrypted PE payload over HTTPS with certificate-validation bypass.

The recovered payload is notable for consolidating capability that would previously have been spread across several discrete families: browser, cryptocurrency-wallet, Discord/Teams, RDP-session, SSH-key and Windows Credential Manager theft (T1555, T1552.001), lateral movement over admin shares and scheduled tasks (T1021.002, T1053.005), and the embedded CrownX ransomware component that AES-GCM-encrypts a targeted extension set and disables Volume Shadow Copies, WinRE and System Restore to inhibit recovery (T1490, T1486) (Blackpoint Cyber, 2026-07-02). Secondary reporting describes the framework as bringing these diverse functions under one umbrella (The Hacker News, 2026-07-03). Defence evasion includes syscall-obfuscation techniques (HalosGate/TartarusGate) and named checks against a broad list of EDR products. Blackpoint assesses that the framework "bears the hallmarks of AI assisted development, assembled rapidly from functional components with little regard for tradecraft refinement or operational security" (Blackpoint Cyber, 2026-07-02) — a signal that a single operator can now assemble multi-stage capability quickly, even if the tradecraft is sloppy.

Avalon is operationally significant because it consolidates credential theft, persistence, and ransom functionality under one recovered payload rather than distributing them across discrete malware families.

"The framework bears the hallmarks of AI assisted development, assembled rapidly from functional components with little regard for tradecraft refinement or operational security." (Blackpoint Cyber)

Action items

  • Block execution of MSBuild.exe, InstallUtil.exe and csc.exe via WDAC or AppLocker on all non-developer endpoints; these trusted developer utilities have no business running on a standard user workstation.
  • Hunt for MSBuild.exe spawned by cmd.exe with a command line referencing a .tmp or .csproj file outside a build pipeline (Sysmon EID 1, ParentImage=cmd.exe, Image=MSBuild.exe).
  • Disable automatic ISO/IMG mounting from mail clients and browser downloads, and alert on LNK files whose displayed icon does not match their target extension delivered inside a mounted image.
  • Enforce Credential Guard and LSA protection to blunt the framework's credential-harvesting stage.

Tags: ransomware, infostealer, phishing, ai-abuse, global