New Avalon Malware Framework Integrates CrownX Ransomware, Evades Detection
A new modular malware framework named Avalon combines credential harvesting, lateral movement, and ransomware capabilities, including a variant internally named CrownX, and layers in defense-evasion techniques aimed at a broad set of endpoint security products.

Cybersecurity researchers have uncovered a previously undocumented modular malware framework, codenamed Avalon, which is being distributed through a multi-stage phishing campaign designed to circumvent traditional security measures. This comprehensive framework consolidates a wide array of malicious functionalities, including credential collection, lateral movement, remote access, disruption of recovery processes, and the execution of ransomware, with its ransomware component internally designated as CrownX.
The initial access vector is a deceptive email posing as legal correspondence that directs recipients to a password-protected archive hosted on Proton Drive. The archive contains an ISO image rather than a document, and nothing malicious is attached to the email itself. This packaging substantially reduces the chance of interception at the email gateway: a gateway that cannot open the password-protected archive cannot inspect the disk image inside it, and a link to a reputable file-sharing service is not, by itself, a strong signal.
Opening the ISO mounts it as a drive and presents the victim with a document-themed Windows shortcut, such as "Secure Document CA-283505.pdf.lnk"; because Explorer hides the .lnk extension of shortcuts, the file is displayed as "Secure Document CA-283505.pdf". Opening the shortcut starts a staged sequence that ends with deployment of the Avalon framework by executing an MSBuild project concealed within the ISO. MSBuild.exe is a signed Microsoft binary that will compile and run code embedded in a project file, so this stage executes without dropping a separate, more easily flagged executable. The project loads an embedded .NET assembly that tampers with Event Tracing for Windows (ETW), reducing the telemetry available to security products and forensic tooling, and then downloads the next-stage payload over HTTPS, which launches the main Avalon framework.
A key feature of Avalon is its robust defense evasion subsystem, engineered to thwart detection by a wide range of security tools. Researchers noted specific methods designed to conceal execution from prominent security solutions including Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender. These capabilities allow the framework to reduce telemetry, bypass user-mode monitoring, and adapt its execution based on the defensive controls present on the compromised host.
The Avalon framework's extensive feature set includes the ability to harvest credentials, cookies, history, and bookmarks from popular Chromium-based browsers and Mozilla Firefox. It also targets data from various cryptocurrency wallet applications such as MetaMask, Phantom, Coinbase Wallet, and Exodus, alongside communication and productivity tools like Discord, Slack, Teams, and VPN clients, as well as the Windows Credential Manager.
Beyond credential theft, Avalon gathers system information useful for moving laterally: SSH known_hosts entries, saved RDP connections, Wi-Fi profiles, and Group Policy Preferences cpassword artifacts (GPP-stored passwords are encrypted with a key Microsoft itself published, so any cpassword value left in SYSVOL is effectively plaintext). It exfiltrates this data to a remote server at "helloxcherry[.]com" and polls the same server for commands. The framework also performs reconnaissance to identify and prioritize hosts that would expand the scope of the compromise.
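As an added example (not code from the researchers' report), the defender-side counterpart to the cpassword collection described above: a scanner that walks SYSVOL for the Group Policy Preferences XML files that can carry a cpassword attribute and reports every account that still has one, so the preference can be removed or replaced. The file-to-account-attribute mapping follows the GPP schema; the sample XML fragments and their cpassword values are constructed placeholders, and `scan_sysvol` is the only function that touches the filesystem.

```python
import os
import xml.etree.ElementTree as ET

# GPP files that can carry a cpassword attribute, mapped to the attribute on
# the same element that names the account the password belongs to.
GPP_FILES = {
    "Groups.xml": "userName",
    "Services.xml": "accountName",
    "ScheduledTasks.xml": "runAs",
    "DataSources.xml": "username",
    "Drives.xml": "userName",
    "Printers.xml": "userName",
}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpassword(xml_text, account_attr=None):
    """Return one finding per element that carries a non-empty cpassword.

    cpassword="" is how GPP records 'no password' and is not a secret, so it
    is skipped. account_attr is the preferred attribute for this file type;
    the other known names are tried so the function works on any GPP file.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cp = elem.attrib.get("cpassword")
        if not cp:
            continue
        candidates = ((account_attr,) if account_attr else ()) + ACCOUNT_ATTRS
        account = next((elem.attrib[a] for a in candidates if a in elem.attrib), None)
        findings.append({"element": elem.tag, "account": account})
    return findings


def scan_files(files):
    """files: iterable of (path, xml_text). Yields findings tagged with the path.

    Files whose name is not a GPP preference file are ignored; unparsable XML
    is reported rather than silently skipped.
    """
    for path, text in files:
        name = os.path.basename(path)
        if name not in GPP_FILES:
            continue
        try:
            for finding in find_cpassword(text, GPP_FILES[name]):
                yield dict(finding, path=path)
        except ET.ParseError as exc:
            yield {"path": path, "element": None, "account": None, "error": str(exc)}


def scan_sysvol(root):
    """Walk a SYSVOL share (or an offline copy) and return all findings."""
    def walk():
        for dirpath, _, names in os.walk(root):
            for n in names:
                if n in GPP_FILES:
                    p = os.path.join(dirpath, n)
                    # utf-8-sig strips the BOM that GPP files usually start with
                    with open(p, encoding="utf-8-sig", errors="replace") as fh:
                        yield p, fh.read()
    return list(scan_files(walk()))


# Constructed sample data: minimal GPP fragments; the cpassword values are
# placeholders, not real ciphertext.
SAMPLE_GROUPS_XML = r"""<Groups>
  <User name="LocalAdmin" image="2" changed="2024-01-08 10:15:02">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER_NOT_REAL_CIPHERTEXT=="
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <User name="Helpdesk" image="2" changed="2024-01-08 10:16:40">
    <Properties action="U" userName="Helpdesk" cpassword="" changeLogon="0"/>
  </User>
</Groups>
"""

SAMPLE_TASKS_XML = r"""<ScheduledTasks>
  <Task name="NightlyBackup">
    <Properties action="C" name="NightlyBackup" runAs="CORP\svc_backup"
                cpassword="PLACEHOLDER_NOT_REAL_CIPHERTEXT=="/>
  </Task>
</ScheduledTasks>
"""

if __name__ == "__main__":
    sample = [
        ("SYSVOL/corp/Policies/example/Machine/Preferences/Groups/Groups.xml", SAMPLE_GROUPS_XML),
        ("SYSVOL/corp/Policies/example/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml", SAMPLE_TASKS_XML),
    ]
    for finding in scan_files(sample):
        print(finding)
```

Run `scan_sysvol(r"\\domain\SYSVOL\domain\Policies")` from a domain-joined host (or against a copied tree) to audit a real environment; the empty-cpassword entry for Helpdesk in the sample is deliberately not reported.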
The ransomware component, CrownX, uses the Windows Cryptography API to encrypt files associated with business operations, software development, engineering, data storage, and virtual infrastructure, then drops a ransom note with payment instructions and countdown timers indicating when the demand will increase. To hinder recovery, Avalon stops the Volume Shadow Copy Service and deletes existing shadow copies, and an anti-forensic cleanup subsystem removes traces of its activity, complicating incident response. As a final destructive step it may write directly to disk structures, damaging partition information or boot records and leaving the system unbootable.
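As an added example, not from the report: detection logic for two stages of the chain described above, the MSBuild launch from a user-facing process behind the shortcut, and the shadow-copy removal before encryption, run over a handful of constructed Sysmon-style events (EventID 1 ProcessCreate and EventID 11 FileCreate, using the real Sysmon field names). The rule names, launcher list and sample events are assumptions made for this illustration.

```python
import re

# Processes a double-clicked .lnk target typically runs under. A legitimate
# build started by an IDE or a CI agent has a different parent.
LNK_LAUNCHERS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                 "wscript.exe", "cscript.exe", "mshta.exe"}

# Document-themed double extension ending in .lnk, e.g. "...CA-283505.pdf.lnk".
DOUBLE_EXT_LNK = re.compile(r"\.(?:pdf|docx?|xlsx?|txt)\.lnk\b", re.IGNORECASE)

# Command lines that remove or starve shadow copies.
SHADOW_DELETE = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(", re.I),
    re.compile(r"diskshadow(?:\.exe)?.*delete\s+shadows", re.I),
]
# Stopping the VSS service (service name "VSS") via net, sc or PowerShell.
VSS_STOP = re.compile(
    r"(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|stop-service)\s+[\"']?vss\b", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of every rule the event matches (possibly none)."""
    hits = []
    cmd = event.get("CommandLine", "")
    if event.get("EventID") == 1:
        image = _basename(event.get("Image", ""))
        parent = _basename(event.get("ParentImage", ""))
        if image == "msbuild.exe" and parent in LNK_LAUNCHERS:
            hits.append("msbuild_from_user_launcher")
        if any(p.search(cmd) for p in SHADOW_DELETE):
            hits.append("shadow_copy_deletion")
        if VSS_STOP.search(cmd):
            hits.append("vss_service_stop")
    # The lure name can surface in a command line or in a file-create event.
    for field in ("CommandLine", "TargetFilename"):
        if DOUBLE_EXT_LNK.search(event.get(field, "")):
            hits.append("double_extension_lnk")
            break
    return hits


def scan(events):
    """Run every rule over every event; returns (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


# Constructed sample events (Sysmon field names; values are made up).
SAMPLE_EVENTS = [
    # 0: an IDE driving MSBuild normally; must not fire
    {"EventID": 1,
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    # 1: the shortcut target launching MSBuild against a project on the mounted ISO (E:)
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe E:\project.xml"},
    # 2: the double-extension shortcut copied off the image onto the desktop
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\Desktop\Secure Document CA-283505.pdf.lnk"},
    # 3: shadow copies removed before encryption
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    # 4: the VSS service stopped
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net stop vss /y"},
    # 5: benign: an administrator listing shadow copies
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Each rule has known benign triggers (backup agents resize shadow storage, developers run MSBuild from a terminal), so in production the MSBuild rule is best paired with a check that the project path is outside normal source trees, and the shadow-copy rules with the parent process and the user context; the double-extension rule, by contrast, has almost no legitimate matches.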
Researchers assess that Avalon shows signs of AI-assisted development: it integrates a large number of components, something that would ordinarily require significant expertise, yet lacks the refined tradecraft and operational security that such expertise usually brings. This points to a lowering of the barrier to entry for building capable malware, with less skilled actors able to produce potent tooling. A sample's feature set is therefore no longer a reliable indicator of the operator's sophistication or operational maturity.