
Ethical Hacking News

New Avalon Malware Framework Packs CrownX Ransomware Capabilities



A new AI-powered malware framework known as Avalon has been discovered, boasting an extensive defense evasion subsystem that enables it to evade detection from security tools associated with well-known vendors. CrownX is its ransomware component, which demonstrates how AI can lower the barrier to entry for malicious actors in cybersecurity. The discovery of this malware framework highlights the need for robust cybersecurity measures and regular system updates.

  • A new, highly sophisticated malware framework called Avalon has been discovered; its ransomware component is codenamed "CrownX".
  • The malware is distributed via a multi-stage phishing chain that bypasses traditional security controls with ease.
  • The attack sequence involves embedding malicious content inside an ISO image and using a password-protected archive to reduce detection likelihood.
  • The malware framework has an extensive defense evasion subsystem, including methods to evade detection by popular security tools like Microsoft Defender and SentinelOne.
  • Avalon can collect various types of data from browsers, cryptocurrency wallet apps, and other sources, exfiltrating it to a remote server.
  • The malware encrypts files, delivers ransom notes, and removes traces of artifacts to complicate incident response efforts.
  • The discovery of Avalon highlights the threat of AI-powered malware frameworks that can be created with limited technical expertise and resources.
  • Cybersecurity experts emphasize the need for robust measures and regular system updates to protect against such threats.



    The cybersecurity landscape has recently been shaken by the discovery of a new, highly sophisticated malware framework known as Avalon. This modular framework, whose ransomware component is codenamed "CrownX", is distributed via a multi-stage phishing chain that bypasses traditional security controls with ease.

    According to Blackpoint Cyber researchers Nevan Beal and Sam Decker, the attack begins with a spoofed legal document email directing recipients to a password-protected archive on Proton Drive. The malicious content is embedded inside an ISO image rather than attached directly, reducing the likelihood of detection at the email layer. If the email recipient interacts with a document-themed Windows Shortcut ("Secure Document CA-283505.pdf.lnk") inside the mounted image, it triggers a staged malware sequence that culminates in the deployment of Avalon.

    An MSBuild project in that staged sequence loads an embedded .NET assembly, which then interferes with the regular functioning of Event Tracing for Windows (ETW) to reduce forensic visibility and downloads a next-stage payload over HTTPS that launches Avalon. The malware framework has an extensive defense evasion subsystem that aims to avoid detection in general while incorporating specific methods to conceal execution from security tools from Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender.

    These capabilities enable the framework to reduce telemetry, bypass user-mode monitoring, and adjust its execution depending on the defensive controls present on the host. The complete set of features built into Avalon includes harvesting credentials, cookies, history, and bookmarks from Chromium-based browsers and Mozilla Firefox; gathering data from cryptocurrency wallet apps such as MetaMask, Phantom, Coinbase Wallet, Exodus, Electrum, Atomic Wallet, Ledger Live, and Bitcoin Core; and collecting data from Discord, Slack, Teams, OpenVPN, WireGuard, and Windows Credential Manager.

    The malware framework also collects details about SSH known hosts, saved RDP connections, Wi-Fi profiles, and Group Policy Preferences cpassword artifacts. It exfiltrates data to a remote server ("helloxcherry[.]com") and polls the server for tasking commands. The framework performs reconnaissance and prioritizes systems that can expand the scope of the compromise.

    It also encrypts files associated with business operations, software development, engineering, data storage, and virtual infrastructure using the Windows Cryptography API and delivers a ransom note containing payment instructions and deadline timers that show how much time is left before the ransom amount is increased. It inhibits system recovery by terminating the Volume Shadow Copy Service and deleting shadow copies.

    The malware also removes traces of artifacts using an anti-forensic cleanup subsystem to complicate incident response efforts. It directly interacts with disk structures likely in an effort to damage partition information, boot records, or other critical areas of the drive, effectively rendering the system unusable.
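As an added defender-side example (not code from the report, Blackpoint Cyber, or the Avalon authors), the following Python rules check constructed Sysmon-style events for the chain stages described above: the double-extension .pdf.lnk lure, MSBuild.exe reaching out over HTTPS, contact with the named exfiltration host, and shadow-copy tampering. The event schema, the svc.exe path and the sample commands are assumptions; only the LNK name and the exfiltration domain come from the report.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like schema (assumed, not real logs).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"E:\Secure Document CA-283505.pdf.lnk"'},
    {"type": "network",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dest_host": "203.0.113.10", "dest_port": 443},
    {"type": "network", "image": r"C:\Users\u\AppData\Roaming\svc\svc.exe",
     "dest_host": "helloxcherry.com", "dest_port": 443},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop vss /y"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Document-themed shortcut with a double extension, as in the lure on this page.
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk\b", re.IGNORECASE)
# Shadow-copy deletion or stopping the VSS service (common command forms).
SHADOW_TAMPER = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete|\bstop\s+vss\b",
    re.IGNORECASE)
# Exfiltration host named in the report (defanged there as helloxcherry[.]com).
KNOWN_EXFIL_HOSTS = {"helloxcherry.com"}

def detect(events):
    """Return (rule_name, event_index) pairs for events matching a rule."""
    hits = []
    for i, ev in enumerate(events):
        image = ev.get("image", "").lower()
        if ev["type"] == "process":
            cmd = ev.get("cmdline", "")
            if DOUBLE_EXT_LNK.search(cmd):
                hits.append(("double_extension_lnk", i))
            if SHADOW_TAMPER.search(cmd):
                hits.append(("shadow_copy_tamper", i))
        elif ev["type"] == "network":
            # MSBuild normally has no reason to reach the internet over HTTPS.
            if image.endswith("msbuild.exe") and ev.get("dest_port") == 443:
                hits.append(("msbuild_https_egress", i))
            if ev.get("dest_host", "").lower() in KNOWN_EXFIL_HOSTS:
                hits.append(("known_exfil_host", i))
    return hits

def chain_alert(hits, min_rules=3):
    """Escalate when several distinct chain stages appear in one host's events."""
    return len({rule for rule, _ in hits}) >= min_rules
```

Any single rule is noisy on its own; chain_alert shows the correlation step that makes the combination actionable.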

    Furthermore, Avalon shows signs of artificial intelligence (AI)-assisted development, assembling multiple components with scant regard for sophisticated tradecraft or operational security. This has significant implications, as it suggests that even actors with limited technical expertise and resources can create malware that would otherwise require extensive development effort.

    The discovery of the CrownX ransomware component within Avalon is a stark reminder of how AI can lower the barrier to entry for malicious actors in the realm of cybersecurity. The findings also shed light on the evolving threat landscape, where AI-powered malware frameworks like Avalon and CrownX are becoming increasingly sophisticated.

    In related news, Sysdig has detailed what it said was the first publicly documented agentic ransomware infection driven by a large language model from start to finish, while retrying and tweaking its actions in real-time to complete tasks. The operator behind this operation has been codenamed JADEPUFFER.

    The skill floor for running ransomware has dropped significantly, according to Sysdig's Michael Clark. "The cost to an attacker is close to zero," he said. "If that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero."

    The discovery of AI-powered malware frameworks like Avalon and CrownX serves as a stark reminder of the need for robust cybersecurity measures and regular system updates. Cybersecurity experts emphasize the importance of staying vigilant and implementing proactive security controls to protect against such threats.

    In conclusion, the emergence of highly sophisticated AI-powered malware frameworks like Avalon and CrownX represents a significant threat to global cybersecurity. These frameworks are designed to evade detection, reducing forensic visibility and making detection harder for security tools from well-known vendors.

    Their extensive defense evasion subsystems make them formidable adversaries in the realm of cybersecurity. The discovery of these frameworks serves as a stark reminder of the need for robust cybersecurity measures and regular system updates.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Avalon-Malware-Framework-Packs-CrownX-Ransomware-Capabilities-ehn.shtml

  • https://thehackernews.com/2026/07/new-avalon-malware-framework-packs.html

  • https://utopiats.com/blog/new-avalon-malware-framework-packs-crownx-ransomware-capabilities

  • https://blackpointcyber.com/blog/avalons-path-from-legal-lure-to-crownx-ransom-capabilities/


  • Published: Fri Jul 3 14:38:29 2026 by llama3.2 3B Q4_K_M
