The Avalon framework combines credential harvesting, multi-EDR evasion, and the CrownX ransomware into a single attack chain. Blackpoint Cyber researchers identify signs of AI-assisted development that, according to their analysis, weaken the link between technical sophistication and operator capability.

Researchers Nevan Beal and Sam Decker of Blackpoint Cyber have documented the Avalon malware framework, a modular platform that combines credential theft, lateral movement, evasion of nine EDR/XDR products, and the CrownX ransomware into a single attack chain. The report, published July 3, 2026, reveals signs of AI-assisted development that, according to the source's analysis, reduce the correlation between technical sophistication and the threat actor's operational capability.

Key Takeaways
  • Avalon distributes via multi-stage phishing with forged legal documents, password-protected archives on Proton Drive, and ISO images containing MSBuild projects
  • The framework includes evasion for Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender
  • The CrownX ransomware component encrypts via Windows Cryptography API, deletes shadow copies, and damages disk structures to render the system unusable
  • Analysis detects signs of AI-assisted development: components assembled with scant regard for operational security, inverting the assumption that advanced capabilities imply sophisticated actors

The Entry Chain: From a Legal Email to In-Memory MSBuild

The attack begins with a phishing email presenting a forged legal document. The victim is directed to a password-protected archive on Proton Drive. Inside, the malicious payload is encapsulated in an ISO image. A Windows shortcut with a deceptive name — Secure Document CA-283505.pdf.lnk — executes a command that launches an MSBuild project located in the ISO, which loads an embedded .NET assembly.

This architecture offers significant operational advantages. The use of MSBuild, a legitimate Microsoft development tool, allows code execution without requiring external compilers or suspicious binary payloads. The entire chain, from email to in-memory execution, unfolds through trusted tools, reducing opportunities for signature-based detection.

According to the cited source, the assembly interferes with the normal operation of Event Tracing for Windows (ETW), Microsoft's event tracing infrastructure. The ETW tampering reduces the forensic visibility available to analysts, obscuring portions of the execution chain that normally feed SIEM systems and threat detection platforms.

CrownX and Damage Beyond Encryption

The ransomware component is internally named CrownX. It does not merely encrypt files: it interacts directly with disk structures, damaging partitions and boot records to render the system unusable. Before activating, it terminates the Volume Shadow Copy Service and deletes shadow copies, eliminating local recovery.

Encryption occurs via the Windows Cryptography API, a choice that leverages legitimate system libraries rather than custom cryptographic implementations. This approach further reduces the detection surface and complicates differential analysis: the malware appears, in certain respects, as an application using standard APIs as intended.
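As an added detection example (not code from the Blackpoint report or from the Avalon framework), the Python heuristics below flag the two host behaviours described above: MSBuild.exe launched against a project file from something other than a build host, as in the LNK-to-MSBuild entry chain, and the shadow-copy deletion and VSS shutdown that precede CrownX encryption. The Sysmon-style event shape and field names, the build-host list, the E:\ path standing in for a mounted ISO, and the shadow-copy command patterns are assumptions; the report does not publish Avalon's exact command lines.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:  # one Sysmon-style (Event ID 1) process-creation record; field names assumed
    image: str
    parent_image: str
    command_line: str

# Parents from which MSBuild.exe is expected on a developer box; explorer.exe (double-clicked
# .lnk) or a cmd.exe the shortcut spawned are not among them, which is the Avalon entry chain.
BUILD_HOSTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
PROJECT_FILE = re.compile(r"\S+\.(proj|csproj|vbproj|xml)\b", re.I)

# Usual administrative routes to shadow-copy removal and VSS shutdown. The report says CrownX
# does both but does not quote its commands, so these are the well-known tools, not Avalon strings.
SHADOW_DELETE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|"
                           r"wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy)", re.I)
VSS_STOP = re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+vss\b", re.I)

def classify(ev: ProcEvent) -> list[str]:
    """Return the alert names an event triggers; an empty list means benign."""
    alerts = []
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if (ev.image.lower().endswith("\\msbuild.exe") and parent not in BUILD_HOSTS
            and PROJECT_FILE.search(ev.command_line)):
        alerts.append("msbuild_project_outside_build_host")
    if SHADOW_DELETE.search(ev.command_line):
        alerts.append("shadow_copy_deletion")
    if VSS_STOP.search(ev.command_line):
        alerts.append("vss_service_stop")
    return alerts

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> alerts, for every event that triggered at least one."""
    return {i: a for i, ev in enumerate(events) if (a := classify(ev))}

# Constructed sample telemetry (not from the report); E:\ stands in for a mounted ISO.
SAMPLE = [
    ProcEvent(r"C:\VS\MSBuild\Current\Bin\MSBuild.exe", r"C:\VS\Common7\IDE\devenv.exe",
              r'MSBuild.exe "C:\Users\dev\source\repos\App\App.csproj" /t:Build'),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\cmd.exe", r"MSBuild.exe E:\build.xml /nologo"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", r"C:\Users\x\AppData\Local\Temp\svc.exe",
              r"vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(r"C:\Windows\System32\net.exe", r"C:\Users\x\AppData\Local\Temp\svc.exe",
              r"net stop vss /y"),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The first sample event (MSBuild under devenv.exe) stays silent, which is the point of the parent check: on a developer workstation the tool is legitimate, and only the launch context distinguishes the Avalon pattern.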

"CrownX represented the final extortion stage, but the damage extended well beyond the encryption itself. By the time the ransom note appeared, the broader framework had already collected credentials, established C2 communications, prepared multiple paths for lateral movement, and weakened local recovery options." — Blackpoint Cyber

Multi-Vendor Evasion: A Catalog of Bypasses

Avalon integrates a defense evasion subsystem that the source documents with a specific list. The targeted products are: Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender — nine EDR/XDR solutions covering the majority of the enterprise market.

According to the cited researchers, the framework uses native APIs to regulate its own execution based on the defensive controls present on the host. In their words, "These capabilities give the framework a multitude of ways to reduce telemetry, bypass user mode monitoring, and adjust its execution depending on the defensive controls present on the host".

The strategy does not aim for a single universal bypass, but for conditional adaptability: detect which product is active, select the appropriate technique, proceed with minimal exposure. This modularity requires technical knowledge distributed across multiple platforms, an investment traditionally associated with threat groups possessing consolidated resources and specialization.

The Collection Subsystem and the C2 Server

In parallel with evasion, Avalon performs systematic harvesting of credentials and data. The source documents collection from eight cryptocurrency wallets: MetaMask, Phantom, Coinbase Wallet, Exodus, Electrum, Atomic Wallet, Ledger Live, and Bitcoin Core. Also targeted are communication and connectivity applications — Discord, Slack, Teams, OpenVPN, WireGuard — along with SSH known hosts, RDP connections, Wi-Fi profiles, and encrypted passwords in Group Policy Preferences.

Collected data is exfiltrated to the remote server helloxcherry[.]com, which also serves as a hub for C2 command polling. The structure suggests a two-way operational model: the victim sends collected data, receives instructions for subsequent phases, potentially including CrownX activation. The framework, therefore, is not pure ransomware but an access platform with a final monetization option.

Why It Matters

The dossier does not specify remediation measures or patches for the Avalon framework. It gives no indication of how many infections have been confirmed or which sectors are most affected. The source does not clarify whether Avalon is distributed as a service or is used exclusively by a single threat actor.

The critical point is instead the assessment of the malware's origin. According to Blackpoint Cyber, Avalon "shows signs of artificial intelligence (AI)-assisted development, one that has assembled multiple components with scant regard for sophisticated tradecraft or operational security". The ability to assemble multi-vendor evasion, anti-forensics, lateral movement, and ransomware into a coherent framework — without the operational care typical of elite actors — inverts an established paradigm in threat intelligence.

The MITRE ATT&CK matrix and traditional profiling frameworks associate technical complexity with actor sophistication: the more techniques, evasion, and persistence observed, the more likely the actor is an advanced persistent threat (APT) or a structured ransomware syndicate. Avalon suggests this correlation is weakening. AI-assisted development allows aggregation of technically advanced components without the organization, discipline, or time investment that historically filtered out low-level actors.

For defenders, the implication is that the barrier to entry for multi-capability attacks is falling. The presence of evasion for nine EDR products is no longer a reliable indicator of resourcefulness or nation-state intent; it can instead be the result of generative-model-assisted assembly with access to public repositories of bypass techniques. The dwell-to-encryption time shortens because the framework integrates collection, communication, lateral preparation, and final payload activation into a single platform.

The source does not specify whether AI-assisted development refers to code generation, component orchestration, or another aspect of the development lifecycle. It also remains undocumented whether the framework supports execution on non-Windows systems: the entire evidence map refers to components and APIs specific to the Microsoft ecosystem.

Questions and Answers

Is Avalon sold as a service (MaaS)?

The brief does not document an as-a-service distribution model. It is unclear whether Avalon is a commercial offering, a private toolkit, or something else.

Is there a CVE for Avalon or CrownX?

No. No CVE identifier is assigned to the framework or the ransomware according to the analyzed dossier.

What makes AI-assisted development relevant for defense?

According to the source's analysis, it indicates that technically complex components can be assembled without traditional operational care, making it harder to profile the threat actor based solely on observed technical capabilities.

Sources

Information is based on the cited source and current as of publication.
