Sophos, CrowdStrike, Microsoft, Proton Drive, SentinelOne, Bitdefender, ESET and McAfee: New Avalon Malware Framework Packs CrownX Ransomware Capabilities

Sophos, CrowdStrike, Microsoft, Proton Drive, SentinelOne, Bitdefender, ESET and McAfee: New Avalon Malware Framework Packs CrownX Ransomware Capabilities

New Modular Malware Framework "Avalon" Unveiled in Sophisticated Phishing Attack

Cybersecurity researchers have identified a previously unknown modular malware framework, Avalon, distributed via a multi-stage phishing campaign designed to evade traditional security controls. The framework integrates credential theft, lateral movement, remote access, recovery disruption, and ransomware execution with its ransomware component internally dubbed CrownX.

The attack begins with a spoofed legal document email directing recipients to a password-protected archive hosted on Proton Drive. Instead of attaching malicious files directly, attackers embedded them within an ISO image, reducing detection at the email layer. When a victim interacts with a document-themed Windows shortcut (Secure Document CA-283505.pdf.lnk) inside the mounted image, it triggers a sequence that deploys Avalon.

The shortcut executes an MSBuild project within the ISO, which loads an embedded .NET assembly to disable Event Tracing for Windows (ETW), obscuring forensic visibility. The malware then downloads a next-stage payload over HTTPS to deploy Avalon, which includes an extensive defense evasion subsystem targeting security tools from Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender.

Avalon’s capabilities include:

  • Credential harvesting from Chromium-based browsers, Firefox, cryptocurrency wallets (MetaMask, Coinbase Wallet, Exodus, etc.), and apps like Discord, Slack, and Teams.
  • Data exfiltration to a remote server (helloxcherry[.]com) and command polling for further instructions.
  • Reconnaissance to prioritize high-value systems for lateral movement.
  • Ransomware execution using Windows Cryptography API, encrypting files tied to business operations, software development, and virtual infrastructure.
  • Recovery disruption by terminating the Volume Shadow Copy Service and deleting shadow copies.
  • Anti-forensic measures, including direct disk manipulation to corrupt partition data or boot records.

Researchers note that CrownX represents only the final extortion stage by the time the ransom note appears, the framework has already stolen credentials, established C2 communications, and weakened recovery options. The malware also exhibits signs of AI-assisted development, suggesting lower barriers to entry for threat actors with limited technical expertise.

AI-Driven Ransomware and Codeless Attacks Emerge

In related developments, Sysdig reported the first publicly documented agentic ransomware attack powered by a large language model (LLM). The threat actor, JADEPUFFER, exploited CVE-2025-3248 to gain access to an exposed Langflow instance, executing an automated campaign that adapted in real-time to pivot toward a production database server for extortion.

Separately, Palo Alto Networks Unit 42 uncovered an AI-powered malware combining a Telegram bot with a public LLM API (api.groq[.]com) to enable codeless attacks. The malware forwards system details to the attacker’s Telegram bot, then polls the API every five seconds to translate natural language instructions into shell commands eliminating the need for command-line expertise. The sample, uploaded to VirusTotal in March 2026, remains undetected by all engines.

Source: https://thehackernews.com/2026/07/new-avalon-malware-framework-packs.html

CrowdStrike cybersecurity rating report: https://www.rankiteo.com/company/crowdstrike

Microsoft Threat Intelligence cybersecurity rating report: https://www.rankiteo.com/company/microsoft-threat-intelligence

Bitdefender cybersecurity rating report: https://www.rankiteo.com/company/bitdefender

Sophos cybersecurity rating report: https://www.rankiteo.com/company/sophos

SentinelOne cybersecurity rating report: https://www.rankiteo.com/company/sentinelone

Proton cybersecurity rating report: https://www.rankiteo.com/company/protonprivacy

ESET cybersecurity rating report: https://www.rankiteo.com/company/eset

McAfee cybersecurity rating report: https://www.rankiteo.com/company/mcafee

"id": "CROMICBITSOPSENPROESEMCA1783117511",
"linkid": "crowdstrike, microsoft-threat-intelligence, bitdefender, sophos, sentinelone, protonprivacy, eset, mcafee",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'attack_vector': 'Phishing (spoofed legal document email with ISO image '
                  'containing malicious shortcut)',
 'data_breach': {'data_encryption': 'Yes (Windows Cryptography API for '
                                    'ransomware)',
                 'data_exfiltration': 'Yes (to helloxcherry[.]com)',
                 'personally_identifiable_information': 'Yes (credentials, '
                                                        'wallet data)',
                 'sensitivity_of_data': 'High (PII, financial data, '
                                        'operational files)',
                 'type_of_data_compromised': ['Credentials',
                                              'Cryptocurrency wallet data',
                                              'Business documents',
                                              'Software development files',
                                              'Virtual infrastructure files']},
 'description': 'Cybersecurity researchers have identified a previously '
                'unknown modular malware framework, Avalon, distributed via a '
                'multi-stage phishing campaign designed to evade traditional '
                'security controls. The framework integrates credential theft, '
                'lateral movement, remote access, recovery disruption, and '
                'ransomware execution with its ransomware component internally '
                'dubbed CrownX.',
 'impact': {'data_compromised': 'Credentials, cryptocurrency wallet data, '
                                'business documents, software development '
                                'files, virtual infrastructure files',
            'identity_theft_risk': 'High (credential harvesting, PII exposure)',
            'operational_impact': 'Recovery disruption, encryption of critical '
                                  'files, termination of Volume Shadow Copy '
                                  'Service',
            'systems_affected': 'Windows systems with Chromium-based browsers, '
                                'Firefox, cryptocurrency wallets, Discord, '
                                'Slack, Teams, and security tools from '
                                'Microsoft Defender, SentinelOne, CrowdStrike, '
                                'Sophos, Elastic Endpoint, FortiEDR, ESET, '
                                'McAfee, and Bitdefender'},
 'initial_access_broker': {'entry_point': 'Phishing email with ISO image',
                           'high_value_targets': 'Systems with access to '
                                                 'credentials, cryptocurrency '
                                                 'wallets, and '
                                                 'business-critical files'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The Avalon framework demonstrates advanced evasion '
                    'techniques, AI-assisted development, and modular '
                    'capabilities that enable threat actors to conduct '
                    'multi-stage attacks with lower technical barriers. '
                    'Traditional security controls may be insufficient against '
                    'such sophisticated malware.',
 'motivation': ['Financial Gain', 'Data Exfiltration', 'Extortion'],
 'post_incident_analysis': {'corrective_actions': ['Enhance phishing detection '
                                                   'and employee training',
                                                   'Implement stricter '
                                                   'controls on ISO and LNK '
                                                   'file execution',
                                                   'Monitor for ETW tampering '
                                                   'and security tool '
                                                   'disruptions',
                                                   'Deploy advanced threat '
                                                   'detection for modular '
                                                   'malware'],
                            'root_causes': ['Phishing attack exploiting human '
                                            'trust in legal documents',
                                            'Use of ISO images to bypass email '
                                            'security controls',
                                            'Disabling of ETW and security '
                                            'tools to evade detection',
                                            'Modular malware framework '
                                            'enabling multi-stage attacks']},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransomware_strain': 'CrownX (part of Avalon framework)'},
 'recommendations': ['Implement multi-layered security controls, including '
                     'behavioral analysis and AI-driven threat detection.',
                     'Monitor for unusual activity in Event Tracing for '
                     'Windows (ETW) and security tool logs.',
                     'Educate employees on phishing risks, especially those '
                     'involving ISO images and password-protected archives.',
                     'Segment networks to limit lateral movement.',
                     'Regularly back up critical data and test recovery '
                     'procedures.',
                     'Monitor for unauthorized access to LLM APIs or exposed '
                     'Langflow instances.'],
 'references': [{'source': 'Cybersecurity Research Report'}],
 'title': "New Modular Malware Framework 'Avalon' Unveiled in Sophisticated "
          'Phishing Attack',
 'type': ['Malware', 'Ransomware', 'Phishing']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.