Cybersecurity researchers have identified Avalon, a new and highly sophisticated malware framework that functions as an all-in-one attack platform. It integrates multiple malicious modules, including a potent credential harvester, lateral movement capabilities, and its own ransomware payload, CrownX. The framework is being distributed through a phishing campaign that uses password-protected archives and ISO images to bypass initial security checks. Avalon is particularly dangerous due to its built-in defense evasion mechanisms designed to disable or blind security tools like Microsoft Defender, CrowdStrike, and SentinelOne. The discovery is notable as it points towards the potential use of AI in malware development, which could lower the bar for creating powerful and complex threats.
The Avalon attack chain begins with a phishing email containing a link to a password-protected archive on Proton Drive. This archive contains an ISO image, which, when mounted, presents a malicious Windows Shortcut (.lnk) file disguised as a PDF. Executing this shortcut triggers a fileless attack sequence that leverages trusted system tools like MSBuild.exe to execute malicious code directly in memory. This method is designed to evade detection by traditional file-based antivirus solutions.
The framework's primary goal is multifaceted: steal sensitive information and deploy ransomware. The credential stealing module targets a wide array of applications, including web browsers, cryptocurrency wallets, and enterprise communication tools, maximizing the value of a single compromise.
The Avalon framework demonstrates a high degree of technical sophistication:
.lnk file inside an ISO image..lnk file uses MSBuild.exe to compile and run an inline C# project, a known Living-Off-the-Land (LOL-bin) technique.A successful Avalon infection can be catastrophic for an organization. The immediate impact includes the loss of access to critical data due to the CrownX ransomware. Simultaneously, the comprehensive credential theft opens the door to further breaches, financial fraud, and compromise of other online services. The defense evasion capabilities mean that the attack may go undetected for a longer period, allowing the attacker more time to exfiltrate data and move laterally. The destructive overwrite capability poses a threat of permanent data loss, far exceeding the typical impact of ransomware.
No specific file hashes, IPs, or domains were listed in the source articles.
Security teams should hunt for the following suspicious activities:
process_nameMSBuild.exeMSBuild.exe being executed by non-developer users or with unusual parent processes (e.g., explorer.exe).file_path*.isocommand_line_patternpowershell.exe -command "Mount-DiskImage"api_endpointapi.proton.meMSBuild.exe spawning suspicious child processes or making network connections.MSBuild.exe to only authorized users (e.g., developers).Educating users about the dangers of opening unexpected attachments, especially ISO files and password-protected archives, is a key first line of defense.
Using application control policies to restrict the execution of tools like MSBuild.exe to only authorized users can block this attack vector.
A well-configured EDR can detect and block the malicious behaviors of the framework, such as AMSI/ETW patching and credential theft, even if the initial execution is missed.
Filtering web traffic and blocking downloads from untrusted file-hosting sites like Proton Drive can prevent the initial payload from reaching the endpoint.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.