Researchers Uncover "Avalon," a Sophisticated Malware Framework with Integrated "CrownX" Ransomware

New 'Avalon' Malware Framework Unleashes 'CrownX' Ransomware with Advanced Evasion Techniques

CRITICAL
July 6, 2026
5m read
MalwareRansomwareThreat Actor

Related Entities

Organizations

Products & Tech

Microsoft DefenderProton Drive

Other

AvalonCrownX

Full Report

Executive Summary

Cybersecurity researchers have identified Avalon, a new and highly sophisticated malware framework that functions as an all-in-one attack platform. It integrates multiple malicious modules, including a potent credential harvester, lateral movement capabilities, and its own ransomware payload, CrownX. The framework is being distributed through a phishing campaign that uses password-protected archives and ISO images to bypass initial security checks. Avalon is particularly dangerous due to its built-in defense evasion mechanisms designed to disable or blind security tools like Microsoft Defender, CrowdStrike, and SentinelOne. The discovery is notable as it points towards the potential use of AI in malware development, which could lower the bar for creating powerful and complex threats.

Threat Overview

The Avalon attack chain begins with a phishing email containing a link to a password-protected archive on Proton Drive. This archive contains an ISO image, which, when mounted, presents a malicious Windows Shortcut (.lnk) file disguised as a PDF. Executing this shortcut triggers a fileless attack sequence that leverages trusted system tools like MSBuild.exe to execute malicious code directly in memory. This method is designed to evade detection by traditional file-based antivirus solutions.

The framework's primary goal is multifaceted: steal sensitive information and deploy ransomware. The credential stealing module targets a wide array of applications, including web browsers, cryptocurrency wallets, and enterprise communication tools, maximizing the value of a single compromise.

Technical Analysis

The Avalon framework demonstrates a high degree of technical sophistication:

  • Initial Access (T1566.001): Phishing with a link to a malicious file.
  • Execution (T1204.002): The user is tricked into clicking a malicious .lnk file inside an ISO image.
  • Defense Evasion (T1218.007): The .lnk file uses MSBuild.exe to compile and run an inline C# project, a known Living-Off-the-Land (LOL-bin) technique.
  • Defense Evasion (T1562.001) & (T1562.006): Avalon actively attempts to disable security tools. It includes functionality to patch Event Tracing for Windows (ETW) and bypass the Antimalware Scan Interface (AMSI), which are critical sources of telemetry for EDR products.
  • Credential Access (T1555): The framework contains a stealer module that targets credentials from browsers, crypto wallets (MetaMask, Ledger Live), and collaboration apps (Slack, Teams).
  • Impact (T1486): The final payload is the CrownX ransomware, which encrypts files. It also attempts to delete Volume Shadow Copies (T1490) to hinder recovery.
  • Impact (T1485): The framework also possesses a destructive capability to overwrite physical drives, indicating it could be used for purely destructive attacks.

Impact Assessment

A successful Avalon infection can be catastrophic for an organization. The immediate impact includes the loss of access to critical data due to the CrownX ransomware. Simultaneously, the comprehensive credential theft opens the door to further breaches, financial fraud, and compromise of other online services. The defense evasion capabilities mean that the attack may go undetected for a longer period, allowing the attacker more time to exfiltrate data and move laterally. The destructive overwrite capability poses a threat of permanent data loss, far exceeding the typical impact of ransomware.

IOCs — Directly from Articles

No specific file hashes, IPs, or domains were listed in the source articles.

Cyber Observables — Hunting Hints

Security teams should hunt for the following suspicious activities:

Type
process_name
Value
MSBuild.exe
Description
Monitor for MSBuild.exe being executed by non-developer users or with unusual parent processes (e.g., explorer.exe).
Type
file_path
Value
*.iso
Description
Alert on the downloading or mounting of ISO files from untrusted sources, especially from web browsers or email clients.
Type
command_line_pattern
Value
powershell.exe -command "Mount-DiskImage"
Description
PowerShell being used to mount ISO images, which can be part of an automated attack script.
Type
api_endpoint
Value
api.proton.me
Description
Unusual or high-volume traffic to Proton Drive, which was used for hosting the initial payload.

Detection & Response

  • Endpoint Detection and Response (EDR): Ensure EDR solutions are configured with anti-tampering enabled. Monitor for processes attempting to patch memory related to ETW or AMSI. Create detection rules for MSBuild.exe spawning suspicious child processes or making network connections.
  • Script Block Logging: Enable PowerShell Script Block Logging (Event ID 4104) to capture the contents of de-obfuscated scripts that might be executed by the malware.
  • Email Security: Use email gateways to block password-protected archives and potentially ISO file attachments or links to them.
  • Application Control: Use application control solutions like AppLocker or WDAC to restrict the execution of MSBuild.exe to only authorized users (e.g., developers).

Mitigation

  • User Training: Train users to be suspicious of emails with password-protected attachments and to be wary of opening files from unexpected ISO images.
  • Block ISO Mounting: For most users, the ability to mount ISO files is not required for daily business. Consider using Group Policy to block the automatic mounting of ISO files to prevent this attack vector.
  • Attack Surface Reduction (ASR): Implement ASR rules, such as "Block execution of potentially obfuscated scripts" and "Block all office applications from creating child processes."
  • Credential Protection: Use password managers and enable MFA on all services to limit the impact of credential theft.

Timeline of Events

1
July 6, 2026
This article was published

MITRE ATT&CK Mitigations

Educating users about the dangers of opening unexpected attachments, especially ISO files and password-protected archives, is a key first line of defense.

Using application control policies to restrict the execution of tools like MSBuild.exe to only authorized users can block this attack vector.

A well-configured EDR can detect and block the malicious behaviors of the framework, such as AMSI/ETW patching and credential theft, even if the initial execution is missed.

Filtering web traffic and blocking downloads from untrusted file-hosting sites like Proton Drive can prevent the initial payload from reaching the endpoint.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

avaloncrownxmalwareransomwarephishingisomsbuilddefense evasion

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.