HackMyIP
2026-07-03 The Hacker News

Avalon Malware Framework Bundles Credential Theft with CrownX Ransomware

Malware, Ransomware, Phishing

Blackpoint Cyber researchers Nevan Beal and Sam Decker have uncovered Avalon, a previously undocumented modular malware framework that consolidates credential harvesting, lateral movement, remote access, recovery disruption, and ransomware deployment under a single umbrella. The framework's ransomware module is internally branded CrownX, and the entire package is distributed through a multi-stage phishing campaign engineered to slip past conventional email security controls. The chain begins with a spoofed legal notice directing victims to a password-protected archive hosted on Proton Drive, with the malicious payload tucked inside an ISO image rather than delivered as a direct attachment to minimize detection at the email gateway.

Once a recipient mounts the ISO and interacts with a document-themed Windows Shortcut ("Secure Document CA-283505.pdf.lnk"), a staged execution sequence fires. The shortcut launches an MSBuild project embedded in the ISO, which loads a .NET assembly that tampers with Event Tracing for Windows (ETW) to erode forensic visibility before retrieving the next-stage payload over HTTPS. The framework's defense evasion subsystem includes purpose-built routines to mask activity from Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender, giving operators flexibility to downgrade telemetry, evade user-mode hooks, and adapt to whichever EDR stack is present on the host.

Avalon's data collection module is wide-reaching: it pulls credentials, cookies, history, and bookmarks from Chromium-based browsers and Mozilla Firefox, harvests wallet data from MetaMask, Phantom, Coinbase Wallet, Exodus, Electrum, Atomic Wallet, Ledger Live, and Bitcoin Core, and lifts tokens and credentials from Discord, Slack, Teams, OpenVPN, WireGuard, and Windows Credential Manager. It also catalogs SSH known_hosts entries, saved RDP connections, Wi-Fi profiles, and Group Policy Preferences cpassword artifacts. Exfiltrated data is shipped to a command-and-control server at helloxcherry[.]com, which doubles as a tasking channel for follow-on instructions; a WHOIS lookup on the domain can help defenders enrich their own threat intel picture. Because the attackers use the stolen credentials for lateral movement, defenders should treat every account associated with an infected host as exposed and check for password reuse across logins before the data is weaponized.

The CrownX ransomware arm prioritizes encryption of files tied to business operations, software development, engineering, data storage, and virtual infrastructure, leveraging the Windows Cryptography API and dropping a ransom note that includes payment instructions alongside a live countdown showing when the demanded amount will increase. To compound the impact, Avalon actively inhibits system recovery by terminating Volume Shadow Copy Service processes, blocking rollback attempts. "These capabilities give the framework a multitude of ways to reduce telemetry, bypass user mode monitoring, and adjust its execution depending on the defensive controls present on the host," the researchers noted. Defenders are advised to hunt for anomalous MSBuild activity, ISO-mounted shortcuts in email workflows, outbound traffic to Proton Drive and unfamiliar HTTPS endpoints, and ETW tampering indicators, while monitoring breach exposure for any accounts associated with affected hosts.
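The hunting advice above (anomalous MSBuild activity, ISO-mounted shortcuts) can be turned into a small triage pass over process-creation telemetry. This is an added example, not code from Blackpoint Cyber or The Hacker News; the Sysmon-like field names, the constructed sample events and the assumption that C: is the system drive are mine.

```python
import re
from pathlib import PureWindowsPath

# Document-themed shortcut with a double extension, e.g. "...pdf.lnk".
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk\b", re.IGNORECASE)

# Constructed sample process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'MSBuild.exe "E:\project.proj"', "cwd": "E:\\"},
    {"host": "ws01", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'explorer.exe "E:\Secure Document CA-283505.pdf.lnk"', "cwd": "C:\\Users\\a"},
    {"host": "build01", "image": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj", "cwd": "C:\\src\\app"},
    {"host": "ws02", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'WINWORD.EXE "C:\Users\b\Documents\contract.docx"', "cwd": "C:\\Users\\b"},
]


def triage(events):
    """Return one finding per event that trips at least one rule."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["image"]).name.lower()
        parent = PureWindowsPath(ev["parent_image"]).name.lower()
        drive = PureWindowsPath(ev["cwd"]).drive.upper()
        rules = []
        # A user double-clicking a shortcut makes explorer.exe the parent of the target;
        # developers normally run MSBuild from an IDE, a build agent or a shell.
        if image == "msbuild.exe" and parent == "explorer.exe":
            rules.append("msbuild_launched_from_explorer")
        # Working directory on a non-system drive suggests a mounted ISO or removable volume
        # (assumes C: is the system drive).
        if image == "msbuild.exe" and drive != "C:":
            rules.append("msbuild_cwd_off_system_drive")
        if DOUBLE_EXT_LNK.search(ev["cmdline"]):
            rules.append("double_extension_lnk")
        if rules:
            findings.append({"host": ev["host"], "image": image, "rules": rules})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The rules are deliberately narrow heuristics to seed a hunt, not a complete signature; tune the drive and parent checks to your own build-tool baseline before alerting on them.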

Source: The Hacker News
