Avalon Malware Framework Blends Credential Theft, Lateral Movement and Ransomware

Security researchers have identified a previously undocumented modular malware framework called Avalon that appears designed to support a full intrusion lifecycle, from initial access and credential t...

Security researchers have identified a previously undocumented modular malware framework called Avalon that appears designed to support a full intrusion lifecycle, from initial access and credential theft to ransomware deployment and recovery disruption. The ransomware payload within the framework has been tracked internally as CrownX.

According to Blackpoint Cyber, the campaign begins with a phishing email impersonating a legal document. The message points victims to a password-protected archive hosted on Proton Drive, while the malicious content is hidden inside an ISO image rather than attached directly. If a user opens a document-themed Windows shortcut inside the mounted image, the file launches a staged infection chain that eventually installs Avalon.

The execution path uses MSBuild to load an embedded .NET assembly, tampers with Event Tracing for Windows to reduce visibility, and retrieves an additional payload over HTTPS. Researchers said the framework includes a broad set of defenses aimed at evading detection across several security products and at reducing the telemetry available to endpoint monitoring tools.

Capabilities observed in Avalon

  • Steal browser data such as credentials, cookies, history and bookmarks.
  • Collect information from crypto wallets, collaboration tools, VPN clients and Windows Credential Manager.
  • Gather SSH, RDP, Wi-Fi and Group Policy-related data.
  • Exfiltrate data to a remote command server and receive instructions.
  • Encrypt files tied to business operations and virtual infrastructure.
  • Disable recovery by stopping Volume Shadow Copy Service and deleting shadow copies.
  • Use anti-forensic cleanup routines and manipulate disk structures to hinder recovery.

Blackpoint Cyber said the malware’s design suggests that the final ransomware stage is only one part of a wider intrusion strategy. By the time victims see the ransom note, the system may already have been used for reconnaissance, credential harvesting, command-and-control communications and lateral movement preparation.

The company also noted signs that Avalon may have been developed with assistance from artificial intelligence, citing the way multiple components were assembled with relatively little operational discipline. That trend, researchers say, may lower the barrier to entry for attackers building multi-function malware.

The disclosure comes amid other recent cases involving AI-assisted threats. Sysdig separately reported what it described as the first publicly documented agentic ransomware incident driven end-to-end by a large language model, while Palo Alto Networks Unit 42 described malware that uses a public LLM API to translate plain-language operator instructions into shell commands.