Avalon modular malware framework and CrownX ransomware
🛡️ Cybersecurity researchers uncovered a modular malware framework dubbed Avalon that uses a multi-stage phishing chain to bypass traditional defenses and deploy a ransomware component called CrownX. The campaign begins with a spoofed legal-document email pointing victims to a password-protected Proton Drive archive containing an ISO image. Interaction with a malicious Windows Shortcut inside the mounted image triggers an MSBuild-led loader that disables ETW, fetches additional payloads, and ultimately launches Avalon. The framework includes credential harvesting, crypto-wallet theft, lateral movement, data exfiltration, recovery disruption, anti-forensics, and disk tampering capabilities.
