Cybersecurity

Avalon and CrownX: A Modular Malware Kit That Bundles Everything an Intruder Needs

Blackpoint Cyber researchers have detailed Avalon, a modular malware framework that folds credential theft, lateral movement, remote access, and the CrownX ransomware into one kit, all delivered through a phishing chain built to slip past email defenses and blind the leading EDR products.

PublishedJuly 8, 2026
Read time6 min read
Share

One Framework, Every Stage of the Attack

The evolution of intrusion tooling has trended steadily toward consolidation, and Avalon is a vivid example of where that trend leads. Detailed by Blackpoint Cyber researchers Nevan Beal and Sam Decker, Avalon is a previously undocumented modular malware framework that folds functions once spread across separate tools into a single package. It combines credential collection, reconnaissance, lateral movement prioritization, remote access, recovery disruption, and file encryption, with the ransomware payload internally named CrownX. In effect, it is a full intrusion life cycle in a box.

We think the significance of Avalon is less about any single novel technique and more about the packaging. When credential theft, movement, and ransomware ship as coordinated modules of one framework, the operator needs less skill to run a devastating campaign, and the phases blend together in ways that frustrate detection built around discrete stages. Defenders who tune their alerting to catch, say, a separate credential dumper followed later by a separate ransomware binary may find that a unified kit slips between the categories their tooling was designed to separate.

The Phishing Chain: Proton Drive, an ISO, and a Fake PDF

Avalon delivery is a case study in modern social engineering that treats the email gateway as an obstacle to be routed around rather than confronted. The campaign begins with a spoofed legal document email that directs the recipient to a password protected archive hosted on Proton Drive, a legitimate service whose reputation helps the lure survive reputation based filtering. The malicious content is embedded inside an ISO image rather than attached directly, a deliberate choice that reduces the likelihood of detection at the email layer, where ISO contents are often not inspected.

Inside the mounted image sits a document themed Windows Shortcut named to look like a secure PDF. Interacting with it triggers an MSBuild project that loads an embedded .NET assembly, which tampers with Event Tracing for Windows to reduce forensic visibility before pulling down the next stage that launches Avalon. Every hop in this chain is chosen to defeat a specific control: the trusted cloud host defeats reputation filtering, the ISO defeats attachment scanning, the shortcut defeats user suspicion, and the MSBuild abuse defeats application allowlists that trust signed Microsoft tooling.

Built to Blind the EDR Stack

What distinguishes Avalon from run of the mill commodity malware is the seriousness of its defense evasion. The framework carries an extensive evasion subsystem engineered to conceal execution specifically from the market leading endpoint products, with the researchers naming Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender as targets. That is not a generic attempt to avoid antivirus; it is a curated list of the exact tools most enterprises rely on, which implies deliberate testing against those products during development.

In the researchers own words, these capabilities give the framework a multitude of ways to reduce telemetry, bypass user mode monitoring, and adjust its execution depending on the defensive controls present on the host. The last clause is the one that should give security leaders pause. Avalon does not just try to hide; it fingerprints the defenses it finds and changes behavior accordingly, which means the same sample can look different, and quieter, on a machine running one EDR versus another. Detection strategies that assume malware behaves consistently across the fleet are poorly matched to an adversary that adapts per host.

From Credential Theft to Boot Record Destruction

Once resident, Avalon works methodically through the intrusion. It harvests credentials from Chromium based browsers, Firefox, and a range of cryptocurrency wallets including MetaMask, Phantom, and Coinbase, then exfiltrates the loot to attacker controlled infrastructure. It performs reconnaissance to prioritize lateral movement, spreading toward the business, development, and infrastructure data that will maximize leverage. Only after establishing that position does the CrownX ransomware component begin encrypting files, following the now standard double extortion logic of stealing before locking.

The destructive tail of Avalon is what elevates it from costly to potentially catastrophic. It terminates the Volume Shadow Copy Service and deletes shadow copies to strip away the quickest local recovery path, and it interacts directly with disk structures to damage partitions and boot records. An organization that has treated shadow copies or on host snapshots as its safety net will discover that net was cut before encryption even began. This is precisely why we keep arguing that backups only count if they are immutable, offline or otherwise out of the attacker reach, and tested against a full restore rather than assumed to work.

Why Modular Malware Changes the Economics

Avalon fits a broader shift in which sophisticated capability is being productized and commoditized. When a single framework bundles the entire kill chain with built in evasion tuned against named EDR vendors, the barrier to running an enterprise grade intrusion drops for a much larger population of operators. The skill that used to live in the heads of elite intruders gets encoded into modules, and the marginal attacker can now execute campaigns that would once have required a capable team. That expansion of the threat actor pool is a strategic problem, not just a tactical one.

For defenders, the economic implication cuts both ways. On one hand, a unified framework has a consistent signature surface that, once studied, can inform detection across all of its deployments. On the other, the evasion sophistication raises the cost of that detection and shortens the time between initial access and irreversible damage. We believe the right response is to invest less in chasing individual malware families and more in the durable fundamentals that frustrate any kit: strong identity controls, network segmentation, allowlisting that resists living off the land tooling, and recovery that assumes the attacker will try to destroy it.

The Defensive Playbook for a Kit Like Avalon

The controls that blunt Avalon are unglamorous and well known, which is exactly why they remain the right answer. Blocking or closely inspecting ISO and disk image attachments, restricting the execution of scripting and build tools like MSBuild through application controls, and hardening browsers against credential theft all interrupt the chain at points where Avalon is committed to a specific technique. Phishing resistant multi factor authentication and least privilege limit how far stolen credentials travel once the harvesting stage succeeds.

The most important preparation, though, is assuming the destructive endgame will happen and building recovery that survives it. Because Avalon deletes shadow copies and can corrupt boot records, resilience depends on backups that live beyond the reach of a host level compromise, ideally immutable and physically or logically isolated, with restoration rehearsed on a realistic schedule. Enterprises should also monitor for the specific behaviors this framework exhibits, such as tampering with Event Tracing for Windows and shadow copy deletion, treating either as a high confidence signal that an intrusion has already reached its later, more dangerous stages.

Tagged#news#security#cybersecurity#ransomware#phishing#malware#edr#data-exfiltration