Avalon: modular malware framework bundles CrownX ransomware — Blackpoint
Blackpoint Cyber documents Avalon, a previously undocumented modular framework whose ransomware payload — CrownX — arrives at the end of a legal-lure phishing chain that stages through Proton Drive, ISO, LNK, and MSBuild.
New disclosure, single primary source. Blackpoint Cyber on July 3 named a previously undocumented modular malware framework Avalon, whose ransomware component ships under the internal name CrownX. Researchers Nevan Beal and Sam Decker are credited. The Hacker News picked it up the same day. Attribution: not stated. Victim count: not stated. Targeted sectors: not stated.
What was reported
- Framework name: Avalon. Ransomware module: CrownX. Confidence: high — both names are the researchers’ own.
- Delivery chain: spoofed legal-document email → password-protected archive on Proton Drive → ISO image → Windows shortcut (Secure Document CA-283505.pdf.lnk) → MSBuild project → .NET assembly that disables Event Tracing for Windows (ETW). Confidence: high as reported.
- Capabilities enumerated by Blackpoint: credential harvesting from browsers, cryptocurrency wallets, Discord, Slack, Teams, SSH, RDP, and Wi-Fi profiles; lateral movement and reconnaissance; remote access and C2; recovery disruption via VSS termination and shadow-copy deletion; ransomware encryption via the Windows Cryptography API; anti-forensic cleanup; direct disk-structure interaction.
- Attribution: not stated by Blackpoint. No overlap with a known crew claimed in either writeup.
Why the delivery chain matters
The interesting part isn’t the ransomware — every crew has one. It’s the stack in front of it. Password-protected archives on a legitimate hosting provider (Proton Drive) sail past URL reputation and inline scanners because the payload is behind a password the user types after clicking. ISO images defeat Mark-of-the-Web. LNK files hand execution to MSBuild, a signed Microsoft binary. The .NET assembly loaded by MSBuild does the ETW disable before defenders’ telemetry ever sees it fire.
Every step is a known technique on its own. Chained together in one framework, aimed at a business inbox, they push the detection burden onto whatever sees the process tree after MSBuild — which is exactly the moment the loader has shut ETW off.
What defenders should already be doing
Not new advice, but Avalon exercises all of it at once:
- Constrain MSBuild. Application-control policies (WDAC, AppLocker, or vendor equivalent) that block MSBuild for non-developer users close this specific chain outright. Developer exception scopes should be as narrow as your build hosts.
- Block ISO auto-mount from email or downloaded archives where policy allows. Same for VHD/VHDX. Microsoft’s Mark-of-the-Web propagation to container files closed part of this gap, but ISOs delivered inside a password-protected archive still avoid the tag entirely.
- Alert on ETW patch-outs. EDR products that surface NtTraceControl manipulation, ETW provider disable calls, or EtwEventWrite patching will catch the second stage even when the first stage looks like a signed MSBuild invocation.
- Kill VSS/shadow-copy deletion attempts as high-severity. vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog — these are ransomware pre-encryption behavior, not maintenance.
None of that is Avalon-specific. It’s the reason the chain works: each individual technique is old, no single control catches all of them, and the framework author knows which order to run them in.
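As an added example, not code from Blackpoint's writeup or from any Avalon sample: a small Python pass over constructed process-creation events that turns two of the controls above into detection logic, MSBuild launched outside a build context and shadow-copy or backup-catalog deletion command lines. The BUILD_PARENTS allowlist, the user-writable path pattern and every sample event are assumptions for illustration, not values from the article. ETW patch-out detection is deliberately left to the EDR: NtTraceControl and EtwEventWrite tampering is API-level and does not appear in process-creation telemetry.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Windows 4688 style)."""
    parent_image: str
    image: str
    command_line: str
    user: str


# Assumed allowlist of parents from which an MSBuild launch is expected.
# Tune this to the build agents and IDEs actually present in your environment.
BUILD_PARENTS = {"devenv.exe", "jenkins.exe", "agent.worker.exe", "msbuild.exe", "dotnet.exe"}

# Assumed pattern for locations a user (or a mounted ISO's LNK) can drop a project file into.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\", re.I
)

# The three pre-encryption commands named in the article.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog",
    re.I,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_msbuild(ev: ProcEvent):
    """Rule 1: MSBuild started from an unexpected parent or on a project in a user-writable path."""
    if basename(ev.image) != "msbuild.exe":
        return None
    reasons = []
    if basename(ev.parent_image) not in BUILD_PARENTS:
        reasons.append(f"unexpected parent {basename(ev.parent_image)}")
    if USER_WRITABLE.search(ev.command_line):
        reasons.append("project file in user-writable path")
    if reasons:
        return ("high", "msbuild-outside-build-context", "; ".join(reasons))
    return None


def check_shadow_delete(ev: ProcEvent):
    """Rule 2: shadow-copy / backup-catalog deletion; pre-encryption behaviour, not maintenance."""
    m = SHADOW_DELETE.search(ev.command_line)
    if m:
        return ("critical", "shadow-copy-deletion", m.group(0))
    return None


RULES = (check_msbuild, check_shadow_delete)


def scan(events):
    """Run every rule over every event; return one finding dict per rule hit, in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                severity, name, detail = hit
                findings.append({"severity": severity, "rule": name, "detail": detail,
                                 "image": ev.image, "user": ev.user})
    return findings


# Constructed sample telemetry; none of these are real events or real hosts.
SAMPLE_EVENTS = [
    # LNK double-click in Explorer hands execution to MSBuild on a project under %TEMP%.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r'MSBuild.exe "C:\Users\jdoe\AppData\Local\Temp\lure-project.proj"',
              r"CORP\jdoe"),
    # Legitimate CI build: allowlisted parent, project on a build volume.
    ProcEvent(r"C:\Program Files\Jenkins\jenkins.exe",
              r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
              r"MSBuild.exe D:\builds\app\app.sln /t:Build",
              r"CORP\svc_build"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin delete shadows /all /quiet", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\wmic.exe",
              "wmic shadowcopy delete", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wbadmin.exe",
              "wbadmin delete catalog -quiet", r"NT AUTHORITY\SYSTEM"),
    # Benign: listing shadows is not deletion.
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin list shadows", r"NT AUTHORITY\SYSTEM"),
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['detail']} ({f['image']} as {f['user']})")
```

Run as-is it reports four findings: one high-severity MSBuild launch (both reasons fire) and three critical shadow-copy deletions; the Jenkins build and the `vssadmin list shadows` call pass clean. The MSBuild rule is intentionally two-pronged so that an attacker who finds an allowlisted parent still trips on the project path, and vice versa.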
Watching for
- Broader IOCs from Blackpoint or a follow-on write-up. The initial disclosure names a lure filename and stages the tooling; sample hashes and C2 infrastructure IOCs, if released, will let ISPs and hosts move against the delivery footprint.
- CISA advisory or KEV addition. Unconfirmed as of this writing — Avalon has not, so far, been tied to exploitation of a specific CVE. If Blackpoint or another vendor connects a specific initial-access exploit to the chain later, treat that as the news that changes urgency, not this disclosure.
- Overlap claims with named crews. No attribution today. If one is asserted (a threat-intel vendor tying Avalon to an existing operator), read the confidence language carefully — “assessed with moderate confidence” is not “confirmed.”
For the parallel Citrix Bleed 2 / Anubis ransomware story from the same news window, see Anubis ransomware seen exploiting Citrix Bleed 2. Different crew, different initial-access path, same downstream problem.
Sourcing
- Blackpoint Cyber, Avalon’s Path from Legal Lure to CrownX Ransom Capabilities — primary technical writeup.
- The Hacker News, New Avalon Malware Framework Packs CrownX Ransomware Capabilities — secondary summary, July 3, 2026.