>_ 0dayNews
ransomware

Blackpoint: Avalon framework bundles theft, wiper, and CrownX ransomware

Blackpoint Cyber says the previously undocumented Avalon framework combines credential theft, EDR-aware defense evasion, shadow-copy destruction, and the CrownX ransomware payload in one multi-stage phishing chain.

Photo: Tom Gally / Wikimedia Commons · Public domain
airgap · Published · 3 min read

Confirmed reporting by Blackpoint Cyber. Attribution to a named crew or affiliate: not stated. Treat accordingly. Blackpoint Cyber researchers Nevan Beal and Sam Decker disclosed on July 3 a previously undocumented modular malware framework they call Avalon, delivered through a phishing chain and shipping a ransomware payload named CrownX. Credential theft, lateral movement enablers, EDR-aware defense evasion, shadow-copy destruction, disk-structure damage, and file encryption — one bundle.

Delivery, per Blackpoint

  • Lure: spoofed legal-document email pointing at a password-protected archive on Proton Drive. Reported.
  • Container: an ISO image, not a direct attachment. Cuts email-layer detection.
  • Trigger: a shortcut file named Secure Document CA-283505.pdf.lnk. Executes an MSBuild project from inside the ISO.
  • Second stage: an embedded .NET assembly that interferes with Event Tracing for Windows to reduce forensic visibility, then pulls the next payload over HTTPS.
  • Payload: Avalon itself.

Blackpoint’s chain, as reported. Independent corroboration: pending. No CVE cited — this is a social-engineering delivery, not a vulnerability exploit.

What Avalon is built to take

Blackpoint documents the collection targets. Broad, not curated:

  • Browsers. Chromium-based and Firefox — credentials, cookies, history, bookmarks.
  • Cryptocurrency wallets. MetaMask, Phantom, Coinbase Wallet, Exodus, Electrum, Atomic Wallet, Ledger Live, Bitcoin Core.
  • Communications. Discord, Slack, Teams.
  • Network / remote access. OpenVPN, WireGuard, Windows Credential Manager, SSH known-hosts, RDP connection history, Wi-Fi profiles.
  • Legacy. Group Policy Preferences cpassword artifacts — AD passwords stored in SYSVOL under AES with a key Microsoft itself published, so they decrypt trivially. Microsoft removed the ability to set them in MS14-025 (2014), but entries already present stay readable, which keeps them worth harvesting in 2026.

Broad enough to feed both immediate follow-on intrusion and resale of the credential set.

The wiper-plus-ransom endgame

Blackpoint reports Avalon terminates the Volume Shadow Copy Service, deletes existing shadow copies, and writes directly to disk structures to damage partition information and boot records. The CrownX component then encrypts business-critical file categories via the Windows Cryptography API and drops a ransom note with a countdown.

Encrypt-and-damage in the same operation. Recovery from backups is the plan; recovery from local snapshots is off the table by the time the note appears. Consistent with where ransomware tradecraft has been trending over the last twelve months.

EDR-aware

Avalon carries logic targeting Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender. Blackpoint’s list, verbatim. That’s a nine-vendor coverage matrix — either an off-the-shelf module the framework author pulled in, or built with awareness of what the market actually deploys. Either way, the “we have EDR” line stops being a full answer.

C2 and IoCs Blackpoint published

  • Exfil / tasking: helloxcherry[.]com. Defanged. Confirmed by Blackpoint.
  • Anti-forensics: artifact cleanup subsystem intended to complicate IR.

Full IoC set is in Blackpoint’s writeup, linked from The Hacker News coverage of the report.

The AI angle — reported, labeled

Blackpoint’s writeup flags signs of AI-assisted development in the framework: multiple components stitched together “with scant regard for sophisticated tradecraft or operational security” (Blackpoint’s phrasing, via The Hacker News). Not a claim that an agent RAN Avalon. A claim that an agent likely helped WRITE parts of it. Analysis — labeled.

Same landscape carrying Sysdig’s JADEPUFFER report from Wednesday and Unit 42’s Telegram-bot LLM malware find. Skill floor keeps dropping. Volume of framework-quality tooling in circulation keeps rising.

What to actually do

Tradecraft is unremarkable. Detection is available if you’re looking.

  • Block ISO and LNK from email at the gateway if you don’t have a business reason to allow them. Both are load-bearing in this chain.
  • Alert on MSBuild.exe launched outside a build context. The binary itself sits at its normal path under %WINDIR%\Microsoft.NET; what is unusual is the surrounding context — parent process that is not a build host, working directory or project file in %TEMP% or on a mounted ISO, no Visual Studio session. Standard living-off-the-land signal.
  • Watch for VSS service termination and vssadmin delete shadows (and its wmic and PowerShell equivalents) as pre-encryption tells. Old signal, still works.
  • Egress-block or DNS-sinkhole helloxcherry[.]com. Take the low-effort win while the domain is fresh.
  • Rotate anything Avalon would have taken if you’ve had a suspected phishing click in the last week — browser sessions, VPN keys, RDP creds, GPP passwords if any GPP is still around, Discord/Slack/Teams tokens. Assume harvest, not just theft.
  • Verify backups restore from an offline copy, not from on-host snapshots. The disk-damage step means the local recovery story is gone.
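The checks in the list above, as an added example that is not part of Blackpoint’s report or this site’s tooling: an attachment filter that keys on the final extension so a double-extension name like the reported .pdf.lnk is caught, an MSBuild-out-of-context rule, a shadow-copy-tamper rule, and a DNS match against the refanged C2 domain. The event dicts are constructed to look like Sysmon process-creation and DNS-query records; the field names, the set of legitimate MSBuild parents, and the assumption that C: is the system drive are all assumptions to tune for your estate.

```python
"""Detection helpers for the Avalon delivery chain. Added example, not
Blackpoint's code. Event field names (Image, ParentImage, CurrentDirectory,
CommandLine, QueryName) mimic Sysmon but are an assumption, not a schema."""
from __future__ import annotations
import os
import re

# Reported indicator, defanged as published. Refang before matching.
C2_DEFANGED = "helloxcherry[.]com"
C2_DOMAIN = C2_DEFANGED.replace("[.]", ".").lower()

# Container and trigger types that carry this chain.
BLOCKED_EXTENSIONS = {".iso", ".img", ".lnk"}

# Parents that legitimately spawn MSBuild (assumed baseline; tune per estate).
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

# Shadow-copy deletion and VSS termination idioms seen across ransomware families.
SHADOW_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))", re.I),
    re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+vss\b", re.I),
]


def is_blocked_attachment(filename: str) -> bool:
    """True if the attachment's FINAL extension is on the block list.
    'Secure Document CA-283505.pdf.lnk' ends in .lnk; a filter that only
    looks for '.pdf' somewhere in the name waves it through."""
    _, ext = os.path.splitext(filename.strip().lower())
    return ext in BLOCKED_EXTENSIONS


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_msbuild(event: dict) -> bool:
    """Flag MSBuild launched outside a build context: parent is not a build
    host, or the working directory is under a user Temp folder, or it is not
    on the system drive (a mounted ISO gets its own drive letter; C: assumed)."""
    if _basename(event.get("Image", "")) != "msbuild.exe":
        return False
    parent = _basename(event.get("ParentImage", ""))
    cwd = event.get("CurrentDirectory", "").replace("/", "\\").lower()
    in_temp = "\\appdata\\local\\temp" in cwd
    off_system_drive = bool(cwd) and not cwd.startswith("c:\\")
    return parent not in BUILD_PARENTS or in_temp or off_system_drive


def is_shadow_copy_tamper(event: dict) -> bool:
    """True if the command line matches a VSS stop / shadow deletion idiom."""
    return any(p.search(event.get("CommandLine", "")) for p in SHADOW_TAMPER)


def is_c2_lookup(event: dict) -> bool:
    """True if a DNS query is for the reported C2 domain or any subdomain."""
    name = event.get("QueryName", "").lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def triage(events: list[dict]) -> list[tuple[str, dict]]:
    """Run every rule over a batch of events; return (rule_name, event) hits."""
    hits = []
    for ev in events:
        if is_suspicious_msbuild(ev):
            hits.append(("msbuild_off_path", ev))
        if is_shadow_copy_tamper(ev):
            hits.append(("shadow_copy_tamper", ev))
        if is_c2_lookup(ev):
            hits.append(("c2_lookup", ev))
    return hits


# Constructed sample telemetry (not real logs): a benign Visual Studio build,
# MSBuild spawned by Explorer from a mounted ISO on E:, a shadow deletion,
# a benign DNS lookup, and a lookup of the reported C2 domain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CurrentDirectory": r"C:\src\app", "CommandLine": "MSBuild.exe app.csproj"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": "E:\\",
     "CommandLine": r"MSBuild.exe E:\doc.proj"},  # project name is made up
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": r"C:\Windows\System32",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.microsoft.com"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\avalon.exe",
     "QueryName": "api.helloxcherry.com"},
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev.get("CommandLine") or ev.get("QueryName"))
```

The off-system-drive heuristic will fire on hosts that keep source trees on a D: data volume; either drop it there or replace it with a lookup of the drive type, since the point is mounted optical/ISO media, not secondary disks. The regex set covers shadow-copy tampering only; wider pre-encryption tells (boot-config edits, backup-catalog deletion) are deliberately out of scope because the report does not describe them.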

What we don’t know

  • Victims. Blackpoint has not named affected organizations. Sectors and geography: not disclosed.
  • Volume of infections. Not stated.
  • Whether Avalon is being sold, leased, or run by one crew. No affiliate-program indicators reported.
  • Attribution. Not offered.
  • Overlap with other frameworks. Blackpoint has not tied Avalon to a previously named family.
