CrownX Ransomware Embedded Inside Avalon Framework Targets Recovery and Backup Systems
ID: 2c5a17a4-ae06-567e-b751-ece42b1c6e49
STIX ID: report--2c5a17a4-ae06-567e-b751-ece42b1c6e49
Feed Name: Cyber Press
A technical report on the Avalon malware framework and its CrownX ransomware module that used staged ISO-based phishing to deliver an MSBuild in-memory loader, harvest credentials, and prioritize backup and virtualization systems for lateral movement and extortion. CrownX employed strong cryptography for file encryption, actively disrupted recovery mechanisms (VSS, WinRE, shadow copies), included anti-forensic and disk-corruption capabilities, and the report provides multiple IoCs (filenames, staging domain/URL, custom HTTP header, encrypted file extension, and a bitcoin address).
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
