logo

CrownX Ransomware Embedded Inside Avalon Framework Targets Recovery and Backup Systems

ID: 2c5a17a4-ae06-567e-b751-ece42b1c6e49

STIX ID: report--2c5a17a4-ae06-567e-b751-ece42b1c6e49

Feed Name: Cyber Press

Threat Score
86/100

Date Published: 2026-07-04

Date Updated: 2026-07-04

Author: Mayura

...
...

A technical report on the Avalon malware framework and its CrownX ransomware module that used staged ISO-based phishing to deliver an MSBuild in-memory loader, harvest credentials, and prioritize backup and virtualization systems for lateral movement and extortion. CrownX employed strong cryptography for file encryption, actively disrupted recovery mechanisms (VSS, WinRE, shadow copies), included anti-forensic and disk-corruption capabilities, and the report provides multiple IoCs (filenames, staging domain/URL, custom HTTP header, encrypted file extension, and a bitcoin address).

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.