logo

Avalon Malware Uses Legal Document Lure to Deliver CrownX Ransomware Capabilities

ID: 8bb88ce4-fcb7-5ccf-bb4c-3529df04857c

STIX ID: report--8bb88ce4-fcb7-5ccf-bb4c-3529df04857c

Feed Name: GBHackers

Threat Score
78/100

Date Published: 2026-07-04

Date Updated: 2026-07-04

Author: Mayura Kathir

...
...

This report describes the Avalon malware framework and its ransomware component CrownX, delivered via a password-protected Proton Drive ISO that used a fake legal-document lure and an MSBuild-based, fileless multi-stage chain to execute in memory. Avalon consolidates credential theft, persistence, lateral movement, anti-forensics, and destructive recovery disruption (including disk overwrite routines) into a single modular payload; CrownX performs robust AES-GCM encryption, targets backup solutions, and produces a parameterized ransom note. The report includes detailed TTPs and IoCs (filenames, staging domain/URL, custom HTTP header, user-agent, encrypted file extension, and a bitcoin address) to support detection and mitigation.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.