Avalon Malware Uses Legal Document Lure to Deliver CrownX Ransomware Capabilities
ID: 8bb88ce4-fcb7-5ccf-bb4c-3529df04857c
STIX ID: report--8bb88ce4-fcb7-5ccf-bb4c-3529df04857c
Feed Name: GBHackers
This report describes the Avalon malware framework and its ransomware component CrownX, delivered via a password-protected Proton Drive ISO that used a fake legal-document lure and an MSBuild-based, fileless multi-stage chain to execute in memory. Avalon consolidates credential theft, persistence, lateral movement, anti-forensics, and destructive recovery disruption (including disk overwrite routines) into a single modular payload; CrownX performs robust AES-GCM encryption, targets backup solutions, and produces a parameterized ransom note. The report includes detailed TTPs and IoCs (filenames, staging domain/URL, custom HTTP header, user-agent, encrypted file extension, and a bitcoin address) to support detection and mitigation.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
