Avalon Malware Framework: A New AI-Assisted Threat Blending Ransomware with Advanced Evasion
Cybersecurity researchers have uncovered **Avalon**, a sophisticated, modular malware framework distributed via a multi-stage phishing campaign designed to bypass traditional security controls. This new threat integrates credential harvesting, lateral movement, remote access, recovery disruption, and its own ransomware component, **CrownX**, demonstrating signs of AI-assisted development.

Cybersecurity researchers at **Blackpoint Cyber** have detailed a previously undocumented modular malware framework dubbed **Avalon**. This framework is notable for its multi-stage phishing chain, which adeptly evades conventional security measures.
**Avalon** consolidates a wide array of malicious functionalities, including credential collection, lateral movement, remote access, recovery disruption, and ransomware execution. Its ransomware module has been internally named **CrownX**.
### The Phishing Lure and Initial Compromise
According to **Blackpoint Cyber** researchers Nevan Beal and Sam Decker, the attack begins with a spoofed legal document email. Recipients are directed to a password-protected archive hosted on **Proton Drive**. Crucially, the malicious content is embedded within an ISO image rather than directly attached, significantly reducing the likelihood of detection at the email gateway.
Should a recipient interact with a document-themed Windows Shortcut (**"Secure Document CA-283505.pdf.lnk"**) inside the mounted ISO image, a staged malware sequence is initiated. This sequence ultimately leads to the deployment of **Avalon**. The shortcut executes a command to launch an **MSBuild** project located within the ISO.
This **MSBuild** project subsequently loads an embedded .NET assembly. This assembly then interferes with the regular operation of **Event Tracing for Windows (ETW)** to diminish forensic visibility. Following this, it downloads a subsequent payload over HTTPS, which is responsible for launching **Avalon** itself.
### Advanced Evasion and Data Exfiltration
The **Avalon** framework is equipped with an extensive defense evasion subsystem. This subsystem is designed to bypass detection and specifically conceal its execution from security tools associated with major vendors like **Microsoft Defender**, **SentinelOne**, **CrowdStrike**, **Sophos**, **Elastic Endpoint**, **FortiEDR**, **ESET**, **McAfee**, and **Bitdefender**.
Researchers noted that these capabilities provide the framework with numerous methods to reduce telemetry, bypass user-mode monitoring, and adapt its execution based on the defensive controls present on the host system.
**Avalon's** full feature set is comprehensive, including:
* Harvesting credentials, cookies, browsing history, and bookmarks from Chromium-based browsers and **Mozilla Firefox**.
* Gathering data from cryptocurrency wallet applications such as **MetaMask**, **Phantom**, **Coinbase Wallet**, **Exodus**, **Electrum**, **Atomic Wallet**, **Ledger Live**, and **Bitcoin Core**, alongside communication platforms like **Discord**, **Slack**, and **Teams**, and VPN clients like **OpenVPN** and **WireGuard**, as well as **Windows Credential Manager**.
* Collecting details on **SSH** known hosts, saved **RDP** connections, Wi-Fi profiles, and **Group Policy Preferences cpassword** artifacts.
* Exfiltrating collected data to a remote server (**"helloxcherry[.]com"**) and polling this server for tasking commands.
* Performing reconnaissance to prioritize systems that can expand the scope of the compromise.
* Encrypting files related to business operations, software development, engineering, data storage, and virtual infrastructure using the Windows **Cryptography API**. It then delivers a ransom note detailing payment instructions and deadline timers, indicating when the ransom amount will increase.
* Inhibiting system recovery by terminating the **Volume Shadow Copy Service** and deleting shadow copies.
* Employing an anti-forensic cleanup subsystem to remove artifacts and complicate incident response efforts.
* Directly interacting with disk structures, potentially to damage partition information, boot records, or other critical drive areas, effectively rendering the system unusable.
**Blackpoint Cyber** emphasized that **CrownX** represents the final extortion stage, but the damage extends far beyond mere encryption. By the time the ransom note appears, the broader framework has already harvested credentials, established command-and-control (C2) communications, prepared multiple paths for lateral movement, and weakened local recovery options.
### The AI Factor in Modern Malware
An important aspect of **Avalon** is the presence of signs pointing to artificial intelligence (AI)-assisted development. The framework appears to assemble multiple components with little regard for sophisticated tradecraft or operational security, aspects that typically require significant expertise to build.
This finding underscores how AI can lower the barrier to entry for malware development, making it more accessible with less time and effort. It enables actors with limited technical expertise and resources to create tools that would otherwise demand extensive development. Consequently, the presence of a certain capability is no longer a reliable indicator of a threat actor's sophistication or operational maturity.
**Blackpoint Cyber** concluded that the kill chain demonstrates how a familiar business lure can escalate into a reusable, multi-capability framework designed for credential harvesting, in-memory payload retrieval, and staging multiple follow-on actions from a single compromised endpoint.
### LLMs Driving Agentic Ransomware Attacks
This disclosure coincides with **Sysdig's** recent findings regarding what they believe to be the first publicly documented agentic ransomware infection. This attack was driven by a large language model (LLM) from start to finish, with the LLM retrying and tweaking its actions in real-time to complete tasks. The agentic threat actor (ATA) behind this operation has been codenamed **JADEPUFFER**.
**Sysdig's** Michael Clark reported that the operator gained initial access to an internet-facing **Langflow** instance through **CVE-2025-3248**. They then executed an adaptive and fully automated campaign, ultimately pivoting to the intended target and running a destructive database-extortion playbook against the victim's production database server.
Clark warned that the skill floor for running ransomware has dropped to whatever it costs to run an agent. If that agent is operating on stolen credentials through **LLMjacking**, the cost to an attacker approaches zero.
### AI Malware Leveraging LLMs for Codeless Attacks
These developments also follow the discovery of AI malware that combines a **Telegram** bot with a public LLM API to engineer a codeless attack. Once launched, this implant transmits basic system details to the attacker's **Telegram** bot and enters a command-and-control (C2) loop, polling the bot API every five seconds for new messages. Command execution results are exfiltrated via the same channel.
The unique aspect of this malware is an LLM translation layer. Each operator message is forwarded to a public LLM API endpoint (**"api.groq[.]com/openai/v1/chat/completions"**), which then translates natural language instructions into equivalent shell commands. This artifact was uploaded to **VirusTotal** on March 11, 2026, and currently has zero detections across all engines.
**Palo Alto Networks Unit 42** explained that this work introduces an LLM translation layer that replaces shell syntax with plain text. The attacker types plaintext instructions in **Telegram**, the LLM translates these instructions into shell commands, and the victim executes those commands. This eliminates the need for command-line knowledge, making sophisticated attacks accessible to a broader range of actors.