Last updated: July 5, 2026 at 9:01 AM UTC
Tag: crownx (1 article)

Avalon malware framework bundles phishing, remote access, and CrownX ransomware

Blackpoint Cyber documented Avalon, a previously undocumented modular malware framework that pulls credential theft, lateral movement, remote access, backup disruption, and ransomware into one toolkit; its ransomware component is named CrownX. The attack starts with a spoofed legal-document email linking to a password-protected archive on Proton Drive. Inside the archive is an ISO image rather than a document, a packaging choice that helps the payload slip past email scanning. Opening a document-themed Windows shortcut (.lnk) inside the mounted image kicks off the infection chain. By pairing evasive delivery with a full attack toolkit under one roof, Avalon lets operators run an intrusion from initial access through data theft to encryption.

Check
Alert staff to legal-themed emails that link to password-protected archives on cloud storage. In process telemetry, hunt for script interpreters (cmd.exe, powershell.exe, wscript.exe, mshta.exe and the like) launched by explorer.exe with a working directory or command line on a drive letter that an ISO was just mounted to, which is what a double-clicked shortcut inside the image looks like, and then for the follow-on scripts that process chain triggers.
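The hunt described above, written out as an added example (this is not code from Blackpoint's report or from the Avalon analysis). It correlates a drive letter being mounted with script hosts that explorer.exe then launches from that drive, and follows the chain to child script hosts. The events are constructed: the "process" records use Sysmon Event ID 1 field names, while the "mount" record is a hypothetical normalized event that an EDR or SIEM pipeline is assumed to emit when Windows surfaces an ISO as a new drive letter; adapt the field names to your own telemetry.

```python
"""Correlate ISO mounts with script hosts launched from the mounted drive.

Added example; the sample events are constructed, not real telemetry.
"""
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Interpreters a document-themed .lnk typically launches to start a script chain.
SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Constructed sample telemetry. The 'mount' record is a hypothetical normalized
# event (assumed field names); 'process' records follow Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"type": "mount", "time": "2026-07-01T09:00:05", "drive": "E:",
     "image": "C:\\Users\\alice\\Downloads\\Legal_Notice_0425.iso"},
    # Shortcut double-clicked inside the mounted image: explorer.exe -> cmd.exe on E:
    {"type": "process", "time": "2026-07-01T09:00:20", "pid": 4120, "ppid": 1688,
     "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\explorer.exe",
     "cwd": "E:\\", "cmdline": "cmd.exe /c start /min powershell -w hidden -f E:\\data\\update.ps1"},
    # Follow-on script host spawned by the flagged cmd.exe.
    {"type": "process", "time": "2026-07-01T09:00:21", "pid": 4136, "ppid": 4120,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "cwd": "E:\\",
     "cmdline": "powershell -w hidden -f E:\\data\\update.ps1"},
    # Benign: a user opens a PowerShell prompt from their profile, not from E:.
    {"type": "process", "time": "2026-07-01T09:05:00", "pid": 5000, "ppid": 1688,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cwd": "C:\\Users\\alice",
     "cmdline": "powershell.exe"},
    # Benign: notepad from the mounted drive is not a script host.
    {"type": "process", "time": "2026-07-01T09:01:00", "pid": 5100, "ppid": 1688,
     "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe",
     "cwd": "E:\\", "cmdline": "notepad.exe E:\\readme.txt"},
    # Outside the correlation window: same drive letter hours after the mount.
    {"type": "process", "time": "2026-07-01T14:00:00", "pid": 6000, "ppid": 1688,
     "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\explorer.exe",
     "cwd": "E:\\", "cmdline": "cmd.exe"},
]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _drives(*fields):
    """Drive letters referenced by the given path or command-line strings."""
    found = set()
    for f in fields:
        found.update(d.upper() for d in re.findall(r"\b([A-Za-z]:)\\", f or ""))
    return found


def hunt(events, window_seconds=900):
    """Return findings: script hosts explorer.exe launched from a drive mounted
    within window_seconds, plus script hosts descending from a flagged process."""
    findings, flagged, mounts = [], set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "mount":
            mounts.append((t, ev["drive"].upper(), ev["image"]))
            continue
        if ev["type"] != "process" or _basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        reason = None
        if _basename(ev["parent_image"]) == "explorer.exe":
            # Stage 1: the shortcut launch, seen as explorer.exe -> script host on the ISO drive.
            touched = _drives(ev.get("cwd"), ev.get("cmdline"))
            for mt, drive, image in mounts:
                age = (t - mt).total_seconds()
                if drive in touched and 0 <= age <= window_seconds:
                    reason = f"script host launched from {drive} {int(age)}s after {image} was mounted"
                    break
        elif ev["ppid"] in flagged:
            # Stage 2: follow-on scripts in the chain started by a flagged process.
            reason = f"child of flagged pid {ev['ppid']}"
        if reason:
            flagged.add(ev["pid"])
            findings.append({"pid": ev["pid"], "image": _basename(ev["image"]),
                             "cmdline": ev["cmdline"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']}: {f['reason']}\n    {f['cmdline']}")
```

The correlation window matters: a drive letter is reused over a day, so a script host on E: hours after the mount is not evidence on its own, while one spawned seconds after the mount from a Downloads-sourced ISO is exactly the shortcut-in-image pattern the report describes. Mount events vary by vendor; if your telemetry lacks one, the weaker fallback is to flag explorer.exe spawning a script host whose working directory is any drive letter that is not a fixed disk.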
Affected
Organizations whose staff can open ISO images and shortcut files delivered through cloud-hosted archives; Avalon then chains credential theft, remote access, and backup disruption into CrownX ransomware deployment.
Fix
Block or restrict automatic mounting of ISO images and execution of shortcut files from downloads, filter links to shared cloud archives, maintain tested offline backups, and train staff on legal-document lures.