Cybersecurity researchers have discovered a previously undocumented modular malware framework codenamed Avalon that’s distributed by means of a multi-stage phishing chain capable of bypassing traditional security controls.
Avalon combines credential collection, lateral movement, remote access, recovery disruption, and ransomware execution, bringing together diverse functions under one umbrella. The ransomware component has been internally named CrownX.
“The attack began with a spoofed legal document email directing recipients to a password protected archive on Proton Drive,” Blackpoint Cyber researchers Nevan Beal and Sam Decker said. “Malicious content was embedded inside an ISO image rather than attached directly, reducing the likelihood of detection at the email layer.”
Should the email recipient interact with a document-themed Windows Shortcut (“Secure Document CA-283505.pdf.lnk”) inside the mounted image, it triggers a staged malware sequence that culminates in the deployment of Avalon. Specifically, the shortcut runs a command to launch an MSBuild project located in the ISO image.
The MSBuild project, for its part, loads an embedded .NET assembly, which then interferes with the regular functioning of Event Tracing for Windows (ETW) to reduce forensic visibility and download a next-stage payload over HTTPS responsible for launching Avalon.
The malware framework boasts of an extensive defense evasion subsystem that aims to evade detection, while incorporating specific methods to conceal execution from security tools associated with Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender.
“These capabilities give the framework a multitude of ways to reduce telemetry, bypass user mode monitoring, and adjust its execution depending on the defensive controls present on the host,” the researchers said.
The complete set of features built into Avalon is as follows –
- Harvest credentials, cookies, history, and bookmarks from Chromium-based browsers and Mozilla Firefox.
- Gather data from cryptocurrency wallet apps like MetaMask, Phantom, Coinbase Wallet, Exodus, Electrum, Atomic Wallet, Ledger Live, and Bitcoin Core, along with Discord, Slack, Teams, OpenVPN, WireGuard, and Windows Credential Manager.
- Collect details about SSH known hosts, saved RDP connections, Wi-Fi profiles, and Group Policy Preferences cpassword artifacts.
- Exfiltrate data to a remote server (“helloxcherry[.]com”) and poll the server for receiving tasking commands.
- Perform reconnaissance and prioritize systems that can expand the scope of the compromise.
- Encrypt files associated with business operations, software development, engineering, data storage, and virtual infrastructure using Windows Cryptography API and deliver a ransom note containing payment instructions and deadline timers that show how much time is left before the ransom amount is increased.
- Inhibit system recovery by terminating the Volume Shadow Copy Service and deleting shadow copies.
- Remove traces of artifacts using an anti-forensic cleanup subsystem to complicate incident response efforts.
- Directly interact with disk structures likely in an effort to damage partition information, boot records, or other critical areas of the drive, effectively rendering the system unusable.
“CrownX represented the final extortion stage, but the damage extended well beyond the encryption itself,” the company said. “By the time the ransom note appeared, the broader framework had already collected credentials, established C2 communications, prepared multiple paths for lateral movement, and weakened local recovery options.”
Another important detail is that Avalon shows signs of artificial intelligence (AI)-assisted development, one that has assembled multiple components with scant regard for sophisticated tradecraft or operational security, something that requires significant expertise to build.
The findings are yet another sign of how AI can lower the barrier to entry, making malware development more accessible with little time and effort, and even allowing actors with little technical expertise and resources to come up with tools that may require extensive development effort. In other words, the presence of a certain capability is no longer a reliable indicator of a threat actor’s sophistication or operational maturity.
“The kill chain illustrates how a familiar business lure can progress into a reusable, multi-capability framework designed to harvest credentials, retrieve subsequent payloads entirely in memory, and stage multiple follow-on actions from a single compromised endpoint,” Blackpoint Cyber said.
LLM Behind an Agentic Ransomware Attack
The disclosure comes as Sysdig detailed what it said was the first publicly documented agentic ransomware infection driven by a large language model from start to finish, while retrying and tweaking its actions in real-time to complete tasks. The agentic threat actor (ATA) behind the operation has been codenamed JADEPUFFER.
The operator “gained initial access to an internet-facing Langflow instance through CVE-2025-3248 and ran an adaptive and fully automated campaign, ultimately pivoting to the intended target and running a destructive database-extortion playbook against the victim’s production database server,” Sysdig’s Michael Clark said.
“The skill floor for running ransomware has dropped to whatever it costs to run an agent, and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero.”
AI Malware That Uses LLM in a Codeless Attack
The findings also follow the discovery of an AI malware that brings together a Telegram bot with a public LLM API to devise a codeless attack. Once launched, the implant transmits basic details about the compromised system to the attacker’s Telegram bot and enters into a command-and-control (C2) loop that polls the bot API every 5 seconds for new messages. The results of the command execution are exfiltrated back using the same channel.
The speciality of this malware is that each operator message is forwarded to a public LLM API endpoint (“api.groq[.]com/openai/v1/chat/completions”), which then translates the natural language instructions provided by the attacker into its equivalent shell command. The artifact was uploaded to the VirusTotal platform on March 11, 2026, and has zero detections across all engines to date.
“This work introduces an LLM translation layer that replaces shell syntax with plain text. The attacker types plaintext instructions in Telegram,” Palo Alto Networks Unit 42 said. “The LLM translates the instructions into shell commands. And the victim executes the shell commands. No command-line knowledge is required.”