    New Avalon Malware Framework Packs CrownX Ransomware Capabilities

By admin | July 3, 2026 | 5 Mins Read

    Cybersecurity researchers have discovered a previously undocumented modular malware framework codenamed Avalon that’s distributed by means of a multi-stage phishing chain capable of bypassing traditional security controls.

    Avalon combines credential collection, lateral movement, remote access, recovery disruption, and ransomware execution, bringing together diverse functions under one umbrella. The ransomware component has been internally named CrownX. 

    “The attack began with a spoofed legal document email directing recipients to a password protected archive on Proton Drive,” Blackpoint Cyber researchers Nevan Beal and Sam Decker said. “Malicious content was embedded inside an ISO image rather than attached directly, reducing the likelihood of detection at the email layer.”

    Should the email recipient interact with a document-themed Windows Shortcut (“Secure Document CA-283505.pdf.lnk”) inside the mounted image, it triggers a staged malware sequence that culminates in the deployment of Avalon. Specifically, the shortcut runs a command to launch an MSBuild project located in the ISO image.

The MSBuild project, for its part, loads an embedded .NET assembly, which tampers with Event Tracing for Windows (ETW) to reduce forensic visibility and then downloads a next-stage payload over HTTPS that is responsible for launching Avalon.
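The shortcut-to-MSBuild step described above leaves a recognisable trace in process-creation telemetry. The Python below is an added example, not code from Blackpoint Cyber or from this article: it scores msbuild.exe launches on two signals this chain would produce, an unusual parent process (explorer.exe, as when a user double-clicks a shortcut, rather than Visual Studio or a build agent) and a project file located on a volume other than the host's fixed disks (as with a mounted ISO). The event field names mirror Sysmon Event ID 1; the allow-list of benign parents and the set of fixed drive letters are assumptions to be tuned per environment, and the sample events are constructed.

```python
"""Flag msbuild.exe launches that match the shortcut -> MSBuild project pattern.

Added example, not the vendor's code. Input: constructed process-creation events
whose field names mirror Sysmon Event ID 1.
"""
from __future__ import annotations

import ntpath
import re

# Parents that legitimately spawn msbuild.exe on developer and build hosts.
# This allow-list is an assumption for the example; tune it to your environment.
BENIGN_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "agent.worker.exe"}

# Drive letters treated as fixed disks in this constructed environment (assumption).
# A mounted ISO or removable device is assigned some other letter.
FIXED_DRIVES = {"C:", "D:"}

# Split a command line into quoted and bare tokens; match MSBuild project extensions.
PROJECT_TOKEN = re.compile(r'"([^"]+)"|(\S+)')
PROJECT_EXT = re.compile(r"\.(proj|csproj|vbproj|xml|targets)$", re.IGNORECASE)


def project_path_from_cmdline(cmdline: str) -> str | None:
    """Return the first argument that looks like an MSBuild project file, or None."""
    for quoted, bare in PROJECT_TOKEN.findall(cmdline):
        token = quoted or bare
        if PROJECT_EXT.search(token):
            return token
    return None


def classify(event: dict) -> list[str]:
    """Reasons an msbuild.exe launch is suspicious; an empty list means nothing to flag."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "msbuild.exe":
        return []
    reasons: list[str] = []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent not in BENIGN_MSBUILD_PARENTS:
        reasons.append(f"unusual parent process: {parent or 'unknown'}")
    project = project_path_from_cmdline(event.get("CommandLine", ""))
    if project:
        drive = ntpath.splitdrive(project)[0].upper()
        if drive and drive not in FIXED_DRIVES:
            reasons.append(f"project file on non-fixed volume {drive}")
    return reasons


def scan(events: list[dict]) -> list[tuple[int, int, list[str]]]:
    """(pid, score, reasons) for each flagged event; two independent reasons is the strongest signal."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev["ProcessId"], len(reasons), reasons))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # user double-clicked a shortcut inside a mounted image (letter E:) whose target is msbuild.exe
        "ProcessId": 4120,
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" E:\doc.xml',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # developer build launched from Visual Studio, project on the system disk
        "ProcessId": 5310,
        "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
        "CommandLine": r'"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" C:\src\app\app.csproj /t:Build',
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
    },
    {   # unrelated process, ignored by the rule
        "ProcessId": 6001,
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for pid, score, reasons in scan(SAMPLE_EVENTS):
        print(f"pid {pid} score {score}: " + "; ".join(reasons))
```

Either signal alone is worth a look on a non-developer workstation; both together on the same launch is the combination the chain above produces. The rule deliberately ignores what the project file contains, since the page notes the assembly is embedded in the project and retrieved in memory, so content-based inspection would need a different data source.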

The malware framework includes an extensive defense evasion subsystem, incorporating specific methods to conceal execution from security tools associated with Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender.

    “These capabilities give the framework a multitude of ways to reduce telemetry, bypass user mode monitoring, and adjust its execution depending on the defensive controls present on the host,” the researchers said.

    The complete set of features built into Avalon is as follows –

    • Harvest credentials, cookies, history, and bookmarks from Chromium-based browsers and Mozilla Firefox.
    • Gather data from cryptocurrency wallet apps like MetaMask, Phantom, Coinbase Wallet, Exodus, Electrum, Atomic Wallet, Ledger Live, and Bitcoin Core, along with Discord, Slack, Teams, OpenVPN, WireGuard, and Windows Credential Manager.
    • Collect details about SSH known hosts, saved RDP connections, Wi-Fi profiles, and Group Policy Preferences cpassword artifacts.
• Exfiltrate data to a remote server (“helloxcherry[.]com”) and poll the server for tasking commands.
    • Perform reconnaissance and prioritize systems that can expand the scope of the compromise.
    • Encrypt files associated with business operations, software development, engineering, data storage, and virtual infrastructure using Windows Cryptography API and deliver a ransom note containing payment instructions and deadline timers that show how much time is left before the ransom amount is increased.
    • Inhibit system recovery by terminating the Volume Shadow Copy Service and deleting shadow copies.
    • Remove traces of artifacts using an anti-forensic cleanup subsystem to complicate incident response efforts.
• Directly interact with disk structures, likely in an effort to damage partition information, boot records, or other critical areas of the drive, effectively rendering the system unusable.

    “CrownX represented the final extortion stage, but the damage extended well beyond the encryption itself,” the company said. “By the time the ransom note appeared, the broader framework had already collected credentials, established C2 communications, prepared multiple paths for lateral movement, and weakened local recovery options.”

Another important detail is that Avalon shows signs of artificial intelligence (AI)-assisted development: its multiple components have been assembled with scant regard for sophisticated tradecraft or operational security, even though a framework of this breadth would ordinarily require significant expertise to build.

The findings are yet another sign of how AI can lower the barrier to entry, making malware development more accessible with little time and effort, and allowing actors with little technical expertise or resources to produce tools that would otherwise require extensive development effort. In other words, the presence of a certain capability is no longer a reliable indicator of a threat actor’s sophistication or operational maturity.

    “The kill chain illustrates how a familiar business lure can progress into a reusable, multi-capability framework designed to harvest credentials, retrieve subsequent payloads entirely in memory, and stage multiple follow-on actions from a single compromised endpoint,” Blackpoint Cyber said.

    LLM Behind an Agentic Ransomware Attack

    The disclosure comes as Sysdig detailed what it said was the first publicly documented agentic ransomware infection driven by a large language model from start to finish, while retrying and tweaking its actions in real-time to complete tasks. The agentic threat actor (ATA) behind the operation has been codenamed JADEPUFFER.

    The operator “gained initial access to an internet-facing Langflow instance through CVE-2025-3248 and ran an adaptive and fully automated campaign, ultimately pivoting to the intended target and running a destructive database-extortion playbook against the victim’s production database server,” Sysdig’s Michael Clark said.

    “The skill floor for running ransomware has dropped to whatever it costs to run an agent, and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero.”

    AI Malware That Uses LLM in a Codeless Attack

    The findings also follow the discovery of an AI malware that brings together a Telegram bot with a public LLM API to devise a codeless attack. Once launched, the implant transmits basic details about the compromised system to the attacker’s Telegram bot and enters into a command-and-control (C2) loop that polls the bot API every 5 seconds for new messages. The results of the command execution are exfiltrated back using the same channel.

What sets this malware apart is that each operator message is forwarded to a public LLM API endpoint (“api.groq[.]com/openai/v1/chat/completions”), which translates the attacker’s natural-language instructions into the equivalent shell command. The artifact was uploaded to the VirusTotal platform on March 11, 2026, and has zero detections across all engines to date.
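The polling loop described above (a fixed 5-second interval against a bot API, plus calls to a public LLM completion endpoint from the same process) is visible in outbound-connection telemetry even when no engine flags the file. The Python below is an added example, not Unit 42's code: it groups constructed Sysmon Event ID 3-style connection records by process and destination, flags destinations contacted at a regular rhythm (low coefficient of variation of the inter-arrival times), and separately lists processes that contact both a messaging bot API and an LLM API. api.groq.com is the endpoint the page names; api.telegram.org is the Telegram Bot API host; both host sets are otherwise assumptions, and the sample records are constructed.

```python
"""Spot regular polling and the bot-API-plus-LLM-API pairing in outbound connections.

Added example, not the vendor's code. Input: constructed connection records whose
field names mirror Sysmon Event ID 3.
"""
from __future__ import annotations

import ntpath
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Operator channel and LLM translation-layer hosts. api.groq.com is named on the page;
# api.telegram.org is the Telegram Bot API host. Extending these sets is an assumption.
BOT_API_HOSTS = {"api.telegram.org"}
LLM_API_HOSTS = {"api.groq.com"}


def inter_arrival_seconds(timestamps: list[datetime]) -> list[float]:
    """Gaps between consecutive connections, in seconds."""
    ordered = sorted(timestamps)
    return [(later - earlier).total_seconds() for earlier, later in zip(ordered, ordered[1:])]


def beacon_score(intervals: list[float], min_samples: int = 4) -> tuple[float, float] | None:
    """(mean interval, coefficient of variation), or None when there are too few gaps to judge."""
    if len(intervals) < min_samples:
        return None
    avg = mean(intervals)
    if avg <= 0:
        return None
    return avg, pstdev(intervals) / avg


def find_beacons(events: list[dict], max_cv: float = 0.2) -> dict[tuple[str, str], tuple[float, float]]:
    """Map (process, destination) -> (mean interval, cv) for pairs whose timing looks like polling."""
    groups: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ev in events:
        key = (ntpath.basename(ev["Image"]).lower(), ev["DestinationHostname"].lower())
        groups[key].append(datetime.fromisoformat(ev["UtcTime"]))
    beacons = {}
    for key, stamps in groups.items():
        score = beacon_score(inter_arrival_seconds(stamps))
        if score is not None and score[1] <= max_cv:
            beacons[key] = score
    return beacons


def llm_c2_candidates(events: list[dict]) -> set[str]:
    """Processes that talk to both a bot API and an LLM API: the two halves of the codeless C2 loop."""
    destinations: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        destinations[ntpath.basename(ev["Image"]).lower()].add(ev["DestinationHostname"].lower())
    return {proc for proc, hosts in destinations.items() if hosts & BOT_API_HOSTS and hosts & LLM_API_HOSTS}


def _rec(image: str, host: str, when: str) -> dict:
    return {"Image": image, "DestinationHostname": host, "UtcTime": when}


# Constructed connection records, not real telemetry.
IMPLANT = r"C:\Users\u\AppData\Local\Temp\implant.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_CONNECTIONS = [
    # implant polling the bot API roughly every five seconds, with a little jitter
    _rec(IMPLANT, "api.telegram.org", "2026-03-11T09:00:00.000"),
    _rec(IMPLANT, "api.telegram.org", "2026-03-11T09:00:05.100"),
    _rec(IMPLANT, "api.telegram.org", "2026-03-11T09:00:10.000"),
    _rec(IMPLANT, "api.telegram.org", "2026-03-11T09:00:15.200"),
    _rec(IMPLANT, "api.telegram.org", "2026-03-11T09:00:20.100"),
    _rec(IMPLANT, "api.telegram.org", "2026-03-11T09:00:25.100"),
    # the same implant asking the LLM endpoint to translate one operator message
    _rec(IMPLANT, "api.groq.com", "2026-03-11T09:00:12.400"),
    # a browser using the same LLM API at human pace: no regular rhythm, no bot channel
    _rec(CHROME, "api.groq.com", "2026-03-11T09:00:01.000"),
    _rec(CHROME, "api.groq.com", "2026-03-11T09:00:40.000"),
    _rec(CHROME, "api.groq.com", "2026-03-11T09:03:05.000"),
]

if __name__ == "__main__":
    for (proc, host), (avg, cv) in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"regular polling: {proc} -> {host} every {avg:.1f}s (cv={cv:.2f})")
    print("bot API + LLM API from one process:", sorted(llm_c2_candidates(SAMPLE_CONNECTIONS)))
```

The two checks are deliberately separate: a chat client or a browser tab can legitimately hit an LLM API, and plenty of benign software polls on a timer, but one unsigned binary in a temp directory doing both is the shape of the loop the page describes. Lowering `max_cv` tightens the rhythm test; raising `min_samples` trades faster alerting for fewer false positives.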

    “This work introduces an LLM translation layer that replaces shell syntax with plain text. The attacker types plaintext instructions in Telegram,” Palo Alto Networks Unit 42 said. “The LLM translates the instructions into shell commands. And the victim executes the shell commands. No command-line knowledge is required.”
