GBHackers

Avalon Malware Uses Legal Document Lure to Deliver CrownX Ransomware Capabilities


A previously undocumented malware framework, tracked as Avalon, uses a spoofed legal-document lure and a multi-stage, fileless-oriented chain to deliver a ransomware component internally labeled CrownX.

The campaign demonstrates a shift toward consolidating multiple offensive capabilities into a single recovered payload and highlights how modern development practices, likely including AI assistance, are lowering the bar for threat actors to field sophisticated, modular toolsets.

Hosting the payload outside the email reduced the inspection opportunities available to mail gateways. The archive contained an ISO image that, when mounted, presented a document-styled shortcut and a faux “Mimecast Secure File Logs” folder.

The visible files reinforced the secure-document ruse while the real payload resided in an MSBuild project file disguised with a .tmp extension.

The in-memory loader implemented multiple telemetry-evasion techniques: it resolved and patched ETW (Event Tracing for Windows) entry points and tampered with AMSI (Antimalware Scan Interface) flows so that security products would either report success or be bypassed.

The managed downloader used a permissive certificate callback, a browser-like User-Agent, and a custom request header to retrieve an encrypted remote payload.

That response required HMAC-SHA256 keyed validation and an offset-driven keystream to decrypt, keeping the server-delivered PE resistant to passive analysis.

Staging archive hosted on Proton Drive (Source: Blackpoint).

Blackpoint’s Adversary Pursuit Group (APG) identified the malware framework, now tracked as Avalon. The intrusion began with a convincingly themed email directing recipients to a password-protected archive on Proton Drive rather than attaching malware to the message.

CrownX Ransomware Capabilities

The loader manually mapped the decrypted PE into process memory, resolved imports, applied relocations, and registered exception tables, enabling the final native binary to run without creating a new process or leaving a file on disk.

Launching the shortcut invoked cmd.exe and then MSBuild.exe, which used the CodeTaskFactory task factory to compile and execute embedded C# code, loading the next-stage assembly entirely in memory and avoiding disk-backed executables.

Cleaned up logic of the malicious .lnk file (Source: Blackpoint).

The recovered native implant acted as an orchestration framework, labeled Avalon by its developer, that consolidated credential harvesting, persistence, lateral movement, anti-forensics, recovery disruption, and extortion into one package.

Avalon harvested browser data (including Chromium and Firefox stores), wallets and crypto-related files, messaging tokens, VPN and SSH key artifacts, Wi‑Fi profiles, and Windows credential material via DPAPI calls.

During encryption, FlushViewOfFile committed the modified mapped data back to disk, while SetEndOfFile let the ransomware adjust the final file size after appending or removing metadata.

Avalon contained a local credential-validation routine to turn weak or harvested secrets into validated access for propagation. Its C2 communications used WinHTTP POSTs to an /api/v2/tasking endpoint on helloxcherry[.]com, formatted to resemble legitimate web traffic.

The reconstructed CrownX HTML template (Source: Blackpoint).

Avalon prioritized high-value targets and backup infrastructure (Veeam, Acronis, NetApp, Synology, Hyper-V, vCenter and others) and staged follow-on components via administrative shares and commonly writable system paths.

The HTML ransom note template was more than a static payment message. It included placeholders that CrownX could populate with details from the affected system, including the number of files encrypted.

For remote execution, Avalon leveraged trusted Microsoft tooling (MSBuild, csc, InstallUtil) to run .NET components, increasing the likelihood of success in constrained environments.

The ransomware module, CrownX, implemented robust cryptography via Windows CNG and AES-GCM, used file mapping for efficient bulk encryption, supported transactional file operations, and appended structured metadata to allow controlled decryption when keys are provided.

CrownX also attempted to neutralize recovery by stopping and deleting VSS snapshots, corrupting recovery environment artifacts, and deleting system restore metadata.

A comprehensive anti-forensic subsystem removed Prefetch, AmCache, SRUM, ShimCache, timeline artifacts, PowerShell history, RDP caches, and other investigator-relevant records.

Avalon also contained direct disk-access routines capable of overwriting physical drives, raising the risk from recoverable encryption to potential irrecoverable damage.

Operationally, Avalon’s significance lies in integration and accessibility: credential theft, persistence, and ransomware are bundled under one developer-labeled framework, and evidence suggests rapid assembly likely aided by modern assistive tooling.

Indicators of Compromise (IoCs)

ISO image: Secure_Document_CA-283505_pdf.iso
  Context: Mounted image containing the fake PDF shortcut and MSBuild project.

Shortcut: Secure Document CA-283505.pdf.lnk
  Context: Fake PDF shortcut that launched cmd.exe and used a Microsoft Edge icon.

MSBuild project: Mimecast Secure File Logs\zfighv.tmp
  Context: Malicious MSBuild XML project copied from the ISO.

Decoy file: Mimecast Secure File Logs\verification.txt
  Context: Decoy text file in the ISO.

Decoy file: Mimecast Secure File Logs\manifest.xml
  Context: Decoy XML file in the ISO.

Temporary project path: %TEMP%\ngen0cc9.dat
  Context: Temporary copy of the MSBuild project executed by MSBuild.exe.

Staging domain: helloxcherry[.]com
  Context: Remote staging domain contacted by the managed loader.

Staging URL: hxxps://helloxcherry[.]com/cdn/static/c3587edc48c37656b29bcd3da9458eea/update
  Context: Encrypted remote object retrieved by the managed loader. The URL was unavailable during later sandbox testing.

HTTP header: X-Edge-Cache: e3ec5926a167d6e3359f98cdfb7ac3b2cce97652843056505d02e6d2898573c6
  Context: Custom header sent by the managed loader during remote stage retrieval.

User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
  Context: User agent sent by the managed loader.

Encrypted file extension: .8hn2yc
  Context: Extension associated with CrownX encrypted files.

Cryptocurrency address: bc1qq9tx6p99jpqcj9p6nr3mwc3f9q3sxmj45l4anz
  Context: Bitcoin address embedded in the ransom note.

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
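As an added example (not code from the report or from Blackpoint), the following Python turns the IoC table above and the cmd.exe-to-MSBuild.exe chain and /api/v2/tasking C2 traffic described earlier into checks a defender can run over proxy logs and process-creation events. The log formats and sample records are constructed, and the temp-directory and project-extension heuristics are assumptions rather than anything the report states.

```python
import re
from pathlib import PureWindowsPath
# Indicators copied from the article's IoC table, kept defanged exactly as published.
IOC_DOMAIN = "helloxcherry[.]com"
IOC_URL = "hxxps://helloxcherry[.]com/cdn/static/c3587edc48c37656b29bcd3da9458eea/update"
IOC_HEADER = "X-Edge-Cache: e3ec5926a167d6e3359f98cdfb7ac3b2cce97652843056505d02e6d2898573c6"
IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
IOC_C2_PATH = "/api/v2/tasking"
PROJECT_EXTS = {".proj", ".csproj", ".vbproj", ".sln", ".targets", ".props"}  # assumed "normal" types

def refang(indicator):
    """Undo the [.] and hxxp defanging so an indicator can be compared with raw log text."""
    return indicator.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")

def match_web_log(line):
    """Names of the table's network IoCs present in one (constructed-format) proxy/web log line."""
    checks = [("staging_domain", refang(IOC_DOMAIN)), ("x_edge_cache_header", IOC_HEADER),
              ("c2_tasking_path", IOC_C2_PATH), ("loader_user_agent", IOC_USER_AGENT)]
    return [name for name, needle in checks if needle in line]

def triage_web_log(line):
    """The User-Agent is an ordinary browser string, so on its own it is only a weak signal."""
    hits = match_web_log(line)
    return "none" if not hits else ("low" if hits == ["loader_user_agent"] else "high")

def is_suspicious_msbuild(parent_image, image, cmdline):
    """cmd.exe -> MSBuild.exe with a project argument that is not a normal project type
    (the disguised .tmp project) or lives under a temp directory (the %TEMP% .dat copy)."""
    if (PureWindowsPath(image).name.lower() != "msbuild.exe"
            or PureWindowsPath(parent_image).name.lower() != "cmd.exe"):
        return False
    args = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline)][1:]  # drop argv[0]
    for arg in args:
        if arg.startswith(("/", "-")):
            continue  # an MSBuild switch, not a project path
        low, suffix = arg.lower(), PureWindowsPath(arg).suffix.lower()
        if "\\temp\\" in low or low.startswith("%temp%") or (suffix and suffix not in PROJECT_EXTS):
            return True
    return False

# Constructed sample records (not from the report) that exercise the checks above.
SAMPLE_WEB_LOG = [
    'GET https://helloxcherry.com/cdn/static/c3587edc48c37656b29bcd3da9458eea/update '
    'UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" '
    'X-Edge-Cache: e3ec5926a167d6e3359f98cdfb7ac3b2cce97652843056505d02e6d2898573c6',
    'POST https://helloxcherry.com/api/v2/tasking UA="curl/8.0"',
    'GET https://example.com/ UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
]
SAMPLE_PROCESS = ("C:\\Windows\\System32\\cmd.exe",
                  "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
                  r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" "%TEMP%\ngen0cc9.dat" /nologo')
```

Re-fang only inside the tooling that consumes these checks, as the note above recommends; the defanged constants are what should live in any shared documentation.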
