Security researchers at Blackpoint Cyber have documented a previously unseen modular malware framework called Avalon, which now carries its own ransomware payload named CrownX. (Source: The Hacker News)
Key Insight: What makes this notable for your organization is the packaging: credential theft, remote access, lateral movement, recovery disruption, and file encryption all sit inside one framework, deployed from a single compromised endpoint.
The attack starts with a spoofed legal document email that points recipients to a password-protected archive on Proton Drive. The malicious payload sits inside an ISO image rather than as a direct attachment, which reduces the chance of detection at the email gateway. Once mounted, a document-themed Windows shortcut (Secure Document CA-283505.pdf.lnk) kicks off the staged infection.
Why this combination matters comes down to sequence. Avalon does not begin with encryption—it begins with reconnaissance and theft. By the time CrownX drops a ransom note, the framework has already harvested credentials from Chromium and Firefox browsers, pulled data from cryptocurrency wallets and collaboration apps like Discord, Slack, and Teams, and established command-and-control channels to helloxcherry[.]com.
"CrownX represented the final extortion stage, but the damage extended well beyond the encryption itself. By the time the ransom note appeared, the broader framework had already collected credentials, established C2 communications, prepared multiple paths for lateral movement, and weakened local recovery options," Blackpoint Cyber said.
Avalon prioritizes files tied to business operations, software development, engineering, data storage, and virtual infrastructure. For firms that run their own build pipelines, engineering workflows, or virtualized environments, this means the encryption targets the systems that keep production running—not just user documents.
This disclosure sits alongside a broader shift researchers are tracking, including an agentic ransomware operation attributed to a threat actor codenamed JADEPUFFER, which ran a fully automated database-extortion campaign driven by a large language model. Avalon itself shows signs of AI-assisted development, meaning the barrier to building multi-capability frameworks is dropping. A tool's capabilities no longer tell you how skilled the operator behind it is.
Attack Chain: From Initial Compromise to Encryption
The Avalon attack chain begins with a single email and ends with wiped disk structures, and every stage in between is designed to reduce the chance a defender sees it happening. The entry point is a phishing message carrying a spoofed legal document that directs the recipient to a password-protected archive hosted on Proton Drive. Using a legitimate cloud storage service and a password on the archive keeps the payload away from email gateway scanning.
The payload lives inside an ISO image rather than as a direct attachment. When you mount that image, the malicious content appears as a Windows Shortcut named Secure Document CA-283505.pdf.lnk. The double extension is meant to read as a PDF, but the .lnk is what actually runs. This maps to MITRE ATT&CK techniques T1566.001 (Phishing: Spearphishing Attachment) and T1204.002 (User Execution: Malicious File).
Interacting with the shortcut runs a command that launches an MSBuild project located inside the same ISO. This is a living-off-the-land technique — MSBuild is a signed Microsoft build tool, so its execution rarely draws attention on its own. The MSBuild project loads an embedded .NET assembly, which is where the framework starts hiding its work.
That assembly interferes with Event Tracing for Windows (ETW) to cut forensic visibility, then downloads a next-stage payload over HTTPS that launches Avalon. Tampering with ETW (ATT&CK T1562.006) means the telemetry your endpoint tools depend on is thinned out before the main payload even runs. In practice, that is the difference between an alert firing and an incident responder reconstructing events after the fact.
Once Avalon is running, its defense evasion subsystem checks the host for security tooling and adjusts behavior accordingly. Blackpoint Cyber researchers documented concealment methods tuned against Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender. The framework retrieves subsequent payloads entirely in memory, which limits the disk artifacts available for later analysis.
With execution established, the framework moves through collection and expansion:
- Credential and secret harvesting from Chromium-based browsers, Firefox, Windows Credential Manager, and configuration for OpenVPN, WireGuard, Discord, Slack, and Teams (ATT&CK T1555, T1539).
- Cryptocurrency wallet theft targeting MetaMask, Phantom, Coinbase Wallet, Exodus, Electrum, Atomic Wallet, Ledger Live, and Bitcoin Core.
- Lateral movement preparation by collecting SSH known hosts, saved RDP connections, Wi-Fi profiles, and Group Policy Preferences cpassword artifacts — the last of these can yield reversible domain credentials.
- Reconnaissance that prioritizes systems capable of widening the compromise across business operations and virtual infrastructure.
Collected data is exfiltrated to the command-and-control domain helloxcherry[.]com, which the malware also polls for tasking commands (ATT&CK T1041, T1071.001). Because the framework has already gathered credentials and mapped lateral paths, the operator can reach file servers, development systems, and virtual infrastructure using legitimate access rather than exploits.
The final stage is the CrownX ransomware component. It encrypts files tied to business operations, software development, engineering, data storage, and virtual infrastructure using the Windows Cryptography API, then drops a ransom note with payment instructions and deadline timers that escalate the demand over time.
"By the time the ransom note appeared, the broader framework had already collected credentials, established C2 communications, prepared multiple paths for lateral movement, and weakened local recovery options," Blackpoint Cyber said.
Before and during encryption, CrownX terminates the Volume Shadow Copy Service and deletes shadow copies (ATT&CK T1490), runs an anti-forensic cleanup routine to remove artifacts, and directly manipulates disk structures to damage partition information and boot records. That last step can render a system unbootable independent of the encryption, so recovery from local copies alone may not be possible.
Business and Operational Impact of Dual Payload Attacks
The dual-payload design of Avalon changes your negotiating position before you even know you have been hit. By the time the CrownX ransom note appears, the framework has already harvested credentials, cookies, browser history, and cryptocurrency wallet data, and moved that information off your network to a remote server. This means the attacker holds two forms of pressure at once: the decryption key you need to restore operations, and a copy of your data they can threaten to leak or sell.
This is the double-extortion model in practice. Paying for decryption does not un-exfiltrate the files that already left your environment. If your organization handles regulated data, that exfiltration is itself a reportable event under most breach-notification regimes, independent of whether you recover your systems.
Consider what Avalon collects and what each item means for you:
- Credentials from Windows Credential Manager, saved RDP connections, and SSH known hosts — attackers gain valid logins to other systems inside and beyond your network, which turns a single compromised endpoint into a foothold across your infrastructure.
- Cryptocurrency wallet data from MetaMask, Phantom, Coinbase Wallet, Exodus, Ledger Live, and others — direct financial theft that is largely irreversible once the funds move.
- Session material from Discord, Slack, and Teams — access to internal communications and the ability to impersonate employees in ongoing conversations.
- OpenVPN and WireGuard configuration data, plus Wi-Fi profiles and Group Policy Preferences cpassword artifacts — the network access details that let an intruder return after you believe you have contained the incident.
The encryption stage is written to hurt operational recovery specifically. Avalon terminates the Volume Shadow Copy Service and deletes shadow copies, so the local restore points Windows keeps for you are gone before the ransom note lands. It also interacts directly with disk structures in a way that can damage partition information and boot records, which can render a machine unbootable rather than merely encrypted.
"By the time the ransom note appeared, the broader framework had already collected credentials, established C2 communications, prepared multiple paths for lateral movement, and weakened local recovery options."
The industries Avalon targets for encryption tell you where the operational pain concentrates. The malware prioritizes files tied to business operations, software development, engineering, data storage, and virtual infrastructure.
If you run a software development pipeline, encryption of source repositories, build artifacts, and engineering files stops releases and can expose proprietary code through the exfiltration channel. Intellectual property theft here does not resolve when systems come back online — the code is already in the attacker's hands.
For virtual infrastructure and data storage operators, the risk multiplies because a single hypervisor or storage host often underpins many downstream workloads. Encrypting or damaging those systems takes multiple tenants or business units offline at once, extending downtime and complicating recovery for every service that depends on them.
There is one detail that shapes how you should think about future incidents. Blackpoint Cyber notes Avalon shows signs of AI-assisted development, meaning tools with this range of capability no longer require a well-resourced, highly skilled team to build. The presence of an advanced feature set is no longer a reliable indicator that a sophisticated actor is behind it, so you should assume a wider pool of operators can run attacks that combine data theft and destructive encryption from a single compromised endpoint.
Detection and Response for Avalon and CrownX
Start today by checking whether any internet-facing Langflow instances in your environment are exposed to CVE-2025-3248, the flaw used to gain initial access in the JADEPUFFER agentic ransomware case. If you run Langflow, apply the vendor's fixed version and pull the affected host offline until patching is confirmed. Even if Langflow isn't in your stack, treat any unauthenticated internet-facing service as a hunting priority.
Following the NIST Cybersecurity Framework, here is how to structure detection and response for Avalon and its CrownX ransomware component.
On the identify side, inventory where you mount external .iso images and where MSBuild.exe runs. Avalon abuses MSBuild to load an embedded .NET assembly, so a legitimate developer tool executing from a mounted image is a strong signal. Flag any host where MSBuild launches outside a known build pipeline.
For protection, restrict or block automatic mounting of ISO images delivered by email, and constrain MSBuild execution through application control so it only runs from approved project directories. These two controls break the specific chain the shortcut file relies on to reach the download stage.
Detection is where the framework works hardest to stay quiet, so tune your monitoring for these behaviors:
- Tampering with Event Tracing for Windows (ETW) to reduce forensic visibility — sudden gaps in ETW providers on an endpoint warrant investigation.
- Outbound HTTPS connections to helloxcherry[.]com for exfiltration and command polling, and any repeated beaconing to unfamiliar domains.
- Access to browser credential stores, cryptocurrency wallet files, SSH known-hosts, saved RDP connections, and Group Policy Preferences cpassword artifacts in quick succession.
- Mass file writes and encryption activity through the Windows Cryptography API, paired with termination of the Volume Shadow Copy Service and shadow copy deletion.
- Direct writes to raw disk structures, which point to attempts to damage partition tables or boot records.
In environments Capstone manages, SentinelOne flags and blocks the endpoint-protection tampering Avalon attempts against Microsoft Defender, CrowdStrike, SentinelOne, Sophos, and the other named security tools, catching the evasion stage before the encryptor runs. Because Avalon adjusts its behavior based on which defensive controls it finds, an EDR that detects tampering itself matters more than one relying on a single static signature.
When you respond to a suspected infection, isolate the affected endpoint from the network immediately but do not power it off — Avalon retrieves later payloads entirely in memory, and a hard shutdown destroys volatile evidence your responders need. Preserve memory captures, then notify your incident response team and legal counsel, since credential and data theft happen before the ransom note ever appears.
Recovery hinges on backups the malware cannot reach. Avalon terminates shadow copy services and directly attacks disk structures, so on-host restore points are unreliable by design.
N-able Cove maintains offsite, immutable backup copies in managed environments, keeping restore points out of reach of the shadow copy deletion and disk-level damage CrownX performs. Test restoration from those offsite copies now, before you need them, and confirm at least one air-gapped copy exists.
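A restore test is only meaningful if you check the restored data, not just that the job finished. The script below is an added example, not N-able Cove's or the article's code: it hashes a directory tree into a manifest and compares a restored copy against that manifest, reporting missing, altered and extra files. The "production" and "restored" trees are constructed in a temporary directory, with one truncated and one missing file, to show what a failed restore looks like.

```python
"""Restore test with integrity verification. Added example: a source tree is
hashed into a manifest, a restored copy is checked against it, and the sample
trees are constructed in a temporary directory rather than taken from any
real backup product."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large restores need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each relative file path under root to its SHA-256 digest.
    Keep the result somewhere the backup job and the protected hosts cannot
    modify; a manifest stored beside the data is lost with the data."""
    manifest: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(restored_root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree to the manifest. Only an empty 'missing' and an
    empty 'altered' list count as a passed restore test."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in current),
        "altered": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "extra": sorted(p for p in current if p not in manifest),
        "ok": sorted(p for p in manifest if current.get(p) == manifest[p]),
    }


def build_sample_scenario() -> Tuple[str, Dict[str, str]]:
    """Constructed scenario: a small 'production' tree and a 'restored' copy in
    which one file came back truncated and one never came back at all."""
    base = tempfile.mkdtemp(prefix="restore-test-")
    src = os.path.join(base, "production")
    os.makedirs(os.path.join(src, "engineering"))
    with open(os.path.join(src, "engineering", "build.yml"), "w") as f:
        f.write("pipeline: release\n")
    with open(os.path.join(src, "engineering", "design.md"), "w") as f:
        f.write("# Architecture notes\n")
    with open(os.path.join(src, "vm-inventory.csv"), "w") as f:
        f.write("host,role\nhv01,hypervisor\n")
    manifest = build_manifest(src)  # taken while the data is known-good

    restored = os.path.join(base, "restored")
    shutil.copytree(src, restored)
    with open(os.path.join(restored, "engineering", "build.yml"), "w") as f:
        f.write("")  # simulate a truncated restore
    os.remove(os.path.join(restored, "vm-inventory.csv"))  # simulate a lost file
    return restored, manifest


if __name__ == "__main__":
    restored_dir, known_good = build_sample_scenario()
    report = verify_restore(restored_dir, known_good)
    status = "PASS" if not report["missing"] and not report["altered"] else "FAIL"
    print(status, report)
```

Run the manifest step against production data on a schedule and keep the manifests with the offsite copies under the same immutability rules, so that after an incident you can tell a clean restore from one that silently brought back damaged files.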
Over the longer term, segment your network so a single compromised endpoint cannot reach production database servers or virtual infrastructure, enforce MFA and privileged access management to slow credential-driven lateral movement, and run a tabletop exercise that walks your team through this exact chain — from a phishing lure through in-memory payload delivery to encryption. Rehearsing the sequence surfaces the gaps in isolation and evidence-handling before a real incident does.
Patching CVE-2025-3248 and Hardening Against Framework Variants
CVE-2025-3248 is the entry point that lets an attacker reach the destructive stages described earlier, so if you run Langflow, patch it first. This flaw affects internet-facing Langflow instances and was used to gain initial access in the JADEPUFFER agentic ransomware case Sysdig documented. Apply the fixed release from Langflow's advisory, and until the patch is confirmed, pull any exposed instance off the public internet or place it behind an authenticated gateway.
The reason this vulnerability matters more than any single downstream capability is placement. Closing it removes the unauthenticated path an automated agent used to pivot into a victim's production database server. An attacker running an agent on stolen credentials pays close to nothing to try, so an exposed instance is a cheap target.
"The skill floor for running ransomware has dropped to whatever it costs to run an agent, and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero." — Sysdig's Michael Clark
Prioritize patching by exposure and blast radius. Work through your estate in this order:
- Internet-facing Langflow and similar orchestration tools — patch or isolate today; these are the reachable choke point.
- Virtual infrastructure and hypervisor management planes — Avalon specifically encrypts files tied to virtual infrastructure, so a hit here takes down many workloads at once.
- Data storage appliances and file servers — these hold the business, engineering, and development data the framework targets for encryption.
- Engineering and software development hosts — often carry SSH known hosts, saved RDP connections, and Group Policy Preferences cpassword artifacts the framework harvests to move sideways.
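The Group Policy Preferences cpassword artifacts named here, in the collection list, and in the detection bullets are worth finding before an intruder does. The script below is an added example, not from the article: it walks a SYSVOL-style tree for the preference XML files that could carry a cpassword attribute and reports the GPO GUID, file and account for each non-empty value, without decrypting anything. The directory layout, the GUIDs and the placeholder cpassword value are constructed for the example.

```python
"""Audit of a SYSVOL-style tree for Group Policy Preferences XML that still
carries a cpassword attribute. Added example: the sample tree, its GUIDs and
the placeholder blob are constructed inline, and the script only locates and
reports entries; it never decrypts them."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# Preference files whose schema allowed an embedded password before MS14-025.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}
# Attribute that names the account, which differs between preference types.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")
GPO_GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def find_cpassword(sysvol_root: str) -> List[Dict[str, str]]:
    """Return one finding per element carrying a non-empty cpassword attribute."""
    findings: List[Dict[str, str]] = []
    for dirpath, _, filenames in os.walk(sysvol_root):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # not well-formed XML; nothing Group Policy would apply
            gpo = GPO_GUID.search(path)
            for elem in root.iter():
                if not elem.attrib.get("cpassword", ""):
                    continue  # an empty cpassword is the post-MS14-025 state
                account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
                findings.append({"gpo": gpo.group(0) if gpo else "?", "file": name,
                                 "account": account, "action": "remove item and rotate password"})
    return findings


# Constructed sample content; the cpassword value is a placeholder, not a real blob.
VULNERABLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc-deploy">
    <Properties action="U" cpassword="PLACEHOLDER-ENCRYPTED-BLOB" userName="svc-deploy"/>
  </User>
</Groups>
"""
CLEAN_SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices>
  <NTService name="Spooler">
    <Properties startupType="AUTOMATIC" serviceName="Spooler" cpassword="" accountName=""/>
  </NTService>
</NTServices>
"""


def build_sample_sysvol() -> str:
    """Lay out Policies/{GUID}/Machine/Preferences/<Area>/<Area>.xml as SYSVOL does."""
    base = tempfile.mkdtemp(prefix="sysvol-")
    layout = {
        ("{11111111-2222-3333-4444-555555555555}", "Groups", "Groups.xml"): VULNERABLE_GROUPS_XML,
        ("{66666666-7777-8888-9999-000000000000}", "Services", "Services.xml"): CLEAN_SERVICES_XML,
    }
    for (guid, area, filename), content in layout.items():
        d = os.path.join(base, "Policies", guid, "Machine", "Preferences", area)
        os.makedirs(d)
        with open(os.path.join(d, filename), "w", encoding="utf-8") as f:
            f.write(content)
    return base


if __name__ == "__main__":
    for finding in find_cpassword(build_sample_sysvol()):
        print(finding)
```

Point it at the SYSVOL share of each domain (the Policies folder) from a host that can read it. Remediation is to delete the preference item and rotate the affected account's password; since MS14-025 the Group Policy editor no longer lets you set passwords through preferences, but items written before that persist in SYSVOL until someone removes them.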
Patching CVE-2025-3248 closes the front door, but the Avalon framework is modular and shows signs of AI-assisted development, which means variants can be reassembled quickly with different loaders and payloads. Treat the initial vulnerability as one of several controls rather than the whole defense.
Even if an attacker gets in another way, several host controls slow or stop the chain:
- Application whitelisting (WDAC or AppLocker) — restrict which binaries and scripts run so an attacker cannot pivot through MSBuild.exe to load an embedded .NET assembly. The recorded chain relies on this specific abuse.
- Script and shortcut execution policy — block or alert on .lnk files that spawn command interpreters and on execution from mounted .iso volumes, which is where the malicious shortcut ran.
- Windows Credential Guard — isolate cached credentials so a browser and Credential Manager harvesting module returns less usable material.
- Least-privilege service accounts — limit which hosts a compromised account can reach, reducing the lateral movement paths the framework prepares.
The framework tampers with Event Tracing for Windows and includes methods to conceal execution from named endpoint tools. Adlumin monitors authentication patterns across managed environments, catching the lateral logins and credential reuse that follow initial access even when local telemetry has been reduced.
A workable timeline: within the first day, patch or isolate exposed Langflow and confirm no active agent sessions. Within the first week, apply application whitelisting and script controls to virtual infrastructure and storage hosts, and enable Credential Guard on engineering and developer machines. Over the following weeks, review service-account permissions and validate that logging survives ETW tampering by testing detections against a mounted ISO and MSBuild launch in a controlled environment.
Key Actions and Ongoing Vigilance
The most important takeaway from the Avalon and CrownX research is that a single successful phishing click now delivers credential theft, remote access, lateral movement, recovery disruption, and file encryption from one endpoint. You cannot treat these as separate problems to solve later. The framework runs them as stages of one operation.
Two facts should shape how you prioritize. First, CVE-2025-3248 is the unauthenticated internet-facing entry point that automated agents used in the JADEPUFFER case, and any exposed instance is a direct path to the destructive stages. Second, the dual-payload model means data has already left your network before the ransom note appears, so containment before CrownX execution is what separates a contained incident from data loss plus encryption.
The researchers noted that Avalon shows signs of AI-assisted development, which means capability no longer signals a sophisticated actor. Blackpoint Cyber put the practical consequence plainly:
"By the time the ransom note appeared, the broader framework had already collected credentials, established C2 communications, prepared multiple paths for lateral movement, and weakened local recovery options."
Assume campaigns using this delivery method — spoofed legal documents, ISO images, and in-memory payload retrieval — are active against organizations in your sector. The lure is a familiar business document, and the framework is reusable across targets.
Because Avalon terminates the Volume Shadow Copy Service, deletes shadow copies, and interacts directly with disk structures, your final defense is backup integrity you have actually tested. Validate that your offsite copies restore cleanly and confirm your incident response plan accounts for both encryption and data exfiltration. If detection fails at the endpoint, recovery depends on backups the malware could not reach or corrupt.