Cybersecurity researchers have uncovered Avalon, a previously undocumented modular malware framework delivered through a multi-stage phishing chain built to slip past traditional security controls. Avalon bundles credential harvesting, lateral movement, remote access, disruption of system recovery, and an internal ransomware component, CrownX. The attack typically opens with spoofed legal-document emails that lure recipients to password-protected archives hosted on Proton Drive; the archives contain ISO images carrying malicious LNK files.
When a victim opens one of these LNK files, it kicks off a staged malware sequence: an MSBuild project tampers with Event Tracing for Windows (ETW) to reduce forensic visibility, then downloads and launches Avalon. The framework carries an extensive defense-evasion subsystem aimed at major security products, including Microsoft Defender, SentinelOne, and CrowdStrike. Its capabilities span harvesting credentials and sensitive data from numerous browsers and cryptocurrency wallets, performing reconnaissance, exfiltrating data to helloxcherry[.]com, encrypting files with CrownX, inhibiting system recovery, and running anti-forensic cleanup to complicate incident response. Notably, Avalon shows signs of AI-assisted development, underscoring how AI lowers the barrier to entry for malware creation.
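The delivery chain above (LNK inside a mounted ISO, then MSBuild.exe executing a bundled project file) is something a detection engineer can hunt for in process-creation telemetry without needing any Avalon-specific indicator. The script below is an added example written for this summary, not code from the researchers or from the malware: it walks Sysmon Event ID 1 style records and flags MSBuild.exe launches that were started by an interactive or script parent rather than an IDE or SDK, or whose project file sits on an ISO-mounted volume or in a user-writable drop location. The events, paths, parent lists and directory patterns are constructed assumptions for illustration; the set of ISO-mounted drive letters is passed in by the analyst because a Sysmon process event does not carry it.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One Sysmon Event ID 1 (process creation) record, reduced to the fields used here."""
    pid: int
    ppid: int
    image: str     # Sysmon 'Image'
    cmdline: str   # Sysmon 'CommandLine'

# Parents that legitimately launch MSBuild.exe (IDE, SDK, build server). Assumed list; tune per environment.
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
# Parents that mean a user double-clicked something (an LNK in a mounted ISO lands here) or a script ran it.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Drop locations typical for phishing-delivered files. Assumed patterns.
SUSPICIOUS_DIRS = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\|\\programdata\\", re.I)
PROJECT_FILE = re.compile(r"\.(proj|csproj|vbproj|targets|xml)$", re.I)
_ARG = re.compile(r'"([^"]*)"|(\S+)')

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def split_args(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _ARG.findall(cmdline)]

def project_file(cmdline: str) -> str | None:
    """Return the first non-switch argument that looks like an MSBuild project/targets file."""
    for arg in split_args(cmdline)[1:]:
        if not arg.startswith(("/", "-")) and PROJECT_FILE.search(arg):
            return arg
    return None

def triage(events: list[ProcEvent], iso_volumes=frozenset()) -> dict[int, list[str]]:
    """Flag MSBuild.exe launches that fit the phishing chain; returns {pid: [reasons]}.
    iso_volumes: drive letters such as {"E:"} the analyst knows were mounted from ISO images."""
    by_pid = {e.pid: e for e in events}
    iso = {v.upper() for v in iso_volumes}
    findings: dict[int, list[str]] = {}
    for e in events:
        if basename(e.image) != "msbuild.exe":
            continue
        reasons = []
        parent = by_pid.get(e.ppid)
        if parent is not None:
            pname = basename(parent.image)
            if pname in INTERACTIVE_PARENTS:
                reasons.append(f"launched by interactive/script parent {pname}")
            elif pname not in BUILD_PARENTS:
                reasons.append(f"launched by unexpected parent {pname}")
        proj = project_file(e.cmdline)
        if proj:
            if proj[:2].upper() in iso:
                reasons.append(f"project file {proj} is on ISO-mounted volume {proj[:2].upper()}")
            if SUSPICIOUS_DIRS.search(proj):
                reasons.append(f"project file {proj} is in a user-writable drop location")
        if reasons:
            findings[e.pid] = reasons
    return findings

# Constructed sample telemetry, not real events. MSBuild path is the stock .NET Framework 4.x one.
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    ProcEvent(800, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # LNK inside the mounted ISO (E:) runs cmd, which runs MSBuild on the bundled project file
    ProcEvent(1200, 800, r"C:\Windows\System32\cmd.exe", rf'cmd.exe /c "{MSBUILD}" E:\Notice.proj'),
    ProcEvent(1300, 1200, MSBUILD, rf'"{MSBUILD}" E:\Notice.proj'),
    # an ordinary IDE build, which must not be flagged
    ProcEvent(2000, 800, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe", "devenv.exe"),
    ProcEvent(2100, 2000, MSBUILD, rf'"{MSBUILD}" C:\src\app\app.csproj /t:Build'),
    # project file dropped into %TEMP% and started straight from Explorer
    ProcEvent(3000, 800, MSBUILD, rf'"{MSBUILD}" C:\Users\alice\AppData\Local\Temp\Invoice.xml'),
]

def demo() -> dict[int, list[str]]:
    return triage(SAMPLE_EVENTS, iso_volumes={"E:"})

if __name__ == "__main__":
    for pid, reasons in demo().items():
        print(pid, *reasons, sep="\n  ")
```

The parent check alone already separates a double-clicked project from an IDE build; the volume and drop-location checks add the corroborating context an analyst wants before escalating. In production this logic belongs in the EDR or SIEM query layer, with the ISO-mount drive letters joined in from mount telemetry rather than passed by hand.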
This discovery coincides with other significant findings in the AI threat landscape. Sysdig detailed JADEPUFFER, the first publicly documented agentic ransomware infection driven by a Large Language Model (LLM) from start to finish, adapting its actions in real time. Separately, a piece of AI-assisted malware was found that pairs a Telegram bot with a public LLM API (api.groq[.]com) to translate natural-language instructions into shell commands, enabling "codeless attacks." Together these trends show AI making sophisticated cyber threats more accessible and challenging traditional assessments of threat actor capability.