Avalon: An AI-Assembled Ransomware Framework That Evades All Detections at Launch
Blackpoint Cyber researchers Nevan Beal and Sam Decker have disclosed Avalon, a previously undocumented modular malware framework that automates every phase of an attack — from phishing delivery to final ransomware encryption. When Avalon was first uploaded to VirusTotal on March 11, 2026, it achieved zero detections across all antivirus engines.
The framework includes CrownX ransomware as its final-stage payload and shows clear signs of AI-assisted development, demonstrating how AI tools are lowering the barrier for threat actors with limited technical expertise to deploy sophisticated, multi-stage attack chains.
Delivery Chain
Avalon is distributed through a carefully engineered multi-stage phishing chain designed to bypass traditional email and endpoint security controls at each step:
1. Spoofed legal document email sent to target
2. Email contains link to password-protected archive (hosted on Proton Drive)
3. Victim downloads and opens archive → reveals ISO image
4. ISO bypasses direct email attachment scanning
5. Victim mounts ISO, clicks Windows Shortcut (.lnk): "Secure Document CA-283505.pdf.lnk"
6. .lnk executes MSBuild project with embedded .NET assembly
7. ETW (Event Tracing for Windows) tampered to reduce forensic visibility
8. Next-stage payload downloaded over HTTPS
9. Avalon deploys — all subsequent stages executeEach step is designed to defeat a specific defensive layer:
- Proton Drive hosting — legitimate CDN, hard to block by domain
- Password-protected archive — bypasses email scanning
- ISO file — bypasses Mark of the Web (MotW) enforcement on extracted files
- MSBuild lolbin — trusted Windows binary used for execution
- ETW tampering — degrades forensic telemetry collection
Capabilities
Full Attack Lifecycle
| Phase | Capability |
|---|---|
| Initial Access | Phishing via spoofed legal document lure |
| Execution | MSBuild + embedded .NET assembly |
| Defense Evasion | ETW tampering, AV/EDR termination |
| Credential Access | Credential collection from compromised host |
| C2 Establishment | Encrypted HTTPS communications |
| Lateral Movement | Multiple lateral movement paths prepared |
| Impact | CrownX ransomware encryption + ransom note |
Targeted Security Products
Avalon's defense evasion module actively targets the following endpoint security tools:
- Microsoft Defender
- SentinelOne
- CrowdStrike
- Sophos
- Elastic Endpoint
- FortiEDR
- ESET
- McAfee
- Bitdefender
Recovery Disruption
Before deploying CrownX ransomware, Avalon weakens recovery options by disrupting:
- Volume Shadow Copies (VSS)
- Backup processes and agents
- System restore points
By the time the ransom note appears, all prior damage — credential theft, C2 establishment, lateral movement staging, and recovery disruption — has already been completed.
CrownX Ransomware
CrownX is the final extortion component of the Avalon framework. It represents the visible endpoint of what has already been a comprehensive compromise. Victims who see a CrownX ransom note have likely already had:
- Credentials exfiltrated
- Network reconnaissance completed
- Lateral movement positions established
- Backups and recovery options disabled
This "quiet breach first, noisy ransom last" pattern is consistent with modern ransomware-as-a-business operations and maximizes leverage during extortion negotiations.
AI-Assisted Development
Avalon shows structural characteristics consistent with AI-generated code assembly. The framework appears to have been constructed with minimal regard for operational security tradecraft — consistent with a threat actor using AI coding tools to compensate for limited manual expertise.
This represents a documented case of the democratization of advanced threat capabilities: attack chains that previously required significant technical skill can now be assembled by lower-sophistication actors using AI assistance.
Indicators of Compromise
| Type | Indicator |
|---|---|
| LNK filename | Secure Document CA-283505.pdf.lnk |
| Delivery platform | Proton Drive (legitimate CDN) |
| Execution mechanism | MSBuild.exe with embedded .NET assembly |
| C2 protocol | HTTPS (encrypted) |
A full IoC list is available in the Blackpoint Cyber original research report.
Detection Guidance
- Monitor MSBuild.exe for unusual child processes or network connections — it is rarely used for legitimate development on end-user workstations
- Alert on ETW provider disabling — a strong indicator of defense evasion activity
- Inspect ISO file mounts on endpoints — ISO delivery is increasingly used to bypass MotW enforcement
- Hunt for
Secure Document CA-283505.pdf.lnkor similar legal-document lure filenames - Block Proton Drive (drive.proton.me) if not required for business operations in your environment
Key Takeaways
- Zero detections at launch — Avalon evaded all antivirus engines on VirusTotal on March 11, 2026
- AI-assisted construction — lowers the bar for threat actors with limited technical skills
- Multi-stage phishing chain defeats email scanning, MotW enforcement, and EDR telemetry at each step
- CrownX ransomware is the final stage of an already-completed full compromise
- MSBuild lolbin + ETW tampering are key detection opportunities in the attack chain