A previously undocumented multi-stage malware framework, tracked as Avalon, embeds a ransomware component internally labeled CrownX and specifically targets recovery and backup systems.
By placing malicious content inside an ISO image rather than attaching an executable directly, the actor avoided email-layer scanning and social-engineered victims into mounting a seemingly legitimate “Secure Document” package.
A document‑themed shortcut (.lnk) inside the mounted ISO launched a staged MSBuild project (zfighv.tmp) which used CodeTaskFactory to compile inline C# and reconstruct an encrypted managed downloader entirely in memory, avoiding disk‑backed artifacts and conventional detection.
The managed downloader disabled telemetry and inspection pathways before fetching the next stage over HTTPS: it resolved ETW and AMSI entry points and prepared short return stubs to force success. It installed a permissive certificate validation callback and sent requests with a browser‑like User‑Agent plus a custom X‑Edge‑Cache header to distinguish campaign traffic.
The response contained an encrypted PE plus a 32‑byte HMAC‑SHA256 tag; the loader validated and decrypted the payload using an offset‑based HMAC keystream, then manually mapped the PE into the MSBuild process memory.
Manual mapping reproduced relocation, import resolution, exception registration, and Control Flow Guard setup so the final native x64 implant executed without a separate file on disk.
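The ISO to shortcut to cmd.exe to MSBuild.exe chain described above leaves a distinctive process-creation trail. The following detection logic is an added example written for this article, not Blackpoint's detection content; the Sysmon-style event fields, the command lines and the benign Visual Studio build used as a negative case are constructed, with file names taken from the IoC table below.

```python
# Added example: flag MSBuild launched from a shell with a non-project file from %TEMP%.
import re
from pathlib import PureWindowsPath

BUILD_EXTS = {".proj", ".csproj", ".vbproj", ".fsproj", ".sln", ".targets", ".props"}
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "wscript.exe", "cscript.exe"}

# Constructed Sysmon Event ID 1-style records (hypothetical command lines, not real telemetry).
EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmd": r'cmd.exe /c copy "E:\Mimecast Secure File Logs\zfighv.tmp" "%TEMP%\ngen0cc9.dat"'},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "cmd": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\ngen0cc9.dat"},
    {"pid": 4, "ppid": 3, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "cmd": r'csc.exe /noconfig /fullpaths @"C:\Users\u\AppData\Local\Temp\rwb4k1ux.cmdline"'},
    {"pid": 5, "ppid": 0, "image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "cmd": "devenv.exe"},
    {"pid": 6, "ppid": 5, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "cmd": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
]

def _name(path):
    return PureWindowsPath(path).name.lower()

def _project_arg(cmd):
    """First non-switch argument after the executable, i.e. the project file MSBuild loads."""
    for tok in re.findall(r'"[^"]*"|\S+', cmd)[1:]:
        tok = tok.strip('"')
        if not tok.startswith(("/", "-")):
            return tok
    return None

def detect_msbuild_chain(events):
    """Return [(pid, reason)] for suspicious MSBuild launches and the compilers they spawn."""
    by_pid = {e["pid"]: e for e in events}
    findings, flagged = [], set()
    for e in events:
        if _name(e["image"]) != "msbuild.exe":
            continue
        reasons, proj = [], _project_arg(e["cmd"])
        if proj and PureWindowsPath(proj).suffix.lower() not in BUILD_EXTS:
            reasons.append("non-build project extension " + PureWindowsPath(proj).suffix)
        if proj and "\\temp\\" in proj.lower():
            reasons.append("project loaded from a Temp directory")
        parent = by_pid.get(e["ppid"])
        if parent and _name(parent["image"]) in SHELL_PARENTS:
            reasons.append("launched from " + _name(parent["image"]))
        if reasons:
            flagged.add(e["pid"])
            findings.append((e["pid"], "; ".join(reasons)))
    # csc.exe under a normal build is expected; only correlate it with an already flagged MSBuild parent.
    for e in events:
        if _name(e["image"]) in {"csc.exe", "vbc.exe"} and e["ppid"] in flagged:
            findings.append((e["pid"], "inline-task compile (CodeTaskFactory) under flagged MSBuild"))
    return findings
```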
The intrusion chain began with a spoofed legal-document email that directed recipients to a password‑protected archive hosted on Proton Drive.
Blackpoint’s Adversary Pursuit Group (APG) identified a malware framework, now tracked as Avalon, delivered through a multi-stage phishing chain.
The recovered implant self‑identified as Avalon and served as a central orchestration layer: credential harvesting, persistence, lateral movement, telemetry reduction, and final‑stage extortion were all integrated.
CrownX Ransomware Attack
Collection routines copied browser and wallet databases (Chromium/Firefox Login Data, Cookies; MetaMask, Ledger Live, Electrum, Coinbase paths), extracted DPAPI material via CryptUnprotectData, and harvested VPN, SSH, RDP, Wi‑Fi, and Windows Credential Manager artifacts.
Inside the archive was an ISO image named Secure_Document_CA-283505_pdf.iso. Mounting the image exposed a shortcut named Secure Document CA-283505.pdf.lnk.

A local credential validation module used LogonUserW and local SAM enumeration with built‑in password lists to convert weak credentials into usable access.
C2 communications used WinHTTP POSTs to /api/v2/tasking on helloxcherry[.]com, with form fields separating LSASS, SAM, and general exfiltration payloads.
Avalon prioritized high‑value targets for lateral propagation (domain controllers, backup platforms, and virtualization infrastructure), searching for strings associated with Veeam, Acronis, NetApp, Synology, vCenter, Hyper‑V and Exchange.

Remote staging used administrative shares and trusted Microsoft utilities (MSBuild.exe, csc.exe, InstallUtil.exe) to compile or load .NET components on remote hosts. Execution options included scheduled tasks, remote service launches, and PsExec‑style methods.
The ransomware module, CrownX, implemented robust cryptography and recovery disruption. CrownX used BCrypt APIs with AES‑GCM for authenticated encryption, file mapping for efficient processing, and transaction‑aware APIs for controlled file operations.
It targeted a broad set of formats including VM images, databases, source files, engineering CAD files, and creative projects while appending structured metadata (nonce, auth tag, segment info) to enable decryption if keys were supplied.
CrownX also attempted multiple methods to display ransom notes and included countdown timers to pressure payment.
Critically, Avalon attacked recovery mechanisms: it stopped VSS, deleted shadow copies via COM, modified registry recovery settings, and targeted WinRE images and restore configuration.
An anti‑forensic subsystem purged Prefetch, AmCache, SRUM, ShimCache, Jump Lists, PowerShell history, USN journal and other investigator artifacts.
The framework even contained a direct physical‑drive write capability capable of corrupting partition or boot structures, extending impact beyond encryption into potential disk‑level destruction.
Avalon demonstrates an operational consolidation: credential theft, persistence, lateral movement and extortion unified in one recovered payload, lowering defenders’ window for disruption.
Indicators of Compromise (IoCs)
| Type | Indicator | Context |
|---|---|---|
| ISO image | Secure_Document_CA-283505_pdf.iso | Mounted image containing the fake PDF shortcut and MSBuild project. |
| Shortcut | Secure Document CA-283505.pdf.lnk | Fake PDF shortcut launched cmd.exe and used a Microsoft Edge icon. |
| MSBuild project | Mimecast Secure File Logs\zfighv.tmp | Malicious MSBuild XML project copied from the ISO. |
| Decoy file | Mimecast Secure File Logs\verification.txt | Decoy text file in the ISO. |
| Decoy file | Mimecast Secure File Logs\manifest.xml | Decoy XML file in the ISO. |
| Temporary project path | %TEMP%\ngen0cc9.dat | Temporary copy of the MSBuild project executed by MSBuild.exe. |
| Staging domain | helloxcherry[.]com | Remote staging domain contacted by the managed loader. |
| Staging URL | hxxps://helloxcherry[.]com/cdn/static/c3587edc48c37656b29bcd3da9458eea/update | Encrypted remote object retrieved by the managed loader. URL was unavailable during later sandbox testing. |
| HTTP header | X-Edge-Cache: e3ec5926a167d6e3359f98cdfb7ac3b2cce97652843056505d02e6d2898573c6 | Custom header sent by the managed loader during remote stage retrieval. |
| User agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 | User agent sent by the managed loader. |
| Encrypted file extension | .8hn2yc | Extension associated with CrownX encrypted files. |
| Cryptocurrency address | bc1qq9tx6p99jpqcj9p6nr3mwc3f9q3sxmj45l4anz | Bitcoin address embedded in the ransom note. |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
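The network indicators in the table (staging domain, the /api/v2/tasking C2 path from the C2 section above, the X-Edge-Cache header and the User-Agent) can be matched against proxy or EDR network records after re-fanging them. This is an added example, not Blackpoint's tooling; the JSON-lines record format, its field names and the three sample records are constructed.

```python
# Added example: re-fang the published indicators and score constructed proxy records.
import json
from urllib.parse import urlsplit

# Indicators exactly as published (defanged) in the table above.
DEFANGED = {
    "staging_domain": "helloxcherry[.]com",
    "tasking_path": "/api/v2/tasking",
    "header": "X-Edge-Cache",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
}

def refang(value):
    """Restore the resolvable form (hxxp -> http, [.] -> .) for comparison with raw logs."""
    value = "http" + value[4:] if value.startswith("hxxp") else value
    return value.replace("[.]", ".").replace("[:]", ":")

# Constructed JSON-lines proxy records; field names are an assumption, not a real product format.
PROXY_LOG = """\
{"ts":"t1","proc":"MSBuild.exe","method":"GET","url":"https://helloxcherry.com/cdn/static/c3587edc48c37656b29bcd3da9458eea/update","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36","hdrs":{"X-Edge-Cache":"e3ec5926a167d6e3359f98cdfb7ac3b2cce97652843056505d02e6d2898573c6"}}
{"ts":"t2","proc":"MSBuild.exe","method":"POST","url":"https://helloxcherry.com/api/v2/tasking","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36","hdrs":{}}
{"ts":"t3","proc":"chrome.exe","method":"GET","url":"https://cdn.example.com/api/v2/status","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36","hdrs":{}}
"""

def score_record(rec):
    """Return (score, reasons) for one record; a score of 3 or more is worth an alert."""
    parts = urlsplit(rec["url"])
    host, domain = parts.hostname or "", refang(DEFANGED["staging_domain"])
    score, reasons = 0, []
    def hit(points, why):
        nonlocal score
        score += points
        reasons.append(why)
    if host == domain or host.endswith("." + domain):
        hit(3, f"host {host} is the staging domain")
    if parts.path == DEFANGED["tasking_path"]:
        hit(2, "C2 tasking path " + parts.path)
    if DEFANGED["header"].lower() in {h.lower() for h in rec.get("hdrs", {})}:
        hit(2, "custom X-Edge-Cache header")
    # Real Chrome UAs continue past AppleWebKit/537.36; an exact match on the truncated string is a signal.
    if rec.get("ua") == DEFANGED["user_agent"]:
        hit(1, "truncated browser-like User-Agent")
    if rec.get("proc", "").lower() in {"msbuild.exe", "csc.exe", "installutil.exe"}:
        hit(1, rec["proc"] + " making HTTPS requests")
    return score, reasons

def scan(log_text):
    """Parse JSON lines and return (ts, score, reasons) for records scoring 3 or more."""
    hits = ((r["ts"], *score_record(r)) for r in map(json.loads, log_text.splitlines()))
    return [h for h in hits if h[1] >= 3]
```

Weights are illustrative; a single hit on the staging domain alone already crosses the alert threshold, while the header, User-Agent and process signals only corroborate.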
