
Vibe Coded Extortion: Path from Legal Lure to CrownX Ransom Capabilities

0
Medium
Published: 07/02/2026 (07/02/2026, 20:59:12 UTC)
Source: AlienVault OTX General

Description

Avalon is a sophisticated multi-stage phishing malware framework delivered via spoofed legal documents hosted on Proton Drive. It uses password-protected archives with ISO images that execute malicious MSBuild projects, loading payloads entirely in memory without traditional executables. Avalon integrates credential theft, lateral movement, recovery disruption, and ransomware functions, with its ransomware component named CrownX. The framework targets browsers, cryptocurrency wallets, messaging platforms, VPN configurations, and infrastructure systems, employing advanced defense evasion techniques. It disrupts recovery by deleting Volume Shadow Copies and Windows Recovery Environment components. The campaign demonstrates AI-assisted development, rapidly combining multiple post-exploitation capabilities. No known exploits in the wild or patches are currently documented.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/03/2026, 07:21:39 UTC

Technical Analysis

This threat involves a multi-stage phishing campaign delivering the Avalon framework through password-protected archives containing ISO images that execute malicious MSBuild projects in memory. Avalon consolidates multiple malicious capabilities including credential theft, lateral movement, recovery disruption, and ransomware (CrownX) within a single framework. It targets a broad range of assets such as browsers, cryptocurrency wallets, messaging platforms, VPN configurations, and infrastructure systems. The framework uses extensive defense evasion techniques to avoid detection by major security products and disrupts system recovery by removing Volume Shadow Copies and Windows Recovery Environment components. The development of Avalon shows signs of AI-assisted rapid integration of complex post-exploitation features. There is no vendor patch or official remediation available, and no known exploits in the wild have been reported.

Potential Impact

Avalon enables attackers to steal credentials, move laterally within networks, disrupt system recovery mechanisms, and deploy ransomware that encrypts data using its CrownX component. The disruption of recovery features like Volume Shadow Copies and Windows Recovery Environment increases the difficulty of restoring affected systems without backups. The framework's defense evasion capabilities reduce the likelihood of detection by security products, increasing the potential impact of successful intrusions. The targeting of browsers, cryptocurrency wallets, messaging platforms, VPNs, and infrastructure systems indicates a broad attack surface with potential for significant operational and financial damage.

Mitigation Recommendations

No official patch or remediation is currently available for this threat. Organizations should be aware of the phishing campaign vector involving spoofed legal documents hosted on Proton Drive and password-protected archives containing ISO images. Defensive measures should focus on user awareness training to recognize phishing attempts, restricting execution of MSBuild projects from untrusted sources, and monitoring for indicators of compromise such as the provided file hashes and domains. Since the payload executes entirely in memory, endpoint detection and response solutions with memory analysis capabilities may help detect activity. Regular backups and offline storage of critical data remain essential to recovery in case of ransomware infection.


Technical Details

Author: AlienVault
TLP: white
References: https://blackpointcyber.com/blog/avalons-path-from-legal-lure-to-crownx-ransom-capabilities/
Adversary: null
Pulse Id: 6a46d120d41fcc87a8a52932
Threat Score: null

Indicators of Compromise

Hash (value; no descriptions provided in the pulse)

c3587edc48c37656b29bcd3da9458eea
4b7301f02b8312ae6de614981f325dbbabee32166630618fdff74615d9a487ba
59a260716d05c20229c6a46fe0a2fb5b80fa30c9c73a850222d9d3454426a60a
607cb58b8a592885eef5cfbe35ddce962741b0775c575f58cb3a96ca0ee893a6
adbc18f15019ef2ba6890b7996445c14350d57ba772eb33182889bc14ac47085
b7d50d0406afcd2efd87bf3bf8c4211719ba9817dd2e0ad62af10c933e765e28
c725815cbb07ab5be8903e74ef8aea46ef9c25e4a3bc626ae94bfc1ae21df6e3
e3ec5926a167d6e3359f98cdfb7ac3b2cce97652843056505d02e6d2898573c6

URL (value; no description provided in the pulse)

https://helloxcherry.com/cdn/static/c3587edc48c37656b29bcd3da9458eea/update

Domain (value; no description provided in the pulse)

helloxcherry.com

Threat ID: 6a475f7e27e9c7971933af2b

Added to database: 07/03/2026, 07:06:38 UTC

Last enriched: 07/03/2026, 07:21:39 UTC

Last updated: 07/03/2026, 09:02:27 UTC
