Avalon modular malware framework with CrownX ransomware
Malware Activity
Summary
Hide ▲
Show ▼
The Avalon malware framework was uncovered after a multi-stage phishing chain that can bypass traditional security controls and deliver credential theft plus ransomware execution on compromised Windows hosts. Its extortion component, CrownX, adds file encryption and recovery disruption. The framework also uses anti-forensic methods and C2 polling to make detection and response harder.
Related Happenings
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
H score57
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
Reynolds ransomware BYOVD defense-evasion activity
Malware Activity
H score31
First: 10.02.2026 16:36
Last: 10.02.2026 16:36
Sources 1
About this happening:
The **Reynolds** ransomware family now matters because it bundles a **vulnerable NsecSoft NSecKrnl driver** inside the payload to disable **EDR** and terminate security processes...
Reynolds ransomware BYOVD defense-evasion activity
Malware ActivityAbout this happening: The **Reynolds** ransomware family now matters because it bundles a **vulnerable NsecSoft NSecKrnl driver** inside the payload to disable **EDR** and terminate security processes...
Timeline
-
03.07.2026 21:55 2 articles · 6d ago
Researchers uncover Avalon modular malware framework with CrownX ransomware
Initial DisclosureResearchers disclosed Avalon, a previously undocumented modular malware framework delivered through a spoofed legal document email, a password-protected archive on Proton Drive, an ISO image, and a Windows Shortcut that launches MSBuild to deploy payloads. The framework combines credential collection, lateral movement, remote access, recovery disruption, ETW interference, anti-forensic cleanup, and ransomware execution through CrownX, with the final extortion stage encrypting business, software development, engineering, data storage, and virtual infrastructure files while threatening ransom increases over time.
Show sources
- New Avalon Malware Framework Packs CrownX Ransomware Capabilities — thehackernews.com — 03.07.2026 21:55
- New Avalon Malware Framework Packs CrownX Ransomware Capabilities — thehackernews.com — 03.07.2026 21:55