preloader

· security ransomware malware backup business-continuity phishing digital-security devops enterprise

Avalon Malware Framework Deliberately Disables Backups Before Deploying CrownX Ransomware

Source: The Hacker News / GBHackers / Rescana

Security researchers have documented a previously unseen modular malware framework named Avalon that combines credential theft, lateral movement, remote access, and a ransomware payload internally called CrownX into a single toolkit. What distinguishes Avalon from the routine flow of new ransomware families is what it goes after first: not files, but the backup and recovery infrastructure that organisations rely on to survive a ransomware attack at all.

A phishing chain built to slip past every layer

The intrusion begins with a spoofed legal-document email directing the recipient to a password-protected archive hosted on Proton Drive. Rather than attaching malicious content directly, the payload is embedded inside an ISO image, a choice that specifically avoids the scanning most email security gateways apply to conventional attachments. Mounting the ISO reveals a document-themed Windows shortcut; activating it launches an MSBuild project that loads an embedded .NET assembly, tampers with ETW to blind forensic logging, and pulls the next stage down over HTTPS. Every step in that chain was chosen to defeat a specific layer of defence rather than to look convincing to a human.

Evasion built for the entire commercial EDR market

Avalon incorporates dedicated evasion routines for Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender, essentially the full roster of commercial endpoint protection products in enterprise use today. Researchers note signs of AI-assisted development in how the framework was assembled, which would explain both the unusually broad evasion coverage and the comparatively sloppy operational security in other parts of the toolkit.

The part that should change how you think about backups

Before triggering CrownX, Avalon actively searches for and prioritises domain controllers, backup platforms, and virtualisation infrastructure, specifically hunting for strings tied to Veeam, Acronis, NetApp, Synology, vCenter, and Hyper-V, alongside Exchange. Once found, it stops the Volume Shadow Copy service, deletes shadow copies via COM, alters registry recovery settings, and targets Windows Recovery Environment images and restore configuration. Only after recovery paths are disabled does the ransomware component execute.

That sequencing is deliberate and it inverts the standard assumption behind most ransomware defence planning: “we have backups” is not a sufficient answer if the backup platform itself is the first thing an attacker disables. Credential harvesting from browsers, cryptocurrency wallets, VPN clients, SSH, RDP sessions, and Windows Credential Manager feeds the lateral movement stage, which relies on trusted, already-installed administrative tools like MSBuild.exe, csc.exe, and InstallUtil.exe rather than attacker-supplied binaries that endpoint tools are tuned to catch.

The compliance angle European organisations cannot ignore

This attack pattern maps directly onto what NIS2 already expects: not merely having a backup policy on paper, but demonstrating that recovery actually works when the primary environment, and the systems meant to restore it, are compromised simultaneously. Immutable, offline, or air-gapped backup copies that an attacker with domain admin cannot reach or delete are no longer a best practice extra; they are the baseline that separates a contained incident from a total loss.

If your organisation needs to review backup immutability, close the gap between EDR coverage and this specific evasion set, or pressure-test your incident response plan against an attacker that goes after recovery infrastructure first, contact Excello Digital. We help organisations validate that their backups will actually be there when they need them.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!