216.73.216.67

Vibe Coded Extortion: Path from Legal Lure to CrownX Ransom Capabilities

· Published 02/07/2026 22:59

Export JSON

Essential information

Published
02/07/2026 22:59
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
ai-assisted development avalon credential theft crownx defense evasion lateral movement phishing ransomware
Related entities
9 indicators, 2 observables, 20 techniques (mitre), 2 malware

Description

A sophisticated multi-stage campaign delivers a previously undocumented framework called Avalon through spoofed legal documents hosted on Proton Drive. The intrusion begins with password-protected archives containing ISO images that execute malicious MSBuild projects, loading payloads entirely in memory without conventional executable attachments. Avalon consolidates , , recovery disruption, and capabilities within a single framework, with its encryption component branded as CrownX. The framework demonstrates hallmarks of AI-assisted development, rapidly combining multiple post-exploitation capabilities that previously required sustained development effort. Avalon targets browsers, cryptocurrency wallets, messaging platforms, VPN configurations, and infrastructure systems while implementing extensive techniques against major security products. The framework disrupts recovery by eliminating Volume Shadow Copies, Windows Recovery Environment...

External references