Vibe Coded Extortion: Path from Legal Lure to CrownX Ransom Capabilities
Essential information
- Published
- 02/07/2026 22:59
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- ai-assisted development avalon credential theft crownx defense evasion lateral movement phishing ransomware
- Related entities
- 9 indicators, 2 observables, 20 techniques (mitre), 2 malware
Description
A sophisticated multi-stage phishing campaign delivers a previously undocumented framework called Avalon through spoofed legal documents hosted on Proton Drive. The intrusion begins with password-protected archives containing ISO images that execute malicious MSBuild projects, loading payloads entirely in memory without conventional executable attachments. Avalon consolidates credential theft, lateral movement, recovery disruption, and ransomware capabilities within a single framework, with its encryption component branded as CrownX. The framework demonstrates hallmarks of AI-assisted development, rapidly combining multiple post-exploitation capabilities that previously required sustained development effort. Avalon targets browsers, cryptocurrency wallets, messaging platforms, VPN configurations, and infrastructure systems while implementing extensive defense evasion techniques against major security products. The framework disrupts recovery by eliminating Volume Shadow Copies, Windows Recovery Environment...