
Avalon Ships Its Own Ransomware and Outsources Its Brain to Groq. The Attacker Types English; a Public LLM Writes the Shell Commands.

  • Writer: Patrick Duggan

On July 1, Blackpoint Cyber researchers Nevan Beal and Sam Decker published a teardown of a malware framework they are calling Avalon, and it is the clearest example yet of the thesis we have been writing all week: the attacker's brain is now a rented API. Avalon is a full modular framework — credential theft, lateral movement, remote access, recovery disruption, and its own bundled ransomware component internally named CrownX. What makes it worth a post is not the feature list, which plenty of frameworks share. It is how the operator drives it. Each operator message is forwarded to a public large-language-model endpoint — api.groq[.]com/openai/v1/chat/completions — which translates the attacker's plain-English instruction into the equivalent shell command. Avalon then runs that command and pipes the result back through a Telegram bot. The human types what they want. A commercial LLM writes the command. That is the whole control plane.


We wrote almost exactly this shape three days ago about JADEPUFFER, Sysdig's first-documented AI-run ransomware operation, and two days ago about the ten-of-eleven AI coding agents that fell to shell tricks older than their users. Avalon is the same story from the offensive side: the LLM is not the sophistication, it is the convenience. Blackpoint's own read is that Avalon shows signs of AI-assisted development and assembles its components with, in their words, scant regard for sophisticated tradecraft or operational security — the kind of thing that would normally require real expertise to build, thrown together by someone leaning on automation to cover for the gaps. The tell is right there in the C2 design: a competent operator does not route their command generation through a third-party SaaS endpoint they do not control. Someone who cannot write the shell commands themselves does.


The delivery chain is old religion dressed in new cloth, and that is the point. It starts with a spoofed legal-document email pointing the target at a password-protected archive on Proton Drive — legitimate consumer file-sharing, chosen because it sails past email filters that would flag a raw attachment. Inside is an ISO image, not a direct attachment, because mounting an ISO sidesteps a whole layer of mark-of-the-web and attachment scanning. The ISO carries a document-themed Windows shortcut — Secure Document CA-283505.pdf.lnk — that launches an MSBuild project straight off the mounted image. An embedded .NET assembly disables Event Tracing for Windows, the telemetry layer most detection quietly depends on, and pulls the second stage over HTTPS. Every single one of those moves — Proton Drive, ISO wrapping, LNK-to-MSBuild, ETW patching — predates the LLM by years. The AI is bolted onto a delivery chain that would work fine without it.


Then CrownX runs. It encrypts business, development, engineering, and infrastructure data using the Windows Cryptography API, drops a ransom note with a countdown timer, and — the part that turns a bad day into a catastrophe — disables the Volume Shadow Copy Service and deletes existing shadow copies before an anti-forensic cleanup subsystem scrubs the evidence behind it. The defense-evasion subsystem is built to hide execution specifically from Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender — a named list, which tells you the authors did their homework on which EDR they expected to meet. The sample Blackpoint tied to the Groq-driven variant, hash d85a5c2cf466d01e17110ee39ca456b1be0b6514e669d0095d1f77c84a8d98c1, was uploaded to VirusTotal on March 11 and sat at zero detections across every engine. Zero. A framework that hides from nine EDR products by name and reads clean on the world's largest sample-sharing platform is not a hypothetical.


Here is the indicator you can act on today. The exfiltration and C2 traffic runs to helloxcherry[.]com — hunt your egress logs for it. And the durable detection is behavioral, not signature, because the signature story already lost once at zero-on-VirusTotal: watch for ISO-mounted LNK files launching MSBuild, for processes disabling ETW, for Volume Shadow Copy deletion, and — the tell that is unique to this class — outbound traffic to a public LLM inference endpoint like api.groq[.]com from a host that has no business talking to one. A developer's workstation calling an LLM API is noise. A file server in your finance segment suddenly holding a conversation with an inference endpoint is the command channel. That is the new hunt, and it is one almost nobody has a rule for yet.
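The egress hunt described above, as an added example that is not code from this post or from Blackpoint's report. The CSV log layout, the allowed subnet and the sample lines are assumptions constructed for illustration; only helloxcherry[.]com and api.groq[.]com come from the post.

```python
import csv
import io
import ipaddress

def normalize(host):
    """Lower-case, refang '[.]' and drop the trailing dot of an FQDN."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")

# Indicators as written in the post (defanged), normalized for matching.
C2_DOMAINS = {normalize("helloxcherry[.]com")}
# Only this inference endpoint is named in the post; extend for your estate.
LLM_ENDPOINTS = {normalize("api.groq[.]com")}
# ASSUMPTION: subnets where LLM API calls are expected (developer workstations).
LLM_ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample egress log: timestamp, source IP, destination host (SNI/DNS).
SAMPLE_LOG = """\
2025-01-01T09:00:01Z,10.20.4.17,api.groq.com
2025-01-01T09:00:05Z,10.50.1.8,API.GROQ.COM.
2025-01-01T09:00:09Z,10.50.1.8,cdn.helloxcherry.com
2025-01-01T09:00:12Z,10.50.1.9,nothelloxcherry.com
2025-01-01T09:00:15Z,10.20.4.17,example.org
"""

def matches(host, domains):
    """Exact or subdomain match; a bare suffix like 'nothelloxcherry.com' must not hit."""
    return any(host == d or host.endswith("." + d) for d in domains)

def hunt(log_text):
    """Return (timestamp, source, host, reason) for each suspicious egress record."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 3:
            continue  # malformed line
        ts, src, dest = row
        host = normalize(dest)
        try:
            ip = ipaddress.ip_address(src.strip())
        except ValueError:
            continue  # source field is not an IP address
        if matches(host, C2_DOMAINS):
            findings.append((ts, src, host, "known-c2-domain"))
        elif matches(host, LLM_ENDPOINTS) and not any(ip in n for n in LLM_ALLOWED_NETS):
            findings.append((ts, src, host, "llm-endpoint-from-unexpected-host"))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding, sep="  ")
```

The allowlist is the part that needs tuning: the developer subnet calling the inference endpoint is ignored, while the same destination from any other segment is reported.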


The reason we keep returning to this all week is that Avalon closes a loop we have been describing from three directions. JADEPUFFER proved an LLM can run the intrusion. The AI-coding-agent work proved LLMs can be steered by inputs older than the model. Avalon proves the offensive kit is now built to outsource its own decision-making to a rented brain, using a delivery chain assembled entirely from techniques that predate the technology. The lesson is not that AI made attackers smarter. It is that AI let less-capable attackers operate at a capability tier they could not previously reach, on top of the same negligence — unfiltered egress, unmonitored ETW, deletable shadow copies — that has always been the actual opening. Blackpoint did the primary work here; credit is theirs. What we will keep doing is telling you where the new C2 channel actually shows up in your traffic, because that is the part that turns their research into your detection.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.

