AI Created the Modular Malware Framework Avalon: Hackers Have Started Playing with “Plug-in Architecture” Too
Security firm Blackpoint has exposed a modular malicious framework named Avalon, whose code bears clear signs of AI generation. The author appears not to be an experienced programmer, yet used generative AI to integrate multiple attack modules—including credential theft, backup destruction, and ransomware encryption—into a complete framework, marking a new "framework-based" stage in AI-assisted malware development.
AI Has Created the Modular Malware Framework Avalon: Hackers Are Starting to Play the "Plugin" Game Too
On July 7, security firm Blackpoint released a report that immediately put the entire threat intelligence community on edge: during a real-world incident response engagement, they captured a modular malware framework called Avalon. From coding style to architectural design, it carries the unmistakable fingerprints of generative AI everywhere. More troubling, this is not another small-scale “AI-written ransomware script” story — Avalon is a fully fledged framework capable of loading attack components on demand. Attackers can attach whatever functionality they need as modules, much like installing plugins in VSCode.
AI-assisted attacks have now entered the “frameworkization” stage, and that signal is more significant than any previous “AI writes malware” headline.
From “Script Kiddie” to “Framework Engineer,” Just One Large Model Away
Over the past two years, the security industry has seen countless AI-generated malicious samples, but frankly, most of them only reached the “it runs” level: a backdoor, an information-stealing script, a crude ransomware encryptor. Researchers could often identify them instantly from the “overly polished comments” and “textbook-style try-except blocks” — clearly homework written by ChatGPT.
Avalon is different.
In its report, Blackpoint’s analysts made an interesting observation: judging from the inconsistent code quality, naming conventions, and the somewhat “wishful-thinking” interface designs between modules, the author’s actual programming skills appear fairly limited, possibly not even experienced enough to independently build a medium-sized project. Yet this “half-skilled” developer still managed to chain together credential theft, backup destruction, lateral movement, ransomware encryption, and an entire attack lifecycle into a modular, extensible framework.
In other words, generative AI has now lowered the barrier to architectural design itself. In the past, a low-level hacker could at most tweak an open-source RAT. Now they can ask Claude or GPT to help design a plugin system, then feed modules to the AI one by one for implementation.
That is the part that is truly unsettling.
Breaking Down Avalon’s Attack Chain
Based on details disclosed by Blackpoint, Avalon’s operational flow roughly looks like this:
- Initial access: phishing emails or disguised installers — old tricks, but still effective
- Deployment: the Avalon core loader is implanted on the victim machine; it is very small and only handles communication and module orchestration
- Credential theft module loaded: steals browser-saved passwords, Windows credentials, and SSH keys
- Backup destruction module loaded: deletes shadow copies and destroys local/network backups, preparing the environment for ransomware
- CrownX ransomware module loaded: encrypts the file system and displays a ransom note
Pay attention to step 4 — actively destroying backups is the critical dividing line between ransomware that merely compromises a victim and ransomware that actually gets paid. Avalon turns this into an independent module, meaning attackers can flexibly enable or disable it based on the target environment: skip it for personal users, always load it for enterprises.
That is already a highly mature “productization” mindset.
Why the “AI Fingerprints” Matter
Blackpoint did not release the full sample code, but based on their description, several indicators likely informed their “AI-generated” assessment:
- Interfaces between modules are overly standardized: nearly identical entry function signatures, return value formats, and error code definitions across modules. Human programmers usually start cutting corners or improvising as projects evolve; AI does not
- Unusually dense and stylistically consistent comments: including classic AI placeholders such as
# TODO: optimize this later - Certain modules display obvious “AI thought patterns”: for example, the encryption module contained completely unnecessary key derivation logic, seemingly inserted because the AI “assumed” it was best practice
- Code quality fluctuates dramatically between modules: some resemble the work of senior engineers, others look like beginner intern code — highly consistent with modules generated from different prompts
Put together, the profile becomes clear: an attacker with limited programming knowledge repeatedly used prompt engineering to assemble a complete framework through a large language model.
What This Means for Enterprise Defense
The conclusion first: the bad news outweighs the good.
Bad news #1: the technical barrier for attackers is collapsing. Previously, building a modular RAT required at least a mid-level C/C++ engineer with some understanding of the Windows kernel. Now, anyone who can write prompts and debug runtime errors can assemble something like Avalon. Underground markets offering “AI-assisted custom malware” services will only grow.
Bad news #2: traditional detection methods based on YARA rules and static signatures will become increasingly ineffective. AI can generate slightly different module code for each attack, and signature databases cannot keep up. Blackpoint’s report also notes that multiple Avalon variants differ significantly in strings and function layouts while maintaining identical functionality.
Bad news #3: modularization allows attackers to iterate rapidly. If today’s credential theft module gets blocked by EDR, tomorrow they can generate a fresh version with a new prompt and redeploy it immediately. Defenders are no longer playing whack-a-mole — they are playing whack-a-mole against AI-generated moles at scale.
There is some good news as well:
- The “over-standardization” of AI-generated code is itself a detectable feature. Several EDR vendors have already started training classifiers specifically to identify “AI-style malicious code”
- Behavioral detection (at the EDR/XDR layer) remains effective — regardless of how the code changes, actions such as deleting shadow copies and mass file encryption are difficult to conceal
- Modular frameworks often exhibit recognizable C2 communication patterns, increasing the value of network-layer detection
My Assessment: This Is Only the Beginning
If 2024 was the first year of “AI-assisted malware writing,” and 2025 the first year of “AI-assisted vulnerability discovery,” then 2026 may very well become the first year of “AI-assisted attack frameworkization.”
Avalon will not be an isolated case. In the coming months, we will likely see:
- More malicious frameworks with “plugin marketplace” concepts, potentially even underground equivalents of “npm install”
- Agent capabilities abused maliciously — not merely having AI write code, but allowing AI to directly make decisions on victim machines: what files to target, whether to escalate privileges, where to move laterally
- Both attackers and defenders leveraging the same large models, eventually evolving into “red-team prompts vs blue-team prompts”
For developers and security professionals, one important shift worth watching is this: the ability to cost-effectively invoke multiple large models for code analysis, feature extraction, and sample clustering is becoming a baseline capability for security teams. This is why more and more blue-team toolchains are integrating AI API aggregation layers — the bias and hallucinations of a single model are simply too costly in security analysis scenarios. Aggregation services like OpenAI Hub, which allow one API key to access GPT, Claude, Gemini, and DeepSeek, can indeed simplify cross-validation workflows for malware samples, though that is ultimately a tooling choice and not central to the Avalon story itself.
The real concern is this: when “building a modular malware framework” shifts from “requiring a team working for several months” to “something one person can finish in a few weeks,” the entire cadence of threat intelligence response must be recalibrated. Blackpoint’s disclosure only lifted one corner of the curtain, and the “author” behind Avalon is likely already building v2 using the exact same methodology.
References
- ITHome: Security Firm Exposes Hackers Using AI to Build the Modular Malware Framework Avalon — Chinese-language first report on the Blackpoint findings, including details about Avalon’s attack chain and the CrownX ransomware module



