Proton A.I CyberSecurity Scoring
Proton
Company Information
Website:https://proton.me/
Employees number:844
Number of followers:137,991
NAICS:513
Industry Type:Technology, Information and Internet
Homepage:proton.me
Proton Risk Score (AI oriented)
Between 700 and 749
ProtonTechnology, Information and Internet
Updated:
03/07/2026
03/07/2026
744/1000
Moderate
Ba
Proton Global Score (TPRM)
xxxx
ProtonTechnology, Information and Internet
Score locked

ProtonModerate
Current Score
744Ba (MODERATE)
01000
3 incidents
-19 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
744
JUNE 2026
744
MAY 2026
743
APRIL 2026
743
MARCH 2026
761
Cyber Attack
11 Mar 2026 • Proton
Sophos, CrowdStrike, Microsoft, Proton Drive, SentinelOne, Bitdefender, ESET and McAfee: New Avalon Malware Framework Packs CrownX Ransomware Capabilities
New Modular Malware Framework 'Avalon' Unveiled in Sophisticated Phishing Attack
742
CRITICAL-19
CROMICBITSOPSENPROESEMCA1783117511
New Modular Malware Framework "Avalon" Unveiled in Sophisticated Phishing Attack
Cybersecurity researchers have identified a previously unknown modular malware framework, Avalon, distributed via a multi-stage phishing campaign designed to evade traditional security controls. The framework integrates credential theft, lateral movement, remote access, recovery disruption, and ransomware execution with its ransomware component internally dubbed CrownX.
The attack begins with a spoofed legal document email directing recipients to a password-protected archive hosted on Proton Drive. Instead of attaching malicious files directly, attackers embedded them within an ISO image, reducing detection at the email layer. When a victim interacts with a document-themed Windows shortcut (Secure Document CA-283505.pdf.lnk) inside the mounted image, it triggers a sequence that deploys Avalon.
The shortcut executes an MSBuild project within the ISO, which loads an embedded .NET assembly to disable Event Tracing for Windows (ETW), obscuring forensic visibility. The malware then downloads a next-stage payload over HTTPS to deploy Avalon, which includes an extensive defense evasion subsystem targeting security tools from Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Elastic Endpoint, FortiEDR, ESET, McAfee, and Bitdefender.
Avalon’s capabilities include:
- Credential harvesting from Chromium-based browsers, Firefox, cryptocurrency wallets (MetaMask, Coinbase Wallet, Exodus, etc.), and apps like Discord, Slack, and Teams.
- Data exfiltration to a remote server (helloxcherry[.]com) and command polling for further instructions.
- Reconnaissance to prioritize high-value systems for lateral movement.
- Ransomware execution using Windows Cryptography API, encrypting files tied to business operations, software development, and virtual infrastructure.
- Recovery disruption by terminating the Volume Shadow Copy Service and deleting shadow copies.
- Anti-forensic measures, including direct disk manipulation to corrupt partition data or boot records.
Researchers note that CrownX represents only the final extortion stage by the time the ransom note appears, the framework has already stolen credentials, established C2 communications, and weakened recovery options. The malware also exhibits signs of AI-assisted development, suggesting lower barriers to entry for threat actors with limited technical expertise.
### AI-Driven Ransomware and Codeless Attacks Emerge
In related developments, Sysdig reported the first publicly documented agentic ransomware attack powered by a large language model (LLM). The threat actor, JADEPUFFER, exploited CVE-2025-3248 to gain access to an exposed Langflow instance, executing an automated campaign that adapted in real-time to pivot toward a production database server for extortion.
Separately, Palo Alto Networks Unit 42 uncovered an AI-powered malware combining a Telegram bot with a public LLM API (api.groq[.]com) to enable codeless attacks. The malware forwards system details to the attacker’s Telegram bot, then polls the API every five seconds to translate natural language instructions into shell commands eliminating the need for command-line expertise. The sample, uploaded to VirusTotal in March 2026, remains undetected by all engines.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
FEBRUARY 2026
761
JANUARY 2026
761
DECEMBER 2025
760
NOVEMBER 2025
760
OCTOBER 2025
760
SEPTEMBER 2025
760
AUGUST 2025
760
JULY 2024
775
Vulnerability
01 Jul 2024 • Proton
Proton
Proton Introduces End-to-End Encrypted Documents
758
LOW-17
PRO000070924
Proton, known for its privacy-centric services, has introduced a feature for creating, editing, and collaborating on end-to-end encrypted documents within its storage systems, challenging the practices of tech giants like Google and Microsoft. This innovation safeguards user data from third parties, including Proton, which cannot access the content of the files. The initiative enhances user privacy, directly confronting the data collection methodologies prevalent among leading cloud service providers. As a result, there have been no reported data leaks or negative consequences following the implementation of the encrypted document feature provided by Proton.
INCIDENT DETAILS -
TYPE
MOTIVATION
DATA BREACH
REFERENCES
JUNE 2018
775
Vulnerability
16 Jun 2018 • Proton
Proton
ProtonVPN Vulnerability Exposure
758
HIGH-17
PRO023301022
ProtonVPN were exposed to vulnerabilities that could have allowed hackers to execute arbitrary code with administrator privileges on computers running Windows.
The bugs, CVE-2018-395 were discovered by Cisco Talos security researchers which is similar to another security flaw discovered in March by security consulting firm VerSprite.
ProtonVPN had released patches to fix the original vulnerability.
It was still possible to execute code as an administrator albeit through a exploit.
The initial vulnerability was due to OpenVPN being able to select a malicious file when choosing a VPN configuration.
This could have given access to private information and hacking through arbitrary commands.
They use OpenVPN's open-source software to set up secure connections from one point to another.
Later versions of ProtonVPN have resolved this issue and users have been automatically prompted to update.
They have not seen any evidence of this being exploited in the wild, as a user's computer needs to first be compromised by a hacker before this bug can be exploited
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Proton ??
What was Proton's A.I Rankiteo Cyber Score in June 2026 ??
What was Proton's A.I Rankiteo Cyber Score in May 2026 ??
What was Proton's A.I Rankiteo Cyber Score in April 2026 ??
What was Proton's A.I Rankiteo Cyber Score in March 2026 ??
What was Proton's A.I Rankiteo Cyber Score in February 2026 ??
What was Proton's A.I Rankiteo Cyber Score in January 2026 ??
What was Proton's A.I Rankiteo Cyber Score in December 2025 ??
What was Proton's A.I Rankiteo Cyber Score in November 2025 ??
What was Proton's A.I Rankiteo Cyber Score in October 2025 ??
What was Proton's A.I Rankiteo Cyber Score in September 2025 ??
What was Proton's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Proton's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Proton ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Proton's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?