Hackers Use FUD Crypt for Microsoft-Signed Malware with

David Kimber
April 20, 2026

A newly identified malware-as-a-service (MaaS) platform, FUD Crypt, now enables cybercriminals to effortlessly generate sophisticated Windows malware without writing any code.

The platform, operating from fudcrypt.net, accepts any Windows executable uploaded by a subscriber and returns a fully packaged, polymorphic deployment bundle.

For monthly fees ranging from $800 to $2,000, subscribers receive malware carrying Microsoft-signed certificates, automatic persistence, and a live command-and-control (C2) channel, all configured before the attacker issues a single instruction.

What makes FUD Crypt especially alarming is how sharply it lowers the barrier to serious attacks.

Any criminal with a budget could upload a remote access tool or information stealer and receive back a polished, multi-stage package designed to slip past antivirus engines, Windows Defender, and endpoint detection and response (EDR) solutions.

The platform offered three tiers. The Starter plan at $800 per month covered basic carriers like ProtonVPN and Zoom.

The Pro plan at $1,500 expanded to Discord and OneDrive with anti-VM checks. The Enterprise plan at $2,000 unlocked all 20 carrier profiles, full UAC bypass, and automatic Defender disablement.

Ctrl-Alt-Intel analysts recovered the full server infrastructure and identified the complete operational picture, revealing 200 registered users, 334 confirmed builds, and 2,093 fleet commands issued across 32 compromised machines over a 38-day window.

Critically, researchers found that the platform operator enrolled in Microsoft’s own Azure Trusted Signing service, passed identity verification using real-world identities, and used it to produce Microsoft-rooted Authenticode signatures on malware binaries.

Fudcrypt Main Page (Source - Ctrl-Alt-Intel)

Four signing accounts were cycled in just six weeks, with a replacement always staged before the previous one expired.

The most trust-breaking aspect of this campaign involves how signed binaries appear to security tools and end users.

When inspected, the certificate chain reads as “Microsoft Identity Verification Root CA,” meaning Windows SmartScreen raises no alarm, and a user manually checking the signature sees exactly what they would see on a legitimate Microsoft binary.

All four Azure Trusted Signing accounts were reported to Microsoft MSRC prior to publication.

DLL Sideloading and the Kill Chain

The infection mechanism at the heart of FUD Crypt relies on DLL sideloading, where a malicious DLL is placed alongside a legitimate application so it loads automatically when that application runs.

The platform supports 20 carrier profiles spanning popular software including Zoom, ProtonVPN, Slack, Visual Studio Code, OneDrive, CCleaner, and a profile using WindowsDF.exe, a renamed Windows Defender wrapper that loads mpclient.dll, the same library Defender uses for its scan engine.

Task Manager would show what appears to be Windows Defender loading a Defender component, while the malicious payload executes underneath.

Once the DLL fires, a layered defense evasion stack runs before the payload is handled.

It uses two independent methods to disable the Windows Antimalware Scan Interface (AMSI): one through a direct memory patch that forces AmsiScanBuffer to return an error immediately, and another using CPU hardware breakpoints with a vectored exception handler that intercepts execution without touching amsi.dll directly.

Event Tracing for Windows (ETW) is silenced with a single-byte patch, cutting off user-mode telemetry. The process then masquerades as explorer.exe by rewriting fields in the Process Environment Block before fetching the encrypted payload from Dropbox, with Catbox.moe as a fallback.

Persistence is wired in automatically on every connection. The C2 server at mstelemetrycloud.com, deliberately named to resemble Microsoft infrastructure, pushes a WindowsUpdateSvc registry run key pointing to the agent binary the moment a machine first connects.

Enterprise builds additionally register a scheduled task named MicrosoftEdgeUpdateCore set to run at the highest privilege on every logon, mimicking a legitimate Edge update service.

Security teams should monitor for unusual DLL sideloading from software directories, registry run key entries referencing mstelemetry.exe, scheduled tasks named MicrosoftEdgeUpdateCore, and outbound WebSocket connections to mstelemetrycloud.com.

Behavioral monitoring that tracks memory protection changes and process masquerading offers the strongest detection opportunity, since hash-based detection is bypassed by the platform’s per-build polymorphic triple-layer encryption.
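As an added example (editor's code, not Ctrl-Alt-Intel's analysis tooling or anything from the platform), the following Python pass applies the four indicators listed above to constructed Sysmon-style events. Field names follow Sysmon's schema (EventID 1 process create, 3 network connect, 7 image load, 13 registry value set); the expected on-disk locations for mpclient.dll and the version.dll watchlist entry are assumptions, and every sample event is constructed, not captured telemetry.

```python
"""Toy detection pass for the FUD Crypt indicators listed above.

Added example (editor's code, not from Ctrl-Alt-Intel or the article).
Events are constructed dicts that mimic Sysmon fields: EventID 1 = process
create, 3 = network connect, 7 = image load, 13 = registry value set.
"""
import ntpath
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]

# Indicators taken from the article.
IOC_C2_HOST = "mstelemetrycloud.com"
IOC_RUN_VALUE = "windowsupdatesvc"
IOC_AGENT_EXE = "mstelemetry.exe"
IOC_TASK_NAME = "microsoftedgeupdatecore"

# DLL names worth watching, mapped to the directories they legitimately load
# from (lower-case path prefixes). mpclient.dll is the Defender library named
# in the article; its expected paths and the version.dll entry are assumptions.
EXPECTED_DLL_DIRS = {
    "mpclient.dll": (r"c:\program files\windows defender",
                     r"c:\programdata\microsoft\windows defender\platform"),
    "version.dll": (r"c:\windows\system32", r"c:\windows\syswow64"),
}


def check_sideload(ev: Event) -> Optional[str]:
    """Flag a watched DLL loading from outside its expected directory."""
    if ev.get("EventID") != 7:
        return None
    dll = str(ev.get("ImageLoaded", "")).lower()
    expected = EXPECTED_DLL_DIRS.get(ntpath.basename(dll))
    if expected and not ntpath.dirname(dll).startswith(expected):
        return f"possible DLL sideload: {ev.get('Image')} loaded {ev.get('ImageLoaded')}"
    return None


def check_run_key(ev: Event) -> Optional[str]:
    """Flag the WindowsUpdateSvc run value or any run value pointing at the agent."""
    if ev.get("EventID") != 13:
        return None
    target = str(ev.get("TargetObject", "")).lower()
    details = str(ev.get("Details", "")).lower()
    if "\\currentversion\\run\\" not in target:
        return None
    if target.endswith("\\" + IOC_RUN_VALUE) or IOC_AGENT_EXE in details:
        return f"persistence run key: {ev.get('TargetObject')} -> {ev.get('Details')}"
    return None


def check_sched_task(ev: Event) -> Optional[str]:
    """Flag creation of the MicrosoftEdgeUpdateCore task via schtasks."""
    if ev.get("EventID") != 1:
        return None
    cmd = str(ev.get("CommandLine", "")).lower()
    if "schtasks" in cmd and IOC_TASK_NAME in cmd:
        return f"persistence task: {ev.get('CommandLine')}"
    return None


def check_c2(ev: Event) -> Optional[str]:
    """Flag any outbound connection to the C2 hostname."""
    if ev.get("EventID") != 3:
        return None
    if str(ev.get("DestinationHostname", "")).lower() == IOC_C2_HOST:
        return f"C2 beacon: {ev.get('Image')} -> {ev.get('DestinationHostname')}"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    check_sideload, check_run_key, check_sched_task, check_c2,
]


def scan(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Run every rule over every event; return (event index, rule name, message)."""
    findings: List[Tuple[int, str, str]] = []
    for i, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((i, rule.__name__, hit))
    return findings


# Constructed sample telemetry (not real captures). Each suspicious event is
# paired with a benign look-alike to show the rules do not fire on it.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Roaming\WinDF\WindowsDF.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\WinDF\mpclient.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\MpClient.dll"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Roaming\WinDF\WindowsDF.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateSvc",
     "Details": r"C:\Users\u\AppData\Roaming\WinDF\mstelemetry.exe"},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /Create /TN MicrosoftEdgeUpdateCore /SC ONLOGON /RL HIGHEST"},
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Roaming\WinDF\mstelemetry.exe",
     "DestinationHostname": "mstelemetrycloud.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "DestinationHostname": "wdcp.microsoft.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, rule, msg in scan(SAMPLE_EVENTS):
        print(f"[{rule}] event {idx}: {msg}")
```

The sideload rule is the only one that survives a rebuild of the platform: hostnames, task names and run-key values are cheap to change, whereas a Defender library loading from a user-writable directory is a behaviour the carrier technique cannot avoid. It also illustrates why the signature check described above cannot be the sole control: every binary in the constructed chain would carry a Microsoft-rooted Authenticode signature, so the rules key on where and how the code runs rather than on who signed it.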
