FUDCrypt Generates Microsoft-Signed Malware With Persistence and C2
Key Takeaways FUDCrypt is a sophisticated Malware-as-a-Service (MaaS) platform that allows threat actors to generate highly evasive Windows malware without coding. The malware produced by FUDCrypt...
Key Takeaways
- FUDCrypt is a sophisticated Malware-as-a-Service (MaaS) platform that allows threat actors to generate highly evasive Windows malware without coding.
- The malware produced by FUDCrypt leverages Microsoft-signed certificates, enabling it to bypass Windows SmartScreen and appear legitimate to both security tools and end-users.
- FUDCrypt employs DLL sideloading, advanced defense evasion techniques (including AMSI and ETW disablement), and robust persistence mechanisms to maintain control over compromised systems.
- The platform has been actively used, with researchers identifying 200 registered users, 334 builds, and 2,093 commands executed across 32 compromised machines within a 38-day period.
FUDCrypt: A New Era of Microsoft-Signed Malware Generation
A new Malware-as-a-Service (MaaS) platform, dubbed FUDCrypt, has emerged, significantly lowering the barrier for cybercriminals to deploy highly advanced and evasive Windows malware. Operating from fudcrypt.net, this platform enables malicious actors to transform any uploaded Windows executable into a fully polymorphic, multi-stage deployment package, complete with Microsoft-signed certificates, automatic persistence, and an integrated command-and-control (C2) channel.
Table Of Content
The service offers various subscription tiers, ranging from $800 to $2,000 per month, providing subscribers with malware that effectively evades detection by antivirus software, Windows Defender, and Endpoint Detection and Response (EDR) solutions. This capability dramatically democratizes access to sophisticated attack tooling, allowing criminals with minimal technical expertise but sufficient budget to execute serious cyberattacks.
Operational Insights and Microsoft’s Unwitting Role
Analysts at Ctrl-Alt-Intel successfully infiltrated and mapped the complete server infrastructure of FUDCrypt. Their findings revealed a significant operational footprint, including 200 registered users, 334 confirmed malware builds, and 2,093 fleet commands issued to 32 distinct compromised machines over a 38-day observation period.
A particularly concerning discovery was the platform operator’s enrollment in Microsoft’s Azure Trusted Signing service. By passing identity verification using real-world credentials, the operator was able to generate Microsoft-rooted Authenticode signatures for their malicious binaries. This allowed the malware to appear as legitimately signed software, with the certificate chain displaying “Microsoft Identity Verification Root CA.” Consequently, Windows SmartScreen would not flag the binaries, and manual signature checks would present the same verification as a genuine Microsoft application. Researchers noted that four distinct signing accounts were cycled within a six-week period, with new accounts provisioned before existing ones expired, indicating a deliberate strategy to maintain signing capabilities. All four compromised Azure Trusted Signing accounts have since been reported to Microsoft MSRC.

Malware Delivery and Evasion Techniques
FUDCrypt’s infection chain primarily leverages DLL sideloading. This technique involves placing a malicious Dynamic Link Library (DLL) in the same directory as a legitimate application. When the legitimate application executes, it inadvertently loads the malicious DLL. The platform supports 20 “carrier profiles,” which include popular software like Zoom, ProtonVPN, Slack, Visual Studio Code, OneDrive, and CCleaner. A notable profile utilizes WindowsDF.exe, a renamed Windows Defender wrapper designed to load mpclient.dll—the same library used by Defender’s scan engine. This allows the malicious payload to execute under the guise of a legitimate Windows Defender process, making it extremely difficult to detect.
Once the malicious DLL is loaded, FUDCrypt deploys a multi-layered defense evasion stack. This includes two independent methods to disable the Windows Antimalware Scan Interface (AMSI): a direct memory patch forcing AmsiScanBuffer to return an error, and the use of CPU hardware breakpoints with a vectored exception handler to intercept execution without directly modifying amsi.dll. Event Tracing for Windows (ETW) is also silenced through a single-byte patch, cutting off user-mode telemetry. The process then further obfuscates its activity by masquerading as explorer.exe, rewriting fields in the Process Environment Block, before retrieving its encrypted payload from Dropbox, with Catbox.moe serving as a fallback.
Persistence and Command-and-Control
Persistence is automatically established upon the initial connection to the C2 server, which is deceptively named mstelemetrycloud.com to mimic legitimate Microsoft infrastructure. The C2 server pushes a WindowsUpdateSvc registry run key that points to the agent binary, ensuring the malware restarts with every system reboot. For “Enterprise” tier builds, an additional scheduled task named MicrosoftEdgeUpdateCore is registered to run with the highest privileges on every logon, further blending into legitimate system activities.
What You Should Do
- Monitor for Anomalous DLL Sideloading: Implement robust monitoring for unusual DLL loads from standard software directories, especially for applications like Zoom, ProtonVPN, Slack, Visual Studio Code, OneDrive, and CCleaner.
- Inspect Registry Run Keys and Scheduled Tasks: Regularly audit registry run key entries for suspicious executables, particularly those referencing
mstelemetry.exe. Look for scheduled tasks namedMicrosoftEdgeUpdateCoreor similar names that appear to mimic legitimate system services but have unusual configurations or paths. - Detect Outbound C2 Communications: Monitor network traffic for outbound WebSocket connections to known FUDCrypt C2 domains like
mstelemetrycloud.com. - Enhance Behavioral Monitoring: Focus on behavioral detection capabilities that can identify memory protection changes, process masquerading (e.g., processes attempting to appear as
explorer.exe), and attempts to disable security features like AMSI and ETW. Since FUDCrypt uses polymorphic encryption, hash-based detection is less effective. - Review Certificate Trust: While Microsoft-signed, organizations should maintain a heightened awareness of executables, even those with seemingly legitimate signatures, if their origin or behavior is suspicious.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.