Dissecting FudCrypt: A Real-World Malware Crypting Service Analysis
Essential information
- Published: 22/04/2026 14:45
- Modified: 22/04/2026 15:31
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: amsi-bypass azure-trusted-signing cmstplua-uac-bypass cryptor-as-a-service dll-sideloading etw-patching fudcrypt screenconnect
- Tags: 2026-04-22 amsi bypass azure-trusted-signing cmstplua-uac-bypass cryptor-as-a-service dll sideloading etw-patching fudcrypt screenconnect
- Related entities: 200 indicators, 198 observables, 11 others
Description
FudCrypt is a Cryptor-as-a-Service platform offering subscription-based malware obfuscation for $800 to $2,000 monthly. The service wraps customer payloads in multi-stage deployment packages featuring DLL sideloading, AMSI and ETW interference, silent UAC elevation via CMSTPLUA, and Windows Defender tampering through Group Policy. Analysis of recovered server infrastructure revealed 200 registered users, 334 builds, and comprehensive fleet C2 command history across 32 enrolled agents. The operator maintains a separate signing infrastructure using four Azure Trusted Signing accounts to sign operator-controlled binaries including fleet agents, native loaders, and ScreenConnect installers. The platform employs 20 undocumented DLL sideload carrier profiles, per-build polymorphic encryption with layered XOR-32, RC4-16, and custom S-box transforms, and an advanced development branch featuring indirect syscalls, module stomping, fiber-based execution, and Ekko sleep obfuscation. Server infrastructure included exp...