Dissecting FudCrypt: A Real-World Malware Crypting Service Analysis
ID: d6f01f11-a2cc-50a3-a00c-d48d7889efe8
STIX ID: report--d6f01f11-a2cc-50a3-a00c-d48d7889efe8
Feed Name: Ctrl-Alt-Int3l
This report documents the forensic recovery and technical analysis of "FUD Crypt", a commercial Malware-as-a-Service platform that compiled and distributed Microsoft-signed Windows malware by abusing Azure Trusted Signing. The analysis details the build pipeline, per-build polymorphic packing, dual AMSI bypass methods and ETW tampering, silent UAC elevation via CMSTPLUA with PEB masquerade, and advanced EDR evasion techniques (module stomping, indirect syscalls, fiber/callback execution, Ekko sleep). It also covers persistence and WebSocket C2 at mstelemetrycloud.com, operational telemetry (200 users in the database, 334 builds, 32 fleet machines), and extensive IOCs (signed artifacts, domains, IPs, registry and process indicators) for detection and mitigation.
