A newly discovered Windows malware packer named TangleCrypt has emerged as a serious threat in ransomware attacks, specifically designed to evade endpoint detection and response (EDR) solutions.
The packer was first observed during a September 2025 ransomware incident involving Qilin ransomware, where threat actors deployed it alongside the ABYSSWORKER driver to disable security tools before encrypting victim systems.
TangleCrypt works by hiding malicious payloads through multiple layers of encoding, compression, and encryption. The original executable is stored within PE resources using base64 encoding, LZ78 compression, and XOR encryption.
This multi-layer approach makes it difficult for traditional security tools to detect the actual malware hidden inside the packed executable.
WithSecure Labs security researchers identified the malware during an incident response investigation, recovering artifacts including two executables packed with TangleCrypt and VMProtect, along with a kernel driver masquerading as a CrowdStrike Falcon Sensor driver.
The payload embedded in these executables was identified as STONESTOP, an EDR-killer tool that uses the ABYSSWORKER driver to forcibly terminate security processes running on the system.
The packer employs string encryption and dynamic import resolving to hinder both static and dynamic analysis.
Although malware authors commonly use these techniques, the TangleCrypt implementation lacks advanced anti-analysis mechanisms, making manual unpacking relatively straightforward for experienced analysts.
Payload Execution Mechanism
TangleCrypt supports two distinct methods for launching its payload, determined by a configuration string appended to the embedded executable.
The first method, identified by the string “exex64_amd64_block_”, decrypts and executes the payload within the same process memory.
The second method, marked with “exex64_amd64__riin”, creates a suspended child process and writes the decrypted payload into it before resuming execution.
When executed, the loader first decrypts a small resource entry containing a numeric key, such as “175438”. This key is then used to XOR-decrypt the larger payload stored in the PE resources.
The decryption process follows a specific sequence where a base64-encoded string is decoded, then LZ78 decompressed, decoded again from base64, and finally XOR-decrypted to reveal the original executable.
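As an added illustration, not code from the article or from WithSecure's analysis, the following Python models the four-step unpacking sequence just described, with a packer written as its inverse so the round trip can be checked on a constructed sample. The LZ78 token framing and the way the numeric key is applied (as repeating ASCII bytes) are assumptions made for the demonstration; the page does not document the real samples at that level of detail.

```python
import base64
import struct

# Assumed token framing for the LZ78 layer: a 4-byte big-endian dictionary index
# followed by one literal byte. Index 0 refers to the empty phrase.
TOKEN = struct.Struct(">IB")


def lz78_compress(data: bytes) -> bytes:
    """Classic LZ78: emit (longest_known_prefix_index, next_byte) pairs."""
    dictionary = {b"": 0}
    out = bytearray()
    current = b""
    for byte in data:
        candidate = current + bytes([byte])
        if candidate in dictionary:
            current = candidate
            continue
        out += TOKEN.pack(dictionary[current], byte)
        dictionary[candidate] = len(dictionary)
        current = b""
    if current:
        # Input ended inside a known phrase: emit it as (its prefix, last byte).
        out += TOKEN.pack(dictionary[current[:-1]], current[-1])
    return bytes(out)


def lz78_decompress(data: bytes) -> bytes:
    """Rebuild the phrase dictionary while emitting each token's phrase."""
    dictionary = [b""]
    out = bytearray()
    for offset in range(0, len(data), TOKEN.size):
        index, byte = TOKEN.unpack(data[offset:offset + TOKEN.size])
        phrase = dictionary[index] + bytes([byte])
        out += phrase
        dictionary.append(phrase)
    return bytes(out)


def xor_numeric_key(data: bytes, key: str) -> bytes:
    # Assumption: the numeric key (e.g. "175438") is applied as a repeating byte string.
    kb = key.encode("ascii")
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data))


def pack(payload: bytes, key: str) -> bytes:
    """Inverse of the unpack order: XOR -> base64 -> LZ78 -> base64."""
    return base64.b64encode(lz78_compress(base64.b64encode(xor_numeric_key(payload, key))))


def unpack(blob: bytes, key: str) -> bytes:
    """Order described in the article: base64 -> LZ78 -> base64 -> XOR."""
    return xor_numeric_key(base64.b64decode(lz78_decompress(base64.b64decode(blob))), key)
```

Run `unpack` over the resource bytes and confirm the output begins with the `MZ` header to verify the key and layer order before going further with analysis.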
Upon successful unpacking, the STONESTOP payload checks for administrative privileges and registers the ABYSSWORKER driver if elevated rights are present.
The driver then terminates processes matching a predefined list of security product names, effectively blinding the system’s defenses before ransomware deployment begins.