A new and sophisticated Windows malware packer, dubbed TangleCrypt, has emerged as a significant threat in recent ransomware attacks. Its primary objective is to bypass Endpoint Detection and Response (EDR) security solutions, a capability first observed in conjunction with the Qilin ransomware and the ABYSSWORKER kernel driver during a September 2025 incident. Threat actors are leveraging TangleCrypt to neutralize security measures before deploying destructive ransomware payloads on victim systems.
This advanced packer achieves its stealth through a multi-layered obfuscation process, employing a combination of encoding, compression, and encryption to conceal malicious code within seemingly legitimate executables. Security researchers at WithSecure Labs identified TangleCrypt during an incident response investigation, recovering packed executables that utilized both TangleCrypt and VMProtect, alongside a kernel driver designed to mimic a CrowdStrike Falcon Sensor driver. The embedded payload was identified as STONESTOP, an EDR-killing tool that utilizes the ABYSSWORKER driver to forcefully terminate security processes, thus creating an unhindered environment for the subsequent ransomware deployment.
Understanding TangleCrypt’s Evasion Techniques
TangleCrypt meticulously hides its malicious payloads through a series of deliberate obfuscation steps. The original executable is embedded within the Portable Executable (PE) resources, typically encoded using Base64, compressed with LZ78, and then further protected by XOR encryption. This layered approach is specifically designed to confound traditional signature-based and heuristic detection methods, making it exceptionally difficult for standard security software to identify the actual malware concealed within the packed file.
Further hindering analysis, TangleCrypt implements string encryption and dynamically resolves import functions. While these techniques are common among malware developers, the specific implementation within TangleCrypt is described as lacking highly advanced anti-analysis mechanisms. This relative simplicity allows experienced security analysts to manually unpack the malware, providing valuable insights into its inner workings, albeit after considerable effort.
Payload Execution Mechanism of TangleCrypt
The execution of the TangleCrypt payload is dictated by a configuration string appended to the embedded executable, which determines one of two distinct launch methods. The first method, identified by the string “exex64_amd64_block_”, is designed to decrypt and execute the payload directly within the memory space of the current process. This inline execution can sometimes be harder to trace as it doesn’t immediately spawn new processes.
In contrast, the second method, indicated by the string “exex64_amd64__riin”, adopts a more complex approach. It initiates the creation of a suspended child process. Then, prior to resuming the child process’s execution, the decrypted malicious payload is written into its memory. This technique allows the malware to run as a separate entity, potentially from a less suspicious parent process, adding another layer of obfuscation.
Upon initial execution, the TangleCrypt loader first extracts and decrypts a small numeric key from its resources, often a sequence of digits. This key is then used to XOR-decrypt a significantly larger payload, which is also stored within the PE resources of the packed file. The full unpacking sequence is: the Base64-encoded resource data is decoded, then LZ78-decompressed, then Base64-decoded a second time, and finally XOR-decrypted with the extracted key to reveal the original, unaltered executable.
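The four-stage unpacking sequence above, together with the two launch-method strings from the preceding paragraphs, as an added analyst-side example that is not code from the original report or from the malware itself. It assumes a textbook LZ78 token layout, assumes the digit string is used as a repeating XOR key, and assumes the launch-method string sits at the end of the unpacked data; the page specifies none of these details, and the sample resource is constructed inline.

```python
import base64
from itertools import cycle

# Assumed LZ78 token layout (the page does not give the variant): uint16 LE index + 1 literal byte.
def lz78_compress(data: bytes) -> bytes:
    """Textbook LZ78 encoder, used only to build the constructed sample."""
    dictionary, out, phrase = {b"": 0}, bytearray(), b""
    for b in data:
        candidate = phrase + bytes([b])
        if candidate in dictionary:
            phrase = candidate
            continue
        out += dictionary[phrase].to_bytes(2, "little") + bytes([b])
        dictionary[candidate] = len(dictionary)
        phrase = b""
    if phrase:  # flush a trailing phrase that matched the dictionary exactly
        out += dictionary[phrase].to_bytes(2, "little")
    return bytes(out)

def lz78_decompress(data: bytes) -> bytes:
    dictionary, out = [b""], bytearray()
    for i in range(0, len(data), 3):
        idx = int.from_bytes(data[i:i + 2], "little")
        if idx >= len(dictionary):
            raise ValueError(f"corrupt LZ78 stream: index {idx} at offset {i}")
        entry = dictionary[idx] + data[i + 2:i + 3]  # final token may carry no literal
        out += entry
        dictionary.append(entry)
    return bytes(out)

def xor_with_key(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def unpack_resource(blob: bytes, numeric_key: str) -> bytes:
    """Outer Base64 -> LZ78 -> inner Base64 -> XOR (assumes the digit string is the repeating key)."""
    inner = lz78_decompress(base64.b64decode(blob, validate=True))
    return xor_with_key(base64.b64decode(inner, validate=True), numeric_key.encode())

def pack_resource(payload: bytes, numeric_key: str) -> bytes:
    """Exact inverse of unpack_resource; only used to build the sample below."""
    inner = base64.b64encode(xor_with_key(payload, numeric_key.encode()))
    return base64.b64encode(lz78_compress(inner))

# Assumption: the launch-method string is the trailing bytes of the unpacked data.
LAUNCH_MODES = {b"exex64_amd64_block_": "inline", b"exex64_amd64__riin": "suspended child"}
def launch_mode(unpacked: bytes) -> str:
    return next((m for tag, m in LAUNCH_MODES.items() if unpacked.endswith(tag)), "unknown")

# Constructed sample (not real malware): a fake MZ stub tagged for the inline launch method.
SAMPLE_KEY = "4815162342"
SAMPLE_PAYLOAD = b"MZ\x90\x00constructed sample body\x00exex64_amd64_block_"
PACKED_SAMPLE = pack_resource(SAMPLE_PAYLOAD, SAMPLE_KEY)
```

Running `unpack_resource(PACKED_SAMPLE, SAMPLE_KEY)` returns `SAMPLE_PAYLOAD`, and `launch_mode` on that result reports `inline`; a corrupt LZ78 index raises `ValueError` rather than silently producing garbage.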
Once fully unpacked and ready for execution, the STONESTOP payload performs a crucial check for administrative privileges on the compromised system. If elevated rights are detected, it proceeds to register the ABYSSWORKER kernel driver, the key component in disabling defenses. STONESTOP then uses the driver to systematically terminate any running processes that match a predefined list of known security product names. By forcibly shutting down these critical security processes, the malware effectively blinds the system’s defenses, paving the way for the subsequent, unimpeded deployment of ransomware.
The ongoing development and utilization of sophisticated packers like TangleCrypt highlight the persistent cat-and-mouse game between cybercriminals and cybersecurity professionals. As EDR solutions become more robust, malware developers are compelled to innovate their evasion tactics. The next steps in observing TangleCrypt will likely involve tracking its broader adoption by various ransomware families and analyzing any potential updates or modifications to its evasion techniques. Organizations are advised to ensure their EDR solutions are up-to-date and to implement comprehensive security hygiene practices to mitigate the risk of such advanced threats.