Ransomware operators keep refining their camouflage. A new report from WithSecure's STINGR Group documents "TangleCrypt," a previously undocumented malware packer found during the investigation of a recent Qilin ransomware attack. While the packer uses a layered encoding scheme to hide "EDR killers," the analysts also identified several implementation flaws in its loader that can cause the packed payload to crash.
The discovery stems from an incident in early September 2025, where investigators recovered artifacts used to blind defensive systems before encryption began. The packer was used to conceal STONESTOP, a specialized executable designed to forcefully terminate security software.
According to the analysis, “The packer was found on two executables used in a recent ransomware attack and their payloads were both identified as an EDR killer known as STONESTOP that leverages the malicious ABYSSWORKER driver.”
The STONESTOP payload works by loading a malicious kernel driver, ABYSSWORKER, that masquerades as a legitimate component. In this specific campaign, the driver was found "masquerading as a CrowdStrike Falcon Sensor driver." Once the driver is active, the malware "contains a list of executable names and uses the driver to terminate all running processes matching an item in this list."
TangleCrypt earns its name through a multi-layered approach to obfuscation. Rather than appending the payload to the end of the file as an overlay, TangleCrypt embeds it inside the file's resource section.
WithSecure researchers detailed the obfuscation chain: “The payload is stored inside the PE Resources via multiple layers of base64 encoding, LZ78 compression and XOR encryption.”
One of the packer's more distinctive features is its flexibility. It lets the attacker choose how the payload is launched via a configuration string stored alongside the embedded payload. "The loader supports two methods of launching the payload: in the same process or in a child process." Researchers confirmed that "the chosen method is defined by a string appended to the embedded payload," so the operator can toggle between the two launch methods without rebuilding the loader.
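To make the chain concrete, here is an added illustration in Python that models the wrapping the report describes (payload in a resource, LZ78 compression, XOR, several base64 layers, and a launch-mode string appended to the embedded payload) from both the packer's and the loader's side. This is not code from WithSecure's report or from TangleCrypt itself: the layer order, the LZ78 token format, the XOR key, the marker strings and the sample payload are all constructed assumptions, chosen only so that the round trip can be run and inspected.

```python
"""Constructed model of a TangleCrypt-style layered payload wrapper.

Added illustration only: this is not WithSecure's tooling and not the packer's
real format. The layer order (LZ78 -> XOR -> base64 x N), the LZ78 token
encoding, the XOR key and the launch-mode marker strings are all assumptions.
"""
import base64
import binascii
import struct

XOR_KEY = b"\x5a\xa5\x3c"                 # assumed key, not the real one
LAUNCH_MARKERS = (b"|SAME", b"|CHILD")    # assumed markers for the two launch methods

# Constructed stand-in for an EDR-killer payload: a fake MZ header plus a kill list.
SAMPLE_PAYLOAD = (
    b"MZ" + b"\x00" * 14
    + b"kill-list:edr-a.exe;edr-b.exe;edr-c.exe;edr-a.exe\x00"
)


def lz78_compress(data: bytes) -> bytes:
    """Textbook LZ78. Tokens are (dictionary index, next byte) packed as <HB;
    a leading flag byte says whether a trailing index-only token follows."""
    dictionary = {b"": 0}
    tokens = bytearray()
    w = b""
    for c in data:
        wc = w + bytes([c])
        if wc in dictionary:
            w = wc
            continue
        tokens += struct.pack("<HB", dictionary[w], c)
        dictionary[wc] = len(dictionary)
        if len(dictionary) > 0xFFFF:
            raise ValueError("input too large for 16-bit dictionary indices")
        w = b""
    tail = struct.pack("<H", dictionary[w]) if w else b""
    return bytes([1 if w else 0]) + bytes(tokens) + tail


def lz78_decompress(blob: bytes) -> bytes:
    """Inverse of lz78_compress; rebuilds the phrase dictionary while decoding."""
    has_tail, body = blob[0], blob[1:]
    if has_tail:
        body, tail = body[:-2], body[-2:]
    if len(body) % 3:
        raise ValueError("truncated LZ78 token stream")
    phrases = [b""]
    out = bytearray()
    for i in range(0, len(body), 3):
        idx, c = struct.unpack_from("<HB", body, i)
        phrase = phrases[idx] + bytes([c])
        phrases.append(phrase)
        out += phrase
    if has_tail:
        out += phrases[struct.unpack("<H", tail)[0]]
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used both to 'encrypt' and to undo it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_payload(payload: bytes, marker: bytes, b64_layers: int = 2) -> bytes:
    """Build the resource blob: LZ78 -> XOR -> repeated base64, then the
    launch-mode marker appended in the clear (assumed layout)."""
    if marker not in LAUNCH_MARKERS:
        raise ValueError("unknown launch marker")
    blob = xor_bytes(lz78_compress(payload), XOR_KEY)
    for _ in range(b64_layers):
        blob = base64.b64encode(blob)
    return blob + marker


def peel_base64(blob: bytes):
    """Analyst helper: strip base64 layers until the data stops being valid
    base64. Heuristic, because binary data can by chance be valid base64."""
    layers = 0
    while blob:
        try:
            blob = base64.b64decode(blob, validate=True)
        except binascii.Error:
            break
        layers += 1
    return blob, layers


def unpack_resource(resource: bytes):
    """What a loader (or an unpacker script) has to do: read the marker, strip it,
    peel the base64 layers, undo the XOR, decompress."""
    for marker in LAUNCH_MARKERS:
        if resource.endswith(marker):
            break
    else:
        raise ValueError("no launch-mode marker: launch method undefined")
    blob, layers = peel_base64(resource[:-len(marker)])
    payload = lz78_decompress(xor_bytes(blob, XOR_KEY))
    return payload, marker, layers


if __name__ == "__main__":
    resource = pack_payload(SAMPLE_PAYLOAD, b"|CHILD")
    payload, marker, layers = unpack_resource(resource)
    print(f"{layers} base64 layers, mode {marker!r}, payload intact: {payload == SAMPLE_PAYLOAD}")
```

Two details are worth noting when writing an unpacker for a format like this. The marker characters were chosen outside the base64 alphabet so the trailing string can be split off unambiguously; a real sample may not be so tidy and the marker may have to be located by reading the loader's parsing code. And peeling base64 by "decode until it fails" is a triage heuristic, not a guarantee: the loader itself knows the exact layer count, and the unpacker should be checked against it.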
Despite these advanced stealth features, TangleCrypt appears to be a work in progress. The analysis reveals that the malware developers made critical errors in re-implementing standard Windows functions, leading to instability.
“Although the packer has an overall interesting design, we identified several flaws in the loader implementation that may cause the payload to crash or show other unexpected behaviour.”
One notable glitch involves how the loader handles administrative privileges. If executed without the necessary permissions, the packer fails to initialise certain environment variables correctly, and the packed executable can crash. "Inconsistencies found in its loader implementation can cause certain packed executables to behave unexpectedly, which may explain why TangleCrypt is not widely observed in the wild."
The discovery of TangleCrypt serves as a case study in the uneven quality of tooling in the cybercriminal underground. While the packing design is reasonable, the implementation betrays a lack of rigorous testing.
“However, this also highlights varying capabilities of malware development: rapid development, limited testing and general carelessness can introduce bugs that ultimately reduce its effectiveness.”
For defenders, the emergence of TangleCrypt reinforces the need to look beyond known file signatures. “As EDR killers and their supporting infrastructure continue to evolve, defenders must anticipate not only sophisticated techniques, but also fast-moving, imperfect implementations that may appear in real attacks.”