Current Cyber Threats

TangleCrypt: A Sophisticated But Buggy Malware Packer

Summary:
TangleCrypt is a previously undocumented Windows malware packer, designed to hide malicious payloads inside what appear to be benign executable files. TangleCrypt stores the original payload within PE resources, while the rest of the file is mostly the loader code itself. Researchers at WithSecure Labs who uncovered the technical details of TangleCrypt say this method is atypical for malware packers, which often insert completely irrelevant code and data to make the file harder to analyze.

To keep the original payload from being detected, TangleCrypt wraps it in multiple layers of encoding, compression, and encryption: first base64 encoding, then LZ78 compression, then XOR encryption. At runtime, the TangleCrypt loader peels these layers off in reverse order, decrypting, decompressing and decoding the payload before use.
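As an added illustration of the layer-peeling step (this is example code written for this summary, not WithSecure's tooling or the packer's own code), the Python below reverses the three layers in the order an analyst would when extracting a payload from a resource blob: XOR, then LZ78, then base64. The LZ78 token format (a 2-byte little-endian dictionary index followed by one literal byte), the repeating XOR key, and the sample payload are all assumptions constructed for the demonstration; the real packer's token layout and key handling are not described here. A Shannon-entropy helper is included because the outermost XOR layer is what pushes the blob's entropy above the limit that a bare base64 layer can reach, which is the property a resource-section triage check keys on.

```python
"""Layer-peeling helper modelled on the base64 -> LZ78 -> XOR scheme described above.

Example code for this summary; the LZ78 token format and the key are assumed.
"""
import base64
import math
import struct
from collections import Counter
from typing import List

# Assumed toy LZ78 token: <H little-endian dictionary index> <one literal byte>.
# Index 0 is the empty prefix. The real packer's format is not documented here.
TOKEN_SIZE = 3


def lz78_compress(data: bytes) -> bytes:
    """Forward LZ78 (used only to construct a labelled sample for testing)."""
    dictionary = {b"": 0}
    out = bytearray()
    w = b""
    for byte in data:
        c = bytes([byte])
        if w + c in dictionary:
            w += c
            continue
        out += struct.pack("<H", dictionary[w]) + c
        if len(dictionary) > 0xFFFF:
            raise ValueError("toy LZ78 dictionary exhausted (2-byte index)")
        dictionary[w + c] = len(dictionary)
        w = b""
    if w:
        # Flush the trailing prefix as (parent index, last byte).
        out += struct.pack("<H", dictionary[w[:-1]]) + w[-1:]
    return bytes(out)


def lz78_decompress(blob: bytes) -> bytes:
    """Inverse of lz78_compress; rejects truncated streams and bad indices."""
    if len(blob) % TOKEN_SIZE:
        raise ValueError("truncated LZ78 stream")
    dictionary: List[bytes] = [b""]
    out = bytearray()
    for off in range(0, len(blob), TOKEN_SIZE):
        idx = struct.unpack_from("<H", blob, off)[0]
        literal = blob[off + 2 : off + 3]
        if idx >= len(dictionary):
            raise ValueError(f"bad dictionary index {idx} at offset {off}")
        entry = dictionary[idx] + literal
        out += entry
        dictionary.append(entry)
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it serves both directions."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unpack_layers(blob: bytes, key: bytes) -> bytes:
    """Analyst view: strip XOR, then LZ78, then base64 to recover the payload."""
    decrypted = xor_bytes(blob, key)
    decompressed = lz78_decompress(decrypted)
    # validate=True rejects non-alphabet bytes, so a wrong key fails loudly
    # here or in lz78_decompress instead of yielding silent garbage.
    return base64.b64decode(decompressed, validate=True)


def build_sample(payload: bytes, key: bytes) -> bytes:
    """Construct a packed sample for the self-test (not a real packed file)."""
    return xor_bytes(lz78_compress(base64.b64encode(payload)), key)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; base64 text cannot exceed log2(65) ~ 6.02."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    # Constructed sample payload and key; both are placeholders.
    sample_payload = b"MZ" + b"\x90" * 32 + b"constructed sample payload " * 4
    sample_key = b"\x5a\xa5\x13"
    packed = build_sample(sample_payload, sample_key)
    print("packed bytes:", len(packed), "entropy:", round(shannon_entropy(packed), 2))
    print("recovered payload matches:", unpack_layers(packed, sample_key) == sample_payload)
```

The useful lesson is in the error handling: an unpacker that validates each layer (stream length, dictionary indices, base64 alphabet) tells the analyst immediately when the assumed key or token format is wrong, rather than handing back bytes that merely look decoded.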

TangleCrypt supports two methods for payload execution. The first decrypts and executes the payload within the same process's memory. The second creates a suspended child process and writes the decrypted payload into it. The method used is selected by a marker string appended to the embedded payload.

Researchers at WithSecure Labs uncovered TangleCrypt while responding to a Qilin ransomware attack in September 2025. During the investigation, they found executables protected by both TangleCrypt and VMProtect, alongside a kernel driver impersonating a CrowdStrike Falcon Sensor component. The embedded payload was STONESTOP, an EDR‑killer that leverages the ABYSSWORKER driver to shut down security processes before ransomware execution.

Security Officer Comments:
Malware packers like TangleCrypt are valuable to threat actors because they allow malicious payloads such as STONESTOP to execute while evading detection and analysis. According to researchers at WithSecure, TangleCrypt employs several anti-analysis techniques that hinder both static and dynamic analysis. String encryption obfuscates key strings and function references within the executable, so malicious behavior cannot be identified simply by reading the code. The packer also uses dynamic import resolution, loading the functions and libraries it needs only at runtime, which makes it difficult for analysts to map the full scope of the malware's actions without executing it in a controlled environment.

Suggested Corrections:
Organizations should prioritize endpoint detection and response solutions that rely on behavioral analysis and in-memory scanning, as these can catch threats that traditional file-based methods miss. Enforcing least-privilege access policies limits the ability of a TangleCrypt-delivered payload to load malicious drivers like ABYSSWORKER. Furthermore, regularly updating software, segmenting networks, and maintaining strong backups help prevent lateral movement and reduce the impact of infections.

Link(s):
https://labs.withsecure.com/publications/tanglecrypt