TangleCrypt Windows Packer: Evading EDR with ABYSSWORKER Driver and Ransomware Payloads

Quick Takeaways

1. TangleCrypt is a newly discovered Windows malware packer designed to evade detection, used in ransomware attacks like Qilin, employing multi-layer encoding, compression, and encryption to hide malicious payloads.

2. It conceals its executables through base64 encoding, LZ78 compression, and XOR encryption; this multi-layer approach complicates detection and analysis by traditional security tools.

3. The malware supports two payload execution methods—either decrypting and running within the current process or creating a suspended process, then injecting the payload—both controlled by a configuration string.

4. TangleCrypt employs string encryption and dynamic import resolving to hinder analysis, but lacks advanced anti-analysis features, allowing experienced analysts to manually unpack it, with payloads like STONESTOP aiming to disable security tools before ransomware deployment.

What’s the Problem?

In September 2025, a new Windows malware packer called TangleCrypt was discovered during a ransomware attack involving the Qilin ransomware. Threat actors used TangleCrypt alongside the ABYSSWORKER driver, which disables security tools, thereby facilitating system encryption. TangleCrypt operates by layering encoding, compression, and encryption to hide malicious payloads, making detection challenging for traditional security tools. Security researchers from WithSecure Labs identified the malware during an incident response, uncovering executables packed with TangleCrypt and a kernel driver disguised as a legitimate security sensor. The embedded payload, known as STONESTOP, functions as an EDR-killer, forcibly terminating security processes via the ABYSSWORKER driver and thereby undermining defenses before encrypting victim systems.

The malware employs string encryption and dynamic import resolution techniques, which complicate analysis but are not highly sophisticated, allowing skilled analysts to manually unpack the malware. TangleCrypt has two execution methods—one decrypts and runs the payload within the same process, while the other creates a suspended child process, injects the payload, and resumes it. The decryption sequence involves base64 decoding, LZ78 decompression, and XOR cryptography, revealing the original executable. Once active, the payload checks for administrative rights, registers the driver, and terminates security processes, effectively disabling defenses prior to ransomware deployment. This incident and analysis were reported by WithSecure Labs, highlighting the evolving tactics used by threat actors to evade detection and facilitate malicious activities.

Security Implications

The issue titled “TangleCrypt Windows Packer with Ransomware Payloads Evades EDR Using ABYSSWORKER Driver” poses a serious threat to any business’s cybersecurity. When attackers deploy this method, they can encode malicious ransomware payloads so well that traditional Endpoint Detection and Response (EDR) systems fail to spot them. As a result, the malware often slips into your network undetected, potentially encrypting critical data and disrupting operations. This can lead to significant financial loss, reputational damage, and operational downtime. Moreover, because the ABYSSWORKER driver helps the malware hide within the system, responding to such attacks becomes more complex and time-consuming. Consequently, any business—regardless of size or industry—is increasingly vulnerable to these sophisticated cyber threats, risking not only data security but also long-term stability.

Possible Actions

Quick action on threats like the TangleCrypt Windows Packer with Ransomware Payloads Evades EDR Using ABYSSWORKER Driver is crucial to contain damage and prevent widespread system compromise. Immediate response ensures vulnerabilities are addressed promptly, restoring security posture and minimizing potential downtime.

Containment and Isolation

• Isolate affected endpoints from the network to prevent further spread.
• Disable network sharing services and disconnect from external networks immediately.

Threat Identification

• Conduct a thorough forensic analysis to identify the scope and nature of the infection.
• Use advanced malware detection tools designed to recognize the specific tactics like ABYSSWORKER drivers.

Eradication Strategies

• Remove malicious files, drivers, and associated payloads from all affected systems.
• Ensure backup data is clean before restoring systems to operational status.

System Restoration

• Reimage or reinstall Windows OS where appropriate to eliminate hidden malware remnants.
• Apply the latest security patches and updates to prevent recurrence.

Enhanced Defenses

• Update and configure EDR solutions to detect the latest stealth techniques used by such malware.
• Deploy endpoint detection tools that monitor driver-level activities for early anomaly detection.

Preventive Measures

• Review and strengthen existing endpoint security policies.
• Conduct regular security training to raise awareness about evasive malware tactics.
• Establish continuous monitoring and automated alerts for suspicious activities.

Stay Ahead in Cybersecurity

Stay informed on the latest Threat Intelligence and Cyberattacks.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1cyberattack-v1-multisource