Saved February 14, 2026
This article details TangleCrypt, a new Windows malware packer linked to a ransomware attack. It discusses its methods for hiding payloads and the flaws in its implementation that may lead to crashes. Key features include its use of multiple encoding layers and basic anti-analysis techniques.
TangleCrypt is a newly identified packer for Windows malware, recently analyzed by WithSecure's STINGR Group. Found in executables linked to a ransomware attack, TangleCrypt conceals its payload using multiple layers of base64 encoding, LZ78 compression, and XOR encryption. The packer supports two methods for launching its payload—within the same process or in a child process—determined by a specific string in the payload. While TangleCrypt employs basic anti-analysis techniques like string encryption, these can be easily bypassed, revealing a design with several flaws that may lead to crashes or other unexpected behavior.
The packer is associated with a malware known as STONESTOP, which targets security products, primarily Microsoft Defender. During the investigation, the researchers found that all STONESTOP samples they examined were packed with VMProtect, but the two samples from their incident response case exhibited unique characteristics. Unlike typical HeartCrypt-packed samples, these had relocations and fewer resource entries, leading the researchers to classify them as distinct. The loader code in both samples was identical, yet the execution behavior differed significantly—one decrypted the payload in its own memory, while the other spawned a child process for decryption.
TangleCrypt’s design aims to obscure its malicious payload by lowering the overall entropy of the sample, making detection more challenging. The study highlights that TangleCrypt's anti-analysis measures are minimal, primarily involving an Access Violation exception trick that can be easily circumvented. The detailed investigation sheds light on the operational tactics of current threat actors and underscores the importance of ongoing research into emerging malware techniques.
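The layering described above (base64, LZ78, XOR) as an added illustration, not code from the article or from WithSecure: a toy version of the packing, the matching unpacker an analyst would script once the key is recovered, and the entropy measurement that explains why an outer base64 layer lowers the sample's entropy. The layer order, the LZ78 token format, the key and the payload are all assumptions constructed for this example.

```python
import base64
import math
import struct
from collections import Counter
# Constructed stand-ins; not values taken from TangleCrypt samples.
PAYLOAD = b"MZ\x90\x00" + b"This is a stand-in payload, not a real PE. " * 4
XOR_KEY = b"k3y!"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 looks encrypted; base64 text cannot exceed log2(64) = 6."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def lz78_compress(data: bytes) -> bytes:
    """Textbook LZ78: (prefix index, next byte) tokens, index 0 = empty phrase.
    Assumed wire format: uint16 index + uint8 byte; a dangling tail sets bit 15."""
    phrases = {}
    w, out = b"", bytearray()
    for b in data:
        wb = w + bytes([b])
        if wb in phrases:
            w = wb
            continue
        out += struct.pack(">HB", phrases.get(w, 0), b)
        phrases[wb] = len(phrases) + 1   # fine for small inputs; no 0x7FFF guard
        w = b""
    if w:
        out += struct.pack(">HB", 0x8000 | phrases[w], 0)
    return bytes(out)

def lz78_decompress(blob: bytes) -> bytes:
    phrases, out = [b""], bytearray()
    for idx, b in struct.iter_unpack(">HB", blob):
        if idx & 0x8000:                  # tail token: emit phrase, learn nothing new
            out += phrases[idx & 0x7FFF]
            break
        entry = phrases[idx] + bytes([b])
        out += entry
        phrases.append(entry)
    return bytes(out)

def pack(payload: bytes, key: bytes) -> bytes:
    """Assumed layer order: compress, XOR, then two base64 layers."""
    return base64.b64encode(base64.b64encode(xor_bytes(lz78_compress(payload), key)))

def unpack(blob: bytes, key: bytes) -> bytes:
    """Peel the layers in reverse order; compare shannon_entropy() of blob vs. payload."""
    return lz78_decompress(xor_bytes(base64.b64decode(base64.b64decode(blob)), key))
```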