Ethical Hacking News
Ransomware gangs have turned to a packer-as-a-service platform named Shanya to evade detection, using it to deploy payloads that disable endpoint detection and response solutions on victim systems. This development has significant implications for cybersecurity, as it allows these malicious actors to carry out their nefarious activities with relative impunity.
The Shanya packer-as-a-service platform is being used by ransomware gangs to evade endpoint detection and response solutions. The service, which emerged in late 2024, has been spotted in various countries, including Tunisia, UAE, Costa Rica, Nigeria, and Pakistan. Malware samples using Shanya have been observed to disable EDR tools, allowing attackers to carry out nefarious activities with relative impunity. The packer service works by inserting malicious payloads into a memory-mapped copy of the Windows DLL file 'shell32.dll.' The use of Shanya is particularly concerning as it allows ransomware groups to disable EDR tools before data theft and encryption stages. Sophos has observed ClickFix campaigns employing Shanya to package CastleRAT malware, highlighting its widespread use and potential impact on cybersecurity. Cybersecurity professionals must be vigilant in detecting and mitigating the use of Shanya by malicious actors.
The Shanya packer operation emerged in late 2024 and has grown significantly in popularity, with malware samples using it being spotted in various countries including Tunisia, the UAE, Costa Rica, Nigeria, and Pakistan. Among the ransomware groups confirmed to have used this service are Medusa, Qilin, Crytox, and Akira, with the latter being the one that uses the packer service most often.
Shanya works by taking a threat actor's malicious payload and returning a "packed" version wrapped in a custom loader that uses encryption and compression. The loader places the payload inside a memory-mapped copy of the Windows DLL file 'shell32.dll': the payload is decrypted and decompressed entirely in memory and written into that mapped copy, so it never touches the disk.
This approach also lets Shanya check for endpoint detection and response (EDR) solutions by calling the 'RtlDeleteFunctionTable' function in an invalid context. Under a user-mode debugger this triggers an unhandled exception or a crash, disrupting automated analysis before the payload fully executes.
The use of Shanya is particularly concerning as it allows ransomware groups to disable EDR tools running on the target system before the data theft and encryption stages of the attack. The execution usually occurs via DLL side-loading, combining a legitimate Windows executable with a Shanya-packed malicious DLL.
According to analysis from Sophos, the EDR killer drops two drivers: a legitimately signed ThrottleStop.sys (rwdrv.sys) from TechPowerUp, which contains a flaw enabling arbitrary kernel memory writing, and the unsigned hlpdrv.sys. The signed driver is used for privilege escalation, while hlpdrv.sys disables security products based on commands received from user mode.
Apart from ransomware operators focused on EDR disabling, Sophos has also observed recent ClickFix campaigns employing the Shanya service to package the CastleRAT malware. This highlights the widespread use of Shanya and its potential impact on cybersecurity.
The report from Sophos includes a detailed technical analysis of some of the payloads packed with Shanya, as well as indicators of compromise (IoCs) associated with Shanya-powered campaigns. The authors emphasize that ransomware gangs often rely on packer services to prepare EDR killers so they can be deployed undetected.
In light of this development, cybersecurity professionals and organizations must be vigilant in detecting and mitigating the use of Shanya by malicious actors. This may involve implementing advanced threat detection tools and enhancing incident response procedures to address the evolving landscape of ransomware attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Ransomware-Gangs-Use-Shanya-EXE-Packer-to-Evade-Detection-ehn.shtml
https://www.bleepingcomputer.com/news/security/ransomware-gangs-turn-to-shanya-exe-packer-to-hide-edr-killers/
Published: Mon Dec 8 18:07:43 2025 by llama3.2 3B Q4_K_M