Shanya EXE Packer: How Ransomware Gangs Hide EDR Killers

A new packer-as-a-service platform called Shanya is being widely adopted by ransomware groups to conceal EDR (Endpoint Detection and Response) killers inside their payloads.

Key Points

  • Emergence: Shanya appeared in late 2024 and has grown rapidly in use.
  • Geographic spread: Samples detected in Tunisia, UAE, Costa Rica, Nigeria, and Pakistan (Sophos telemetry).
  • Ransomware groups using Shanya:
    • Medusa
    • Qilin
    • Crytox
    • Akira (most frequent user).

How Shanya Works

  • Workflow:
    1. Threat actors submit payloads → Shanya returns a “packed” version.
    2. Payload wrapped with custom encryption & compression.
    3. Each customer gets a unique stub with its own encryption algorithm.
  • Technical tricks:
    • Payload injected into a memory-mapped copy of shell32.dll.
    • DLL looks legitimate but its .text section is overwritten with malicious code.
    • Payload never touches disk → harder for AV/EDR to detect.
    • Uses junk code and non-standard module loading to evade analysis.
  • Anti-analysis feature: Calls RtlDeleteFunctionTable in an invalid context → causes debugger crashes, disrupting automated analysis.

Disabling EDR

  • DLL side-loading: Combines legitimate Windows executables (e.g., consent.exe) with Shanya-packed malicious DLLs (msimg32.dll, version.dll, rtworkq.dll, wmsgapi.dll).
  • Driver abuse:
    • Drops ThrottleStop.sys (rwdrv.sys) — a legitimately signed driver with a flaw allowing arbitrary kernel memory writes → used for privilege escalation.
    • Drops hlpdrv.sys (unsigned) → disables security products based on user-mode commands.
  • User-mode component:
    • Enumerates processes and services.
    • Compares against a hardcoded list of EDR/AV tools.
    • Sends “kill” commands to the malicious driver for each match.

Other Observed Campaigns

  • ClickFix campaigns: Using Shanya to package CastleRAT malware.
  • Shows Shanya’s versatility beyond ransomware, supporting broader malware ecosystems.

Defensive Recommendations

  • Monitor for DLL side-loading involving unusual DLLs (msimg32.dll, version.dll, etc.).
  • Check for suspicious drivers:
    • ThrottleStop.sys misuse.
    • Presence of hlpdrv.sys.
  • Look for anomalies in shell32.dll memory mapping.
  • Hunt for IoCs published by Sophos in their technical analysis.
  • Block packer services: Detect obfuscated payloads with memory-only execution patterns.
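The side-loading and driver checks above, worked through as an added Python hunt over constructed Sysmon-style events (not code from Sophos or the original post); the Event fields, the sample paths and the rule logic are assumptions.

```python
"""Hunt for the side-loading and driver indicators listed above in
Sysmon-style events (constructed sample data, not Sophos telemetry)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# DLL names the report ties to Shanya side-loading, and the drivers it drops.
SIDELOAD_DLLS = {"msimg32.dll", "version.dll", "rtworkq.dll", "wmsgapi.dll"}
SUSPECT_DRIVERS = {"throttlestop.sys", "rwdrv.sys", "hlpdrv.sys"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

@dataclass
class Event:
    event_id: int        # Sysmon 7 = ImageLoad, 6 = DriverLoad
    image: str           # loading process (ID 7) or driver path (ID 6)
    loaded: str = ""     # DLL path, ID 7 only
    signed: bool = True  # signature status of the loaded module

def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)

def check(ev: Event) -> Optional[str]:
    """Return a finding for one event, or None if it is unremarkable."""
    if ev.event_id == 7:
        # The abused DLL names are normal when resolved from System32; the
        # side-loading pattern is the same name resolved from anywhere else.
        if (PureWindowsPath(ev.loaded).name.lower() in SIDELOAD_DLLS
                and not _in_system_dir(ev.loaded)):
            return f"possible DLL side-loading: {ev.image} loaded {ev.loaded}"
    elif ev.event_id == 6:
        if PureWindowsPath(ev.image).name.lower() in SUSPECT_DRIVERS:
            why = "signed but vulnerable" if ev.signed else "unsigned"
            return f"suspect driver ({why}): {ev.image}"
    return None

def hunt(events: List[Event]) -> List[str]:
    return [f for f in map(check, events) if f]

# Constructed sample: benign load, side-load, then the two dropped drivers.
SAMPLE = [
    Event(7, r"C:\Windows\System32\consent.exe", r"C:\Windows\System32\version.dll"),
    Event(7, r"C:\Users\Public\consent.exe", r"C:\Users\Public\msimg32.dll"),
    Event(6, r"C:\Users\Public\ThrottleStop.sys", signed=True),
    Event(6, r"C:\Users\Public\hlpdrv.sys", signed=False),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

In production the same rules would be fed from Sysmon event IDs 6 and 7 (or the EDR's equivalent image-load and driver-load telemetry) rather than the constructed list.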

Why It Matters

Shanya demonstrates how packer-as-a-service offerings are industrializing ransomware operations. By making payloads stealthier and harder to analyze, attackers can reliably disable defenses before encryption and data theft.
