Multiple ransomware gangs are using a packer-as-a-service platform named Shanya to help them deploy payloads that disable endpoint detection and response solutions on victim systems.

Packer services provide cybercriminals with specialized tools to package their payloads in a way that obfuscates malicious code to evade detection by most known security tools and antivirus engines.

The Shanya packer operation emerged in late 2024 and has grown in popularity significantly, with malware samples using it being spotted in Tunisia, the UAE, Costa Rica, Nigeria, and Pakistan, as per telemetry data from Sophos Security.

Among the ransomware groups confirmed to have used it are Medusa, Qilin, Crytox, and Akira, with the latter being the one that uses the packers service most often.

How Shanya works

Threat actors submit their malicious payloads to Shanya, and the service returns a “packed” version with a custom wrapper, using encryption and compression.

The service promotes the singularity of the resulting payloads, highlighting the “non-standard module loading into memory, wrapper over the system loaderStub uniqueization,” with “each customer receiving their own (relatively) unique stub with a unique encryption algorithm upon purchase.”

The payload is inserted into a memory-mapped copy of the Windows DLL file ‘shell32.dll.’ This DLL file has valid-looking executable sections and size, and its path appears normal, but its header and .text section have been overwritten with the decrypted payload.

While the payload is encrypted inside the packed file, it is decrypted and decompressed while still entirely in memory, and then inserted into the ‘shell32.dll’ copy file, never touching the disk.

Sophos researchers found that Shanya performs checks for endpoint detection and response (EDR) solutions by calling the ‘RtlDeleteFunctionTable’ function in an invalid context.

This triggers an unhandled exception or a crash when running under a user-mode debugger, disrupting automated analysis before full execution of the payload.

Disabling EDRs

Ransomware groups typically seek to disable EDR tools running on the target system before the data theft and encryption stages of the attack.

The execution usually occurs via DLL side-loading, combining a legitimate Windows executable such as ‘consent.exe’ with a Shanya-packed malicious DLL like msimg32.dll, version.dll, rtworkq.dll, or wmsgapi.dll.

According to the analysis from Sophos, the EDR killer drops two drivers: a legitimately signed ThrottleStop.sys (rwdrv.sys) from TechPowerUp, which contains a flaw enabling arbitrary kernel memory writing, and the unsigned hlpdrv.sys.

The signed driver is used for privilege escalation, while hlpdrv.sys disables security products based on commands received from user mode.

The user-mode component enumerates running processes and installed services, then compares the results against entries in an extensive hardcoded list, sending a “kill” command to the malicious kernel driver for each match.

Apart from ransomware operators focused on EDR disabling, Sophos has also observed recent ClickFix campaigns employing the Shanya service to package the CastleRAT malware.

Sophos notes that ransomware gangs often rely on packer services to prepare EDR killers for being deployed undetected.

The researchers provide a detailed technical analysis of some of the payloads packed with Shanya.

The report also includes indicators of compromise (IoCs) associated with Shanya-powered campaigns.