
Learn how Shanya, a new packer-as-a-service used by ransomware to evade EDR, conceals malware and disables security tools.
Packer technology works as an enveloping mechanism for malicious code and acts as a stealth enhancer. The core of Shanya's functionality is its PaaS model: it wraps pre-existing ransomware code in an exclusive encryption shell. As a result, malware that antivirus tools would otherwise detect may go unnoticed entirely. It is worth noting that Shanya appears to have replaced its predecessor, the HeartCrypt packer, with considerable support from several ransomware gangs.
Researchers have observed Shanya in use across the world as of 2025, which shows that it has been widely adopted. PaaS tools like Shanya are unlikely to fade out anytime soon, given the financial rewards of cybercrime, and they will remain an essential part of the ransomware toolkit as stealth packers and EDR killers.
What is Shanya Packer-as-a-Service?
- Shanya emerged in late 2024 on dark-web forums under the alias “VX Crypt.”
- It offers buyers a customized crypter, assigning a unique encryption method per customer.
- This results in each malware sample appearing unique, as all payloads are packed with Shanya.
- Shanya includes anti-analysis mechanisms:
  - Bypassing Windows .NET AMSI interfaces.
  - Refusing to execute on virtualized or sandboxed environments.
- The loader first runs a legitimate program or DLL, and injects the malware afterward, keeping malicious activity hidden.
- Shanya is typically delivered via phishing lures.
  - In one observed case, attackers used a fake Booking.com “ClickFix” email to trick victims into running a downloaded script.
  - That script then retrieved and executed a Shanya-packed payload, demonstrating how realistic phishing scenarios can deliver Shanya while keeping the malware concealed until execution.

Shanya, the EDR Killer
A typical role played by Shanya is serving as an EDR killer before the ransomware executes. Generally, the packer drops two drivers on the targeted system: a legitimate, signed driver, intended to evade early detection, and a malicious kernel driver. Abusing the privileges granted through the legitimate driver, the attacker obtains the write access it needs and uses the malicious driver to kill and remove the security processes and services running on the system. This effectively strips away all defenses, paving the way for easy execution of the ransomware. The EDR-killer payload has become a core service offered by Shanya.
Ransomware Groups and Real-World Campaigns
Notable ransomware gangs observed using Shanya's services include Akira, Qilin, Crytox, and Medusa. These gangs buy access to the services offered by Shanya rather than developing their own packers. One specific attack campaign involved a Booking.com-themed ClickFix email carrying a Shanya-packed payload, which launched a backdoor known as CastleRAT via DLL side-loading, demonstrating the capabilities Shanya offers.
The quick uptake of Shanya highlights a worrying trend: commoditized toolkits are fueling more sophisticated attacks. Even smaller gangs can now launch polished campaigns by leasing services like this.
Defending Against Shanya’s Threat
Cyber hygiene practices include keeping EDR and endpoint security solutions up to date. It is recommended to rely on threat intelligence that enables blocking of known packers, and to educate end users on identifying phishing attacks such as the ClickFix lures described above. Equally important is hardening the EDR software itself against interference with its drivers and processes, and configuring it with threats like Shanya specifically in mind. A multi-layered defense strategy is necessary to combat the threats posed by Shanya and similar malware.
MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs)
| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access (TA0001) | T1566.002 Phishing: Spearphishing Link | Uses “ClickFix” lures (e.g., fake Booking.com updates) to deliver the initial payload. |
| Execution (TA0002) | T1059.007 Command and Scripting Interpreter | Executes malicious JavaScript or PowerShell scripts to fetch and unpack the malware. |
| Privilege Escalation (TA0004) | T1068 Exploitation for Privilege Escalation | BYOVD: Abuses vulnerable signed drivers to gain kernel-level access. |
| Defense Evasion (TA0005) | T1562.001 Impair Defenses / T1027.002 Packing | EDR Killer: Terminates security processes and wraps malware in a custom encryption shell. |
| Discovery (TA0007) | T1057 Process Discovery | Enumerates running processes to identify and target specific EDR/AV agents for termination. |
| Defense Evasion (TA0005), Anti-Analysis | T1497 Virtualization/Sandbox Evasion | Checks for VM environments or debuggers and refuses to execute if detected. |
| Command & Control (TA0011) | T1071 Application Layer Protocol | Payload communicates with C2 servers (often via compromised legitimate sites). |
| Impact (TA0040) | T1486 Data Encrypted for Impact | Facilitates the deployment of ransomware (e.g., Akira, Medusa) to encrypt the victim’s data. |
Case Study: Xcitium vs. Shanya PaaS (Packer-as-a-Service)
During our controlled lab test, Xcitium successfully disrupted a Shanya-style DLL side-loading attempt at the exact moment it mattered: DLL load time. In this scenario, a seemingly legitimate executable (cons.exe) was placed in the same directory as a suspicious library (msimg32.dll). This technique is commonly used by attackers because Windows may prioritize loading a DLL from the application’s local folder, allowing a malicious library to be executed under the context of a trusted-looking process.
When we executed cons.exe, Xcitium’s Host Intrusion Prevention System (HIPS) immediately generated security events showing “Block unknown DLL” actions. The logs clearly identified the parent process (cons.exe) and the targeted libraries, including msimg32.dll. By blocking the DLL load, Xcitium prevented the malicious code from being mapped into memory, effectively stopping the chain before any payload could run, inject, or establish persistence.
This is a critical advantage against modern packer-as-a-service threats like Shanya, which are designed to evade traditional detection by delaying or hiding malicious behavior until runtime. Instead of relying solely on signatures or post-execution alerts, Xcitium enforced a preventive control that neutralized the attack path early and reduced the risk of follow-on activity such as credential theft, lateral movement, or ransomware encryption. The result was a clean, observable stop with clear telemetry for verification and reporting.
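One way to check a directory for the layout used in this case study (a DLL carrying a Windows system DLL name sitting beside an executable), as an added example that is not part of the original post or of Xcitium's product. The starter list of commonly shadowed DLL names is an assumption, and the sample directory listings use placeholder digests rather than real hashes.

```python
"""Side-loading triage for the cons.exe / msimg32.dll layout above.

Added example, not part of Xcitium's product.  The list of commonly shadowed
DLL names is an assumed starter set and the sample listings use placeholder
digests rather than real hashes."""
from __future__ import annotations

import hashlib
from pathlib import Path

# DLL names that normally resolve from System32 and are often planted beside an
# executable to hijack its search order (assumed list; build your own baseline).
COMMON_SIDELOAD_NAMES = {"msimg32.dll", "version.dll", "dwmapi.dll", "cryptbase.dll"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(app_listing: dict[str, str],
                             system32_hashes: dict[str, str]) -> list[dict]:
    """Report DLLs in an application directory that shadow a System32 DLL name.

    app_listing maps file name -> SHA-256 for the directory being checked;
    system32_hashes maps lower-case DLL name -> SHA-256 of the genuine copy.
    A shadowing DLL only matters when there is an executable beside it to
    load it, so directories without an .exe produce no findings.
    """
    exes = sorted(n for n in app_listing if n.lower().endswith(".exe"))
    if not exes:
        return []
    findings = []
    for name, digest in app_listing.items():
        low = name.lower()
        if low not in COMMON_SIDELOAD_NAMES:
            continue
        genuine = system32_hashes.get(low)
        if genuine is None:
            verdict = "no-system32-copy"          # cannot compare; review manually
        elif genuine == digest:
            verdict = "matches-system32"          # redundant copy; odd, but same bytes
        else:
            verdict = "differs-from-system32"     # classic side-load payload layout
        findings.append({"dll": name, "beside": exes, "verdict": verdict})
    return findings


def scan_directory(app_dir: Path,
                   system32_dir: Path = Path(r"C:\Windows\System32")) -> list[dict]:
    """Hash the real files and run the check (Windows paths; adjust for a lab)."""
    app = {p.name: sha256_file(p) for p in app_dir.iterdir() if p.is_file()}
    sys_hashes = {}
    for n in COMMON_SIDELOAD_NAMES:
        p = system32_dir / n
        if p.is_file():
            sys_hashes[n] = sha256_file(p)
    return find_sideload_candidates(app, sys_hashes)


# Constructed listings with placeholder digests (not real hashes).
SAMPLE_APP_DIR = {"cons.exe": "a" * 64, "msimg32.dll": "b" * 64, "readme.txt": "c" * 64}
SAMPLE_SYSTEM32 = {"msimg32.dll": "d" * 64, "version.dll": "e" * 64}

if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_APP_DIR, SAMPLE_SYSTEM32):
        print(finding)
```

`scan_directory` compares the local copy against the genuine System32 copy, so a DLL that merely duplicates the system file is reported separately from one whose contents differ; a hit of `differs-from-system32` next to an executable is the condition the HIPS event above blocked at load time.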
Indicators of Compromise (IOCs)
Since Shanya is a Packer-as-a-Service, the file hashes are constantly changing. Therefore, detection should focus primarily on behavioral indicators rather than static files.
- Process Termination Attempts:
  - Look for `cmd.exe` or `powershell.exe` executing unusual `taskkill` or `net stop` commands targeting known security vendor processes (e.g., those associated with EDR, AV, or DLP solutions).
  - System log events (Event ID 7036/7045) indicating unexpected stopping or deletion of security-related services.
- Suspicious Driver Loading (BYOVD):
  - Installation of new services pointing to `.sys` files from non-standard locations (e.g., `%TEMP%` or `%APPDATA%`).
  - Look for known vulnerable but legitimate drivers being dropped and loaded (e.g., older versions of drivers like `mhyprot2.sys` or similar, which Shanya may exploit).
- High Entropy Files:
  - Any newly created executable files (`.exe`, `.dll`) exhibiting very high entropy (typically above 7.0), which strongly suggests heavy packing or encryption.
- Process Injection/Hollowing:
  - A seemingly benign or legitimate Windows process (like `svchost.exe` or a commonly used utility) suddenly allocating executable memory and showing outbound network traffic or writing new files, indicating a payload implant.
- Initial Access Scripts:
  - Files with double extensions (e.g., `invoice.pdf.js` or `update.doc.vbs`).
  - Common names found in phishing campaigns: `ClickFix_Update.js`, `Booking_Ref_Order.exe`, or other travel/shipping themed documents.
- Malware Location:
  - Payloads often dropped in temporary directories (`%TEMP%`, `C:\Windows\Temp`) or user profile folders (`%APPDATA%`) before execution.
- Beaconing Traffic:
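The behavioral indicators above can be checked without any file hash. The following Python is an added example, not Xcitium's code or telemetry: it runs three of those checks (termination commands aimed at security processes, Event ID 7045 service installs whose binary is a `.sys` in a user-writable path, and entropy plus double-extension checks on newly written files) over a small constructed set of events. The protected-process hints, the suspicious directory list, the driver file name `example.sys` and every sample event are assumptions and placeholders.

```python
"""Behavioral triage for Shanya-style EDR-killer activity.

Added example (not Xcitium's code): the process-name hints, the list of
user-writable driver locations and every sample event below are constructed
for illustration and should be replaced with your own baseline."""
from __future__ import annotations

import math
import re
from collections import Counter

# Substrings that identify security-agent processes/services (assumed list).
PROTECTED_PROCESS_HINTS = ("msmpeng", "sense", "edr", "xcitium", "cmdagent", "csfalcon")

# Directories a kernel driver has no business being loaded from (lower-case
# substrings of the full path).
SUSPICIOUS_DRIVER_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")

KILL_CMD = re.compile(r"\b(taskkill|net\s+stop|sc\s+(?:stop|delete))\b", re.IGNORECASE)
DRIVER_PATH = re.compile(r"([a-z]:\\\S+?\.sys)\b", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.(?:pdf|doc|docx|xls|xlsx|txt)\.(?:js|vbs|exe|ps1|hta)$")


def check_command_line(cmdline: str) -> list[str]:
    """Flag shell commands that try to stop or kill security tooling."""
    low = cmdline.lower()
    if KILL_CMD.search(low) and any(h in low for h in PROTECTED_PROCESS_HINTS):
        return ["security-process-termination-attempt"]
    return []


def check_service_install(event_id: int, image_path: str) -> list[str]:
    """Flag Event ID 7045 (new service) whose binary is a .sys in a user-writable dir."""
    if event_id != 7045:
        return []
    m = DRIVER_PATH.search(image_path)
    if m and any(d in m.group(1).lower() for d in SUSPICIOUS_DRIVER_DIRS):
        return ["driver-from-nonstandard-location"]
    return []


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, and packed or encrypted files sit near it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_new_file(name: str, data: bytes, threshold: float = 7.0) -> list[str]:
    """Entropy check for new executables plus the double-extension lure pattern."""
    findings = []
    low = name.lower()
    if low.endswith((".exe", ".dll")) and shannon_entropy(data) > threshold:
        findings.append("high-entropy-executable")
    if DOUBLE_EXT.search(low):
        findings.append("double-extension-lure")
    return findings


# Constructed sample telemetry, not captured data.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "cmd.exe /c taskkill /F /IM MsMpEng.exe"},
    {"type": "process", "cmdline": 'powershell.exe -c "net stop CmdAgent"'},
    {"type": "process", "cmdline": "cmd.exe /c net stop Spooler"},  # routine admin action
    {"type": "service", "event_id": 7045,
     "image_path": r"C:\Users\bob\AppData\Local\Temp\mhyprot2.sys"},
    {"type": "service", "event_id": 7045,
     "image_path": r"C:\Windows\System32\drivers\example.sys"},  # placeholder name
]


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Return {event index: findings} for every event that trips a rule."""
    hits: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            found = check_command_line(ev["cmdline"])
        elif ev["type"] == "service":
            found = check_service_install(ev["event_id"], ev["image_path"])
        else:
            found = []
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx], findings)
```

Only the first two process events and the driver installed from `%TEMP%` are reported; the routine `net stop Spooler` and the driver under `System32\drivers` pass, which is the point of keying the rules on the combination of action and target rather than on the command alone.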
Conclusion: A New Ransomware Economy Built on Stealth
Shanya Packer-as-a-Service exposes a critical shift in how modern ransomware succeeds.
Instead of developing new malware, attackers now invest in making existing ransomware invisible.
By wrapping payloads in unique encryption shells, abusing legitimate drivers, and deliberately disabling endpoint defenses before execution, Shanya turns ransomware into a polished, scalable business. No exploits are required. No noisy behavior is needed.
Just stealth, precision, and guaranteed execution.
This is ransomware optimized not for innovation but for reliability.
Why Traditional EDR Is Losing the Fight
Shanya exists for one purpose: to neutralize detection-based security before ransomware runs.
- Each payload is uniquely packed, eliminating reusable signatures
- Anti-analysis logic blocks sandboxes and virtual environments
- Signed driver abuse enables kernel-level interference
- Security processes are targeted before encryption begins
- Malicious DLLs load under trusted executables
Any environment that allows unknown code to execute even briefly gives Shanya exactly what it needs to succeed.
How Xcitium Prevents Shanya From Ever Succeeding
With Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, the attack fails at execution.
- Shanya-packed payloads are stopped the moment they attempt to run
- Malicious DLL side-loading is blocked immediately
- EDR-killer drivers never gain control
- Security tools remain active and protected
- Ransomware never reaches the operating system
The attack chain collapses before defenses can be weakened or data can be touched.
Ransomware Depends on Time. Xcitium Takes It Away.
Shanya proves one thing clearly: modern ransomware only works when it’s allowed to run.
Xcitium denies that opportunity entirely.
When ransomware is the threat, the outcome is simple:
Xcitium = No Ransomware.