Cybersecurity

Ransomware Gangs Turn To Shanya Exe Packer To Hide EDR Killers

2025-12-09 0 views admin
Ransomware Gangs Turn To Shanya Exe Packer To Hide EDR Killers

Multiple ransomware gangs are using a packer-as-a-service platform named Shanya to help them deploy payloads that disable endpoint detection and response solutions on victim systems.

Packer services provide cybercriminals with specialized tools to package their payloads in a way that obfuscates malicious code to evade detection by most known security tools and antivirus engines.

The Shanya packer operation emerged in late 2024 and has grown in popularity significantly, with malware samples using it being spotted in Tunisia, the UAE, Costa Rica, Nigeria, and Pakistan, as per telemetry data from Sophos Security.

Among the ransomware groups confirmed to have used it are Medusa, Qilin, Crytox, and Akira, with the latter being the one that uses the packers service most often.

Threat actors submit their malicious payloads to Shanya, and the service returns a “packed” version with a custom wrapper, using encryption and compression.

The service promotes the singularity of the resulting payloads, highlighting the “non-standard module loading into memory, wrapper over the system loaderStub uniqueization,” with “each customer receiving their own (relatively) unique stub with a unique encryption algorithm upon purchase.”

The payload is inserted into a memory-mapped copy of the Windows DLL file ‘shell32.dll.’ This DLL file has valid-looking executable sections and size, and its path appears normal, but its header and .text section have been overwritten with the decrypted payload.

While the payload is encrypted inside the packed file, it is decrypted and decompressed while still entirely in memory, and then inserted into the ‘shell32.dll’ copy file, never touching the disk.

Sophos researchers found that Shanya performs checks for endpoint detection and response (EDR) solutions by calling the ‘RtlDeleteFunctionTable’ function in an invalid context.

This triggers an unhandled exception or a crash when running under a user-mode debugger, disrupting automated analysis before full execution of the payload.

Source: BleepingComputer

🏷️ Tags

securitymalwareransomwarethreat

More from Cybersecurity

Beware: Paypal Subscriptions Abused To Send Fake Purchase Emails

Beware: Paypal Subscriptions Abused To Send Fake Purchase Emails

2025-12-14 0
Cybervolk’s Ransomware Debut Stumbles On Cryptography Weakness

Cybervolk’s Ransomware Debut Stumbles On Cryptography Weakness

2025-12-13 0
Cisa Adds Actively Exploited Sierra Wireless Router Flaw Enabling...

Cisa Adds Actively Exploited Sierra Wireless Router Flaw Enabling...

2025-12-13 0
Apple Issues Security Updates After Two Webkit Flaws Found...

Apple Issues Security Updates After Two Webkit Flaws Found...

2025-12-13 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views