Multiple ransomware groups have been using a packer-as-a-service called Shanya to deliver payloads designed to disable endpoint detection and response (EDR) tools on victim machines, security researchers reported. Telemetry linked to packed samples has been observed in Tunisia, the United Arab Emirates, Costa Rica, Nigeria and Pakistan, and operators identified as using the service include Medusa, Qilin, Crytox and Akira, with Akira appearing to be the most frequent user.
Shanya accepts malicious payloads and returns a packed executable that uses a custom wrapper, encryption, compression and per-customer stub uniqueization to frustrate signature-based detection. The service inserts the decrypted payload into a memory-mapped copy of the legitimate Windows DLL _shell32.dll_, leaving the malicious code only in memory so it never touches disk.
Sophos researchers found that the packer performs runtime checks for EDR presence by invoking functions such as RtlDeleteFunctionTable in an invalid context, a technique that can trigger unhandled exceptions or crashes under user-mode debuggers and disrupt automated analysis before the payload fully executes.
Operators typically execute Shanya-packed components via DLL side-loading, pairing a legitimate Windows executable such as _consent.exe_ with a packed malicious DLL (examples include _msimg32.dll_, _version.dll_, _rtworkq.dll_ and _wmsgapi.dll_). The EDR-disabling sequence drops two drivers: a signed ThrottleStop.sys (rwdrv.sys), whose flaw can be abused for arbitrary kernel memory writes, and an unsigned driver, hlpdrv.sys, that receives commands from user mode to disable security products.
The user-mode component enumerates running processes and installed services and compares those results to a large hardcoded list; when a match is found the component issues a “kill” command to the malicious kernel driver to stop the targeted security software. Researchers also noted ClickFix campaigns using Shanya to package CastleRAT, and provided a detailed technical analysis and a set of indicators of compromise for Shanya-powered activity.
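The two observable steps of the kill chain described above, the side-loaded DLL next to a legitimate host binary and the loading of the named drivers, can be matched against endpoint telemetry. The following is an added detection example, not code from the Sophos report; the Sysmon-style key=value event layout, the field names and the sample lines are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Side-loading pairs named in the report: the legitimate host binary and DLL names it loads.
HOST_BINARIES = {"consent.exe"}
SIDELOAD_DLLS = {"msimg32.dll", "version.dll", "rtworkq.dll", "wmsgapi.dll"}
# Drivers named in the report: the vulnerable signed ThrottleStop driver and the unsigned helper.
SUSPECT_DRIVERS = {"rwdrv.sys", "throttlestop.sys", "hlpdrv.sys"}
# A named DLL loaded from these directories is the genuine system copy, not a side-load.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed Sysmon-style events: ID 7 = image (DLL) loaded, ID 6 = driver loaded.
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Windows\System32\consent.exe ImageLoaded=C:\Windows\System32\version.dll Signed=true",
    r"EventID=7 Image=C:\Users\Public\consent.exe ImageLoaded=C:\Users\Public\msimg32.dll Signed=false",
    r"EventID=6 ImageLoaded=C:\Users\Public\rwdrv.sys Signed=true",
    r"EventID=6 ImageLoaded=C:\Users\Public\hlpdrv.sys Signed=false",
]

def parse_event(line):
    """Turn one key=value event line into a dict with lower-cased keys."""
    return {k.lower(): v for k, v in FIELD_RE.findall(line)}

def _name(path):
    """File name component of a Windows path, lower-cased (works on any host OS)."""
    return PureWindowsPath(path).name.lower()

def classify(ev):
    """Return a finding string for one parsed event, or None if nothing matches."""
    loaded = ev.get("imageloaded", "")
    if ev.get("eventid") == "7":
        host_match = _name(ev.get("image", "")) in HOST_BINARIES
        dll_match = _name(loaded) in SIDELOAD_DLLS
        from_trusted = loaded.lower().startswith(TRUSTED_DLL_DIRS)
        if host_match and dll_match and not from_trusted:
            return f"possible DLL side-load: {_name(ev['image'])} loaded {loaded}"
    elif ev.get("eventid") == "6" and _name(loaded) in SUSPECT_DRIVERS:
        state = "unsigned" if ev.get("signed", "").lower() == "false" else "signed"
        return f"suspect {state} driver load: {loaded}"
    return None

def scan(lines):
    """Run every event line through classify and return the findings in order."""
    return [f for f in (classify(parse_event(line)) for line in lines) if f]
```

The first sample line, the real consent.exe loading version.dll from System32, is deliberately left unflagged so the rule does not fire on normal UAC prompts.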