Ransomware gangs adopt new Shanya PaaS to evade EDR tools


Multiple ransomware groups are adopting a packer-as-a-service platform known as Shanya to conceal and deploy payloads designed to disable endpoint detection and response (EDR) systems, according to new research from Sophos.

Shanya, which emerged in late 2024, gives threat actors a way to wrap their malware in highly customized, obfuscated code that bypasses most security tools. Sophos telemetry shows it is gaining traction, with samples identified in Tunisia, the UAE, Costa Rica, Nigeria, and Pakistan. Its customers include the ransomware operations Medusa, Qilin, Crytox, and Akira, with Akira appearing to be the most frequent user.

Customers submit malicious payloads to Shanya and receive a “packed” version that uses encryption, compression, and a specialized wrapper. The service advertises “non-standard module loading” and a unique stub and encryption algorithm for each buyer. During execution, the decrypted payload is injected entirely in memory into a tampered copy of the Windows shell32.dll, ensuring it never touches disk.

Sophos researchers say that Shanya also performs anti-analysis checks by abusing the RtlDeleteFunctionTable function, triggering crashes under debugging and hampering automated detection workflows.

Shanya-packed malware is typically delivered through DLL side-loading, pairing a legitimate Windows executable such as consent.exe with a malicious DLL. The EDR-disabling component drops two drivers: a vulnerable but validly signed ThrottleStop.sys used for privilege escalation, and an unsigned driver that receives kill commands from a user-mode component. That user-mode component enumerates running processes and services, targeting those on a hardcoded list of security tools.
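The delivery chain above (a trusted host such as consent.exe loading a DLL from outside the system directory, then a signed-but-vulnerable driver followed by an unsigned one) is something a defender can look for in endpoint telemetry. The following is an added detection example, not Sophos's code or tooling: it uses real Sysmon event IDs 7 (Image loaded) and 6 (Driver loaded) and field names, but the event records and the DLL/driver file names other than consent.exe and ThrottleStop.sys are constructed.

```python
"""Flag the side-loading plus two-driver EDR-kill chain in Sysmon-style events.
Event IDs 7 and 6 and the field names are real Sysmon conventions; the
sample records below are constructed for illustration."""
import ntpath  # Windows paths may be inspected on a non-Windows analysis box
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SIDELOAD_HOSTS = {"consent.exe"}      # legitimate host binary named in the report
VULN_DRIVERS = {"throttlestop.sys"}   # signed-but-vulnerable driver named in the report

def check_event(ev):
    """Return finding labels for one event dict; an empty list means nothing suspicious."""
    findings = []
    path = ev.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    if ev.get("EventID") == 7:  # a process loaded a DLL
        host = ntpath.basename(ev.get("Image", "")).lower()
        if host in SIDELOAD_HOSTS and not path.lower().startswith(SYSTEM_DIRS):
            findings.append("sideload")         # trusted host pulled a DLL from outside System32
    elif ev.get("EventID") == 6:  # a kernel driver was loaded
        if name in VULN_DRIVERS:
            findings.append("vuln_driver")      # BYOVD stage: known-vulnerable signed driver
        if not ev.get("Signed") or ev.get("SignatureStatus") != "Valid":
            findings.append("unsigned_driver")  # second stage: driver without a valid signature
    return findings

def scan(events):
    """Collect the distinct findings seen on each host."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["Computer"]].extend(check_event(ev))
    return {host: sorted(set(f)) for host, f in per_host.items()}

def edr_kill_chain_hosts(events):
    """Hosts on which every stage of the reported chain has been observed."""
    stages = {"sideload", "vuln_driver", "unsigned_driver"}
    return [host for host, f in scan(events).items() if stages <= set(f)]

# Constructed sample events (values are invented, not real telemetry).
SAMPLE = [
    {"EventID": 7, "Computer": "WS01", "Image": r"C:\Windows\System32\consent.exe",
     "ImageLoaded": r"C:\Users\Public\update\payload.dll"},
    {"EventID": 7, "Computer": "WS01", "Image": r"C:\Windows\System32\consent.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventID": 6, "Computer": "WS01", "ImageLoaded": r"C:\Windows\Temp\ThrottleStop.sys",
     "Signed": True, "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "WS01", "ImageLoaded": r"C:\Windows\Temp\ctl.sys",
     "Signed": False, "SignatureStatus": "Unavailable"},
    {"EventID": 6, "Computer": "WS02", "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": True, "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    print(scan(SAMPLE), edr_kill_chain_hosts(SAMPLE))
```

A single finding is only a lead (consent.exe legitimately loads DLLs, and a vulnerable driver may be present for benign reasons); the per-host correlation in `edr_kill_chain_hosts` is what ties the stages together.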

Sophos has also observed the Shanya platform being used in recent ClickFix campaigns to package the CastleRAT malware.
