Ransomware Gangs Turn to Shanya EXE Packer to Outsmart EDR Solutions


Alex Cipher, 8 min read

Ransomware gangs have picked up a new tool in the Shanya EXE packer, a packer-as-a-service that changes how their payloads reach endpoints. A Shanya-packed executable decrypts and runs its payload entirely in memory, so the ransomware itself is never written to disk. That removes the file-write and on-access scan events that many endpoint detection and response (EDR) detections depend on during the early stages of an attack (BleepingComputer).

What makes Shanya especially dangerous is that it injects the decrypted payload into a memory-mapped copy of a legitimate Windows DLL, such as shell32.dll, so the malicious code runs under a trusted module name. Add a suite of anti-analysis tricks, including crashing debuggers and evading sandboxes, and you have a packer tailored to modern ransomware campaigns. The service also generates a unique loader stub and encryption routine for each customer, so every packed sample looks different and a hash or byte signature written for one sample does not match the next.

The real-world impact is already visible. Major ransomware groups, including Akira and Medusa, have adopted Shanya, and packed samples have turned up in incidents from Tunisia to Costa Rica. With ransomware gangs extorting over $2.1 billion between 2022 and 2024, the stakes for defenders have never been higher (BleepingComputer).

How the Shanya EXE Packer Outsmarts EDR: Technical Tricks and Real-World Impact

Memory-Only Payload Decryption and Execution

A core technique of the Shanya EXE packer is keeping the malicious payload entirely in memory, never writing it to disk during the critical stages of execution. When a threat actor submits a payload to the Shanya service, the returned file contains that payload encrypted and compressed inside a custom wrapper. When the wrapper runs on a victim system, it decrypts and decompresses the payload in memory only, so no new file appears on disk for traditional antivirus or EDR file scanning to catch (BleepingComputer).

The decrypted payload is then injected into a memory-mapped copy of a legitimate Windows DLL, typically shell32.dll. The technique relies on shell32.dll being a standard system library with valid executable sections and a normal file path, so a superficial scan sees code running inside a trusted module. The header and .text section of the DLL are overwritten in memory with the malicious code, while the file on disk remains untouched. File-system monitoring and signature scanning of files therefore see nothing wrong; what does expose the technique is comparing the module in memory with its image on disk, which is the check memory scanners and memory-forensics tools perform.

This memory-only execution strategy is particularly effective against EDR logic that keys on suspicious file writes or modifications. The packed executable itself does land on disk, but the payload it carries never does, so Shanya-packed malware sidesteps a primary detection vector and ransomware operators can proceed undetected until much later stages.
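To make that detection hook concrete, here is an added example in Python (my own, not Shanya's code and not from the BleepingComputer or Sophos reporting) of the comparison a memory-forensics tool makes against this technique: parse the section table of a DLL's on-disk image, locate `.text` in the memory-mapped copy, and compare both the PE header and the code bytes. The PE images are constructed inside the script; a real run would read the file from `System32` and the module from a process memory dump. Relocations and the import address table are not handled here, and real tooling must exclude them before comparing, or an honestly relocated module will look tampered.

```python
import hashlib
import struct

FILE_ALIGN = 0x200   # layout constants for the constructed module
SECT_ALIGN = 0x1000


def _build_headers(sections):
    """Build a minimal PE32+ header for a list of (name, va, vsize, rawptr, rawsize)."""
    e_lfanew, opt_size = 0x40, 240
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<I", opt, 60, FILE_ALIGN)              # SizeOfHeaders
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize, rawptr, rawsize in sections)
    return bytes(dos) + coff + bytes(opt) + table


def build_images(text, data):
    """Constructed stand-in for a system DLL: returns (on_disk_bytes, in_memory_bytes)."""
    sections = [(b".text", 0x1000, len(text), 0x200, FILE_ALIGN),
                (b".data", 0x2000, len(data), 0x400, FILE_ALIGN)]
    hdr = _build_headers(sections)
    disk = bytearray(0x600)                                   # sections at their file offsets
    disk[:len(hdr)] = hdr
    disk[0x200:0x200 + len(text)] = text
    disk[0x400:0x400 + len(data)] = data
    mem = bytearray(0x3000)                                   # sections at their virtual addresses
    mem[:len(hdr)] = hdr
    mem[0x1000:0x1000 + len(text)] = text
    mem[0x2000:0x2000 + len(data)] = data
    return bytes(disk), bytes(mem)


def parse_sections(image):
    """Return (SizeOfHeaders, {name: (va, vsize, rawptr, rawsize)}) from a PE image."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24
    size_of_headers, = struct.unpack_from("<I", image, opt + 60)
    table = opt + opt_size
    secs = {}
    for i in range(nsec):
        off = table + i * 40
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        secs[name] = (va, vsize, rawptr, rawsize)
    return size_of_headers, secs


def compare_module(disk, mem, section=".text"):
    """Diff the PE header and one section between the file on disk and the module in memory.

    The disk copy's section table is trusted because a hollowed module may have had its
    in-memory header wiped, which is itself one of the findings."""
    size_of_headers, secs = parse_sections(disk)
    va, vsize, rawptr, rawsize = secs[section]
    n = min(vsize, rawsize)
    on_disk = hashlib.sha256(disk[rawptr:rawptr + n]).hexdigest()
    in_mem = hashlib.sha256(mem[va:va + n]).hexdigest()
    return {"header_modified": disk[:size_of_headers] != mem[:size_of_headers],
            f"{section}_modified": on_disk != in_mem}


def simulate():
    """Compare a clean mapping, then one where a payload overwrote the header and .text."""
    text = b"\x48\x83\xec\x28\x48\x31\xc0\x48\x83\xc4\x28\xc3" * 8   # constructed filler code
    data = b"constructed .data contents\0"
    disk, mem = build_images(text, data)
    clean = compare_module(disk, mem)
    hollowed = bytearray(mem)
    hollowed[0x1000:0x1010] = b"\xcc" * 16      # stand-in for the injected payload
    hollowed[:0x40] = b"\0" * 0x40              # header wiped, as the article describes
    tampered = compare_module(disk, bytes(hollowed))
    return clean, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "hollowed"), simulate()):
        print(label, result)
```

The clean mapping reports no differences; the hollowed one flags both the header and `.text`. Against a real shell32.dll the same comparison needs the module's actual load base and the preferred base from the optional header so that relocated pointers can be masked out before hashing.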

Evasion of Automated Analysis and Debugging Environments

Shanya incorporates anti-analysis techniques designed to disrupt automated malware analysis and debugging. One notable method calls RtlDeleteFunctionTable, the ntdll routine for unregistering dynamically added x64 unwind tables, in an invalid context. The call is crafted to trigger unhandled exceptions or crashes when the sample runs under a user-mode debugger or inside a sandbox (BleepingComputer).

By causing the analysis environment to crash or hang before the payload is fully executed, Shanya prevents researchers and automated tools from capturing the complete behavior of the malware. This not only delays the development of detection signatures but also hinders incident response teams from understanding the full scope of the attack.

The packer also detects and evades common sandbox artifacts and virtualized environments, further reducing the odds of a successful automated analysis. Because Shanya is sold as a service, its operator has an incentive to keep these anti-debugging and anti-sandboxing checks current as analysis tooling adapts.

Custom Loader Stubs and Unique Encryption Algorithms

A distinguishing feature of Shanya is its use of custom loader stubs and individualized encryption algorithms for each customer and payload. When a threat actor submits a payload, the service generates a unique loader stub that is responsible for decrypting and loading the payload into memory. This stub is not reused across customers or payloads, making it extremely difficult for security vendors to develop generic detection signatures (BleepingComputer).

The loader stub employs a unique encryption algorithm for each packed file, further complicating detection efforts. Even if one variant is reverse-engineered and a detection signature is created, it is unlikely to match other payloads packed by Shanya due to the individualized nature of the stubs and encryption routines.

This "stub uniqueization" and per-customer encryption ensure that each Shanya-packed payload is distinct at the binary level. Hash-based and byte-signature detection must therefore treat every new sample as a novel threat. What does not change is the behaviour: each sample still decrypts in memory, maps shell32.dll and overwrites its .text, so behavioural and memory-based detection has a far more stable hook than static signatures.
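Per-sample stubs and keys defeat hash and byte-pattern signatures, but an encrypted, compressed payload still stands out statistically, whatever algorithm produced it. The following is an added Python example (my own, not from the article and not Shanya's code) that slides a window over a file, reports regions whose Shannon entropy approaches 8 bits per byte, and shows how a low-entropy loader stub followed by an encrypted blob separates cleanly. The sample file is constructed in the script from a repeated instruction pattern and seeded pseudo-random bytes; the window size and threshold are assumptions, not values from the article.

```python
import math
import random
from collections import Counter

WINDOW = 4096       # bytes per sample
THRESHOLD = 7.2     # bits per byte; ordinary x86-64 code normally stays below about 6.5


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for an empty buffer, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(blob, window=WINDOW, threshold=THRESHOLD):
    """Return merged (start, end, max_entropy) spans whose windows exceed the threshold."""
    regions = []
    for off in range(0, len(blob), window):
        h = shannon_entropy(blob[off:off + window])
        if h < threshold:
            continue
        end = min(off + window, len(blob))
        if regions and regions[-1][1] == off:           # extend the previous span
            start, _, best = regions[-1]
            regions[-1] = (start, end, max(best, h))
        else:
            regions.append((off, end, h))
    return regions


def build_sample():
    """Constructed packed file: 4 KiB of repetitive loader code, then 8 KiB of 'ciphertext'."""
    stub = b"\x48\x8b\x05\x00\x10\x00\x00\x48\x85\xc0\x74\x05\xff\xd0\xeb\x00" * 256
    rng = random.Random(1337)                            # seeded so results are repeatable
    payload = bytes(rng.getrandbits(8) for _ in range(8192))
    return stub + payload


def triage(blob):
    """Summarize a file the way a quick packed-payload heuristic would."""
    regions = high_entropy_regions(blob)
    covered = sum(end - start for start, end, _ in regions)
    return {"size": len(blob),
            "stub_entropy": round(shannon_entropy(blob[:WINDOW]), 2),
            "regions": [(s, e, round(h, 2)) for s, e, h in regions],
            "encrypted_fraction": round(covered / len(blob), 2) if blob else 0.0}


if __name__ == "__main__":
    print(triage(build_sample()))
```

The stub window scores around 3.25 bits per byte while the payload windows sit near 7.95, so two thirds of the file is flagged as opaque. Treat this as a triage signal rather than a verdict: legitimately compressed resources score the same, and a packer can push its entropy down by encoding or padding the blob.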

Privilege Escalation and Kernel-Level EDR Disabling

Shanya-powered campaigns have been observed deploying sophisticated EDR killer components that operate at the kernel level, leveraging both signed and unsigned drivers to disable security products. The attack chain typically involves the following steps (BleepingComputer):

  1. Deployment of Signed Driver for Privilege Escalation:
    The EDR killer drops a legitimately signed driver: the ThrottleStop.sys utility driver from TechPowerUp, deployed under the file name rwdrv.sys. The driver contains a vulnerability that allows arbitrary kernel memory writes. Loading a driver already requires administrator rights, so this is not user-to-admin escalation; it is the step from an administrator account to code execution in the kernel, which Windows would otherwise refuse for an unsigned driver.

  2. Activation of Unsigned Malicious Driver:
    Alongside the signed driver, an unsigned driver (hlpdrv.sys) is deployed. This driver is responsible for disabling security products based on commands received from the user-mode component.

  3. Enumeration and Termination of Security Processes:
    The user-mode component enumerates all running processes and installed services, comparing them against a hardcoded list of known EDR and antivirus products. For each match, a “kill” command is sent to the malicious kernel driver, which terminates the process or disables the service at the kernel level.

This multi-stage approach lets attackers neutralize even EDR solutions that run with elevated privileges, because the kill happens in the kernel. The signed but vulnerable driver supplies the kernel write primitive that gets the unsigned hlpdrv.sys running despite Driver Signature Enforcement, a key protection in modern Windows. The defensive counters are the ones Microsoft ships for exactly this class of attack: the vulnerable driver blocklist, hypervisor-protected code integrity (HVCI), and alerting on any driver load that is unsigned or matches a known-abused hash.
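The chain above has three observable stages, and none of them is something a healthy workstation does. The following added Python example (my own, not from the article or from any vendor's detection content) correlates them per host over a short window: a load of a known-abused signed driver, a load of a driver that is not signed, and the termination of a security product's process. Events use a constructed, simplified record shape modelled on what Sysmon's driver-load (event 6) and process-termination (event 5) records carry; the driver names come from the article, and the security process list is deliberately partial.

```python
from collections import defaultdict
from dataclasses import dataclass

# Names from the article's description of the EDR killer. A real hunt keys on the hashes
# published by the LOLDrivers project, because a file name is trivial to change.
ABUSED_SIGNED_DRIVERS = {"rwdrv.sys", "throttlestop.sys"}
# MsMpEng.exe is Microsoft Defender's antimalware engine; add your own EDR/AV process
# names here (constructed, deliberately partial list).
SECURITY_PROCESSES = {"msmpeng.exe"}
WINDOW_SECONDS = 300


@dataclass
class Event:
    ts: int          # epoch seconds (constructed)
    host: str
    kind: str        # "DriverLoad" (cf. Sysmon event 6) or "ProcessTerminate" (cf. Sysmon event 5)
    image: str       # full path of the driver or process
    signed: bool = True


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map an event to one of the three EDR-killer stages, or None if it is unremarkable."""
    if event.kind == "DriverLoad" and _basename(event.image) in ABUSED_SIGNED_DRIVERS:
        return "vulnerable_signed_driver"
    if event.kind == "DriverLoad" and not event.signed:
        return "unsigned_driver"
    if event.kind == "ProcessTerminate" and _basename(event.image) in SECURITY_PROCESSES:
        return "security_process_killed"
    return None


def detect_edr_killer(events):
    """Group stage events per host into windows that start at a suspicious driver load."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        stage = classify(ev)
        if stage:
            by_host[ev.host].append((ev, stage))
    alerts = []
    for host, tagged in by_host.items():
        i = 0
        while i < len(tagged):
            first, _ = tagged[i]
            if first.kind != "DriverLoad":      # a kill with no driver load first is a different story
                i += 1
                continue
            # events are time-sorted, so the in-window slice is a prefix of tagged[i:]
            chain = [(e, s) for e, s in tagged[i:] if e.ts - first.ts <= WINDOW_SECONDS]
            stages = {s for _, s in chain}
            if "security_process_killed" in stages and len(stages) > 1:
                severity = "high"               # driver loaded and a security process died
            elif len(stages) == 2:
                severity = "medium"
            else:
                severity = "low"                # a lone unsigned driver still should not load under DSE
            alerts.append({"host": host, "start": first.ts, "severity": severity,
                           "stages": sorted(stages), "images": [e.image for e, _ in chain]})
            i += len(chain)
    return alerts


# Constructed telemetry: one full kill chain, one benign host, one lone unsigned driver.
SAMPLE_EVENTS = [
    Event(1000, "ws-01", "DriverLoad", r"C:\Windows\Temp\rwdrv.sys", signed=True),
    Event(1005, "ws-01", "DriverLoad", r"C:\Windows\Temp\hlpdrv.sys", signed=False),
    Event(1009, "ws-01", "ProcessTerminate", r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"),
    Event(1020, "ws-02", "DriverLoad", r"C:\Windows\System32\drivers\disk.sys", signed=True),
    Event(1070, "ws-02", "ProcessTerminate", r"C:\Windows\System32\notepad.exe"),
    Event(1100, "ws-03", "DriverLoad", r"C:\Users\Public\test.sys", signed=False),
]


if __name__ == "__main__":
    for alert in detect_edr_killer(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it raises one high-severity alert for ws-01 carrying all three stages and a low one for ws-03, while ws-02 produces nothing. Driver load and security-process termination are the two signals worth forwarding even without the correlation, since the legitimate rate of both on a managed endpoint is close to zero.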

Real-World Impact: Ransomware Campaigns and Geographic Spread

Since its emergence in late 2024, the Shanya packer has rapidly gained traction among major ransomware groups, including Medusa, Qilin, Crytox, and especially Akira, which is reported to be the most frequent user of the service (BleepingComputer). Shanya-packed samples have been observed in ransomware incidents across diverse geographies, with detections in Tunisia, the United Arab Emirates, Costa Rica, Nigeria, and Pakistan, according to Sophos telemetry.

The real-world impact of Shanya’s technical innovations is significant:

  • Increased Success Rate of Ransomware Attacks:
    With the EDR killer disabling security products before data theft and encryption begin, Shanya-packed payloads let ransomware operators carry out their attacks with little risk of early detection or intervention.

  • Diversification of Attack Vectors:
    Shanya is not limited to a single ransomware family or campaign. Its packer-as-a-service model enables a wide range of threat actors to access advanced evasion capabilities, democratizing sophisticated attack techniques.

  • Proliferation of Secondary Malware:
    Beyond ransomware, Shanya has been used to package other types of malware, such as CastleRAT in recent ClickFix campaigns, indicating its versatility and broad appeal within the cybercriminal ecosystem.

  • Operational Challenges for Defenders:
    The combination of memory-only execution, anti-analysis features, and kernel-level EDR disabling is a formidable challenge. File-centric detection and response strategies lose most of their value against it, forcing organizations to invest in behavioural analytics, memory forensics and driver-load monitoring.

  • Financial and Reputational Damage:
    The enhanced stealth provided by Shanya has contributed to the success of high-profile ransomware incidents, with the Financial Crimes Enforcement Network (FinCEN) reporting that ransomware gangs extorted over $2.1 billion from 2022 to 2024 (BleepingComputer). The use of Shanya is likely a contributing factor to the increasing sophistication and impact of these attacks.

In summary, the Shanya EXE packer represents a significant advancement in the ongoing arms race between ransomware operators and security defenders. Its technical sophistication, widespread adoption, and real-world impact underscore the urgent need for organizations to rethink their approach to endpoint security and incident response.

Final Thoughts

The Shanya EXE packer is more than just another tool in the ransomware arsenal. By combining memory-only execution, anti-analysis features, and kernel-level EDR disabling in a service anyone can buy, Shanya raises the baseline of stealth that defenders should expect from commodity ransomware (BleepingComputer).

For organizations, this means that defenses relying on file-based detection or static signatures are no longer enough. The practical counters follow directly from the techniques: memory scanning that compares loaded modules against their on-disk images, behavioural analytics that watch for the decrypt-and-inject pattern rather than a specific stub, Microsoft's vulnerable driver blocklist and HVCI to stop the bring-your-own-vulnerable-driver step, and alerting on any unsigned driver load or security-process termination. As ransomware gangs continue to innovate, defenders must stay agile and share intelligence to keep pace with these evolving threats.
