
The cybercriminal landscape has recently witnessed the aggressive rise of “Shanya,” a potent packer-as-a-service and EDR killer now fueling major ransomware operations.
Emerging on underground forums in late 2024 under the alias “VX Crypt,” this tool was engineered to supersede previous market leaders like HeartCrypt.
Shanya effectively bridges the critical gap between initial access and final payload deployment, offering attackers a specialized toolkit designed specifically to blind security monitors and guarantee successful encryption.
Shanya operates through DLL side-loading, abusing legitimate system binaries such as consent.exe to load its malicious DLL and mask its execution.
Central to its attack methodology is the “Bring Your Own Vulnerable Driver” (BYOVD) tactic.
By dropping and exploiting legitimate but vulnerable drivers—most notably ThrottleStop.sys—the malware gains kernel-level privileges.
This elevation is critical, allowing it to bypass standard user-mode restrictions and directly attack the kernel callbacks used by endpoint protection platforms.
Sophos security analysts identified the malware’s escalating usage across global campaigns, linking it to high-profile ransomware families including Akira, Medusa, and Qilin.
The researchers noted that Shanya is not merely a protective packer but a proactive offensive weapon.
It systematically dismantles defenses before the ransomware payload is even decrypted, creating a defenseless environment where encryption processes can run uninterrupted.
This dual-functionality has made it particularly prevalent in targeted attacks across regions like the UAE and Tunisia.
Infection Dynamics and Kernel-Level Evasion
Shanya’s technical architecture reveals a heavy reliance on advanced obfuscation and anti-analysis mechanisms to survive scrutiny.
The initial loader is saturated with “junk code” to disrupt reverse engineering efforts.
To further evade detection, the malware proactively calls RtlDeleteFunctionTable with invalid contexts, attempting to crash debuggers.
It also conceals its configuration data within the Process Environment Block (PEB), utilizing the GdiHandleBuffer as a covert repository for API pointers, ensuring critical execution parameters remain hidden from memory scanners.
A defining characteristic of Shanya is its ruthless process termination capability. Once the kernel driver is active, the user-mode component initiates a scan of active services against a target list.
The malware iterates through these services, sending instructions to the kernel driver (hlpdrv.sys) to forcibly terminate them.
```c
// Decompiled fragment: iterate the target list until a running service name matches
while (!StrStrIA(v5, v6))
{
    v6 = (&driver_list)[++v7];   // advance to the next entry in the target list
    if (!v6) goto LABEL_14;      // end of list, no match
}
// DeviceIoControl sends the kill command to the malicious driver (hlpdrv.sys)
if (!DeviceIoControl(hDevice, 0x222008u, &InBuffer, 8u, ...))
{
    // Trigger termination routine
}
```
The malware also employs a unique “double loading” technique, loading a second instance of a system DLL like shell32.dll and overwriting its header with the decrypted payload.
This seamless integration into legitimate memory spaces, often using names like mustard64.dll, exemplifies the advanced evasion tactics that make Shanya a critical threat.
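The two behaviours the article describes, a vulnerable or attacker-supplied driver being loaded (ThrottleStop.sys, hlpdrv.sys) and a system binary such as consent.exe side-loading a DLL from outside the Windows directories, are both visible in ordinary endpoint telemetry. The script below is an added detection sketch written for this article, not code from Sophos or from the malware; the Sysmon-style event layout (ID 6 for driver loads, ID 7 for image loads), the `Key=Value|Key=Value` line format, the "trusted directory" heuristic and every sample event are constructed assumptions. Only the driver, host-binary and DLL names come from the article.

```python
"""Detection sketch for the Shanya tradecraft described in the article:
BYOVD driver loads (ThrottleStop.sys, hlpdrv.sys) and DLL side-loading
through consent.exe. The event format, field names and all sample lines
are constructed for this example; they are not real telemetry."""
from __future__ import annotations
from dataclasses import dataclass

# Driver file names taken from the article. hlpdrv.sys is the driver the
# user-mode component sends kill commands to; ThrottleStop.sys is the
# legitimate-but-vulnerable driver abused for kernel access.
WATCHLIST_DRIVERS = {"throttlestop.sys", "hlpdrv.sys"}
# Side-loading host and disguised payload name taken from the article.
SIDELOAD_HOSTS = {"consent.exe"}
SUSPECT_DLL_NAMES = {"mustard64.dll"}
# Heuristic (assumption, not from the article): drivers and DLLs that a
# Windows system binary loads normally live under these directories.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def parse_event(line: str) -> dict[str, str]:
    """Parse a constructed 'Key=Value|Key=Value' event line into a dict."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def evaluate(event: dict[str, str]) -> list[Finding]:
    """Apply the Shanya-related rules to one parsed event."""
    findings: list[Finding] = []
    event_id = int(event.get("eventid", "0"))
    loaded = event.get("imageloaded", "")
    if event_id == 6:  # driver loaded (Sysmon-style event id, assumed layout)
        if basename(loaded) in WATCHLIST_DRIVERS:
            findings.append(Finding("byovd_watchlist_driver",
                                    f"{basename(loaded)} loaded from {loaded}"))
        if not in_trusted_dir(loaded):
            findings.append(Finding("driver_outside_system_dirs", loaded))
    elif event_id == 7:  # image (DLL) loaded into a process
        host = basename(event.get("image", ""))
        if host in SIDELOAD_HOSTS and not in_trusted_dir(loaded):
            findings.append(Finding("sideload_untrusted_dir",
                                    f"{host} loaded {loaded}"))
        if basename(loaded) in SUSPECT_DLL_NAMES:
            findings.append(Finding("suspect_dll_name", loaded))
    return findings


def scan(lines) -> list[Finding]:
    """Run every rule over an iterable of event lines."""
    return [f for line in lines for f in evaluate(parse_event(line))]


# Constructed sample events: two benign, three matching the article's indicators.
SAMPLE_EVENTS = [
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\ndis.sys",
    r"EventID=6|ImageLoaded=C:\Users\Public\ThrottleStop.sys",
    r"EventID=6|ImageLoaded=C:\ProgramData\hlpdrv.sys",
    r"EventID=7|Image=C:\Windows\System32\consent.exe|ImageLoaded=C:\Windows\System32\shell32.dll",
    r"EventID=7|Image=C:\Windows\System32\consent.exe|ImageLoaded=C:\Users\Public\mustard64.dll",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

The name watchlist alone is brittle, since a renamed copy of the vulnerable driver would slip past it; the directory heuristic is what catches a signed driver dropped into a user-writable location, and in production it should be paired with the hash-based Microsoft vulnerable driver blocklist rather than file names.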
