
Ransomware gangs leverage Shanya EXE packer to evade EDR detection

1 unique source, 1 article

Summary


Multiple ransomware gangs, including Medusa, Qilin, Crytox, and Akira, are using the Shanya packer-as-a-service platform to deploy payloads that disable endpoint detection and response (EDR) solutions. The Shanya service emerged in late 2024 and has been observed in various regions, including Tunisia, the UAE, Costa Rica, Nigeria, and Pakistan. The service provides customized payloads with unique encryption and compression, making detection difficult. Sophos researchers found that Shanya performs checks for EDR solutions and triggers unhandled exceptions or crashes when run under user-mode debuggers, disrupting automated analysis. The payloads are inserted into a memory-mapped copy of 'shell32.dll', never touching the disk, and are decrypted and decompressed in memory. The EDR killers use both legitimately signed drivers and unsigned drivers to disable security products: the signed driver is used for privilege escalation, and the unsigned driver executes kill commands against a hardcoded list of processes and services.

Timeline

  1. 09.12.2025 02:00 1 article · 23h ago

    Ransomware gangs adopt Shanya EXE packer to evade EDR detection

    Multiple ransomware gangs, including Medusa, Qilin, Crytox, and Akira, have been observed using the Shanya packer-as-a-service platform to deploy payloads that disable endpoint detection and response (EDR) solutions. The service emerged in late 2024 and has been observed in various regions, including Tunisia, the UAE, Costa Rica, Nigeria, and Pakistan. The payloads are customized with unique encryption and compression, making detection difficult. Sophos researchers found that Shanya performs checks for EDR solutions and triggers unhandled exceptions or crashes when run under user-mode debuggers. The payloads are inserted into a memory-mapped copy of 'shell32.dll' and decrypted in memory. The EDR killer uses both legitimately signed drivers and unsigned drivers to disable security products.
