Shanya packer-as-a-service becomes a stealth layer for ransomware gangs
Threat Actor Meta
Summary
Shanya has become a shared packing service for multiple ransomware gangs, giving operators a way to hide EDR-killing payloads and raise the odds of successful deployment. The service’s growth matters because it turns stealth tooling into a reusable criminal capability that can be bought and reused across campaigns. Telemetry shows packed malware in Tunisia, the UAE, Costa Rica, Nigeria, and Pakistan, underscoring the platform’s widening reach. Confirmed users include Medusa, Qilin, Crytox, and Akira, with Akira using it most often.
Related Happenings
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
Akira group rapid double-extortion ransomware activity
Malware Activity
First: 02.04.2026 16:00
Last: 02.04.2026 16:00
Sources 1
About this happening:
**Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...
Beast ransomware group’s RaaS model and shared TTPs exposed through an open server
Threat Actor Meta
First: 20.03.2026 18:31
Last: 20.03.2026 18:31
Sources 1
About this happening:
An exposed **Beast ransomware group** server now shows its **RaaS operating model** and reusable toolset, complicating attribution across ransomware crews. The recovered materials...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
First: 19.03.2026 18:00
Last: 19.03.2026 18:00
Sources 1
About this happening:
**hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
Timeline
- 09.12.2025 02:00 2 articles · 5mo ago
Shanya adopted by ransomware gangs to hide EDR killers
Initial Disclosure: Sophos reports that multiple ransomware gangs are using the packer-as-a-service platform Shanya to wrap malicious payloads that disable endpoint detection and response solutions on victim systems. The service emerged in late 2024 and has been observed in Tunisia, the UAE, Costa Rica, Nigeria, and Pakistan; confirmed users include Medusa, Qilin, Crytox, and Akira, with Akira using it most often. Sophos also observed recent ClickFix campaigns using Shanya to package CastleRAT.
Sources
- Ransomware gangs turn to Shanya EXE packer to hide EDR killers — www.bleepingcomputer.com — 09.12.2025 02:00