Shanya packer-as-a-service becomes a stealth layer for ransomware gangs
Threat Actor Meta
Summary
Hide ▲
Show ▼
Shanya has become a shared packing service for multiple ransomware gangs, giving operators a way to hide EDR-killing payloads and raise the odds of successful deployment. The service’s growth matters because it turns stealth tooling into a reusable criminal capability that can be bought and reused across campaigns. Telemetry shows packed malware in Tunisia, the UAE, Costa Rica, Nigeria, and Pakistan, underscoring the platform’s widening reach. Confirmed users include Medusa, Qilin, Crytox, and Akira, with Akira using it most often.
Related Happenings
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
About this happening:
**Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityAbout this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Vidar infostealer market rise and distribution expansion
Malware Activity
H score30
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Vidar infostealer market rise and distribution expansion
Malware ActivityAbout this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
H score57
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
Akira group rapid double-extortion ransomware activity
Malware Activity
H score45
First: 02.04.2026 16:00
Last: 02.04.2026 16:00
Sources 1
About this happening:
**Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...
Akira group rapid double-extortion ransomware activity
Malware ActivityAbout this happening: **Akira** ransomware activity now includes **AdaptixC2** abuse in active intrusions, alongside the group’s **under-one-hour** to **under-four-hours** attack cadence. A **Silent Pu...
Beast ransomware group’s RaaS model and shared TTPs exposed through an open server
Threat Actor Meta
H score37
First: 20.03.2026 18:31
Last: 20.03.2026 18:31
Sources 1
About this happening:
An exposed **Beast ransomware group** server now shows its **RaaS operating model** and reusable toolset, complicating attribution across ransomware crews. The recovered materials...
Beast ransomware group’s RaaS model and shared TTPs exposed through an open server
Threat Actor MetaAbout this happening: An exposed **Beast ransomware group** server now shows its **RaaS operating model** and reusable toolset, complicating attribution across ransomware crews. The recovered materials...
Timeline
-
09.12.2025 02:00 2 articles · 7mo ago
Shanya adopted by ransomware gangs to hide EDR killers
Initial DisclosureSophos reports that multiple ransomware gangs are using the packer-as-a-service platform Shanya to wrap malicious payloads that disable endpoint detection and response solutions on victim systems. The service emerged in late 2024 and has been observed in Tunisia, the UAE, Costa Rica, Nigeria, and Pakistan; confirmed users include Medusa, Qilin, Crytox, and Akira, with Akira using it most often. Sophos also observed recent ClickFix campaigns using Shanya to package CastleRAT.
Show sources
- Ransomware gangs turn to Shanya EXE packer to hide EDR killers — www.bleepingcomputer.com — 09.12.2025 02:00
- Ransomware gangs turn to Shanya EXE packer to hide EDR killers — www.bleepingcomputer.com — 09.12.2025 02:00