Shanya, a sophisticated packer-as-a-service (PaaS) advertised as VX Crypt, has quickly become a go-to tool for ransomware operators seeking to evade endpoint detection and response (EDR) solutions. Unlike basic obfuscators, Shanya provides custom stubs with unique encryption algorithms for each buyer, enabling non-standard module loading directly into memory via wrappers around the system loader. This service, linked to a Telegram handle, promises features like AMSI bypass for .NET payloads, anti-VM checks and runtime protections inspired by tools like Indy, setting it apart from predecessors by offering tailored evasion for diverse malware families.
What distinguishes Shanya from typical packers like HeartCrypt is its proactive EDR-killing capability, often deployed before ransomware encryption to dismantle defenses. In analyzed infections, Shanya-packed loaders such as msimg32.dll, sideloaded via consent.exe, drop vulnerable drivers like ThrottleStop.sys alongside a malicious kernel driver (hlpdrv.sys) to terminate security processes and services from vendors including Sophos. This kernel-level disruption, targeting EDR callbacks and hooks (e.g., via RtlDeleteFunctionTable checks), creates a window for payloads like Akira, Qilin or CastleRAT to execute uninterrupted, a step beyond mere hiding.
Shanya’s loader employs clever stealth tactics, such as storing configuration tables in the Process Environment Block (PEB) at GdiHandleBuffer offsets, duplicating shell32.dll in user code space and overwriting its headers with compressed payloads loaded via LdrLoadDll, and renaming modules like “mustard64.dll” to blend in. Observed in global campaigns peaking in late 2025, particularly in the UAE and Tunisia, it has fueled attacks like Medusa ransomware and ClickFix scams distributing CastleRAT through PowerShell downloads from domains like biokdsl.com. Sophos detections such as ATK/Shanya-B highlight its spread, underscoring the need for behavioral monitoring of anomalous DLL loads and driver abuse in incident response.
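The behavioral monitoring called for above can be expressed as a simple rule over image-load and driver-load telemetry. The following is an added example, not code from the Sophos report or from SuperPRO: it evaluates Sysmon-style records (Event ID 7 image loads, Event ID 6 driver loads) and flags the two patterns the advisory describes, consent.exe loading msimg32.dll from outside the Windows system directories, and any load of ThrottleStop.sys or hlpdrv.sys. The record objects, host names and paths are constructed sample data.

```powershell
# Added example (not from the Sophos report or SuperPRO). Reviews Sysmon-style
# records for the sideloading and driver-abuse patterns described in the advisory.
# All records below are constructed sample data, not real telemetry.

# Indicators taken from the advisory text: sideloading host -> expected DLL names,
# plus the vulnerable driver and the malicious kernel driver.
$SideloadHosts  = @{ 'consent.exe' = @('msimg32.dll') }
$SuspectDrivers = @('throttlestop.sys', 'hlpdrv.sys')

function Test-ShanyaIndicators {
    param([Parameter(Mandatory)][object[]]$Records)

    $findings = @()
    foreach ($r in $Records) {
        switch ($r.EventId) {
            7 {
                # DLL sideload: a known host process loading one of the expected DLL
                # names from anywhere other than the Windows system directories.
                $image = [IO.Path]::GetFileName($r.Image).ToLower()
                $dll   = [IO.Path]::GetFileName($r.ImageLoaded).ToLower()
                $dir   = [IO.Path]::GetDirectoryName($r.ImageLoaded).ToLower()
                $inSystem = ($dir -eq 'c:\windows\system32') -or ($dir -eq 'c:\windows\syswow64')
                if ($SideloadHosts.ContainsKey($image) -and
                    ($SideloadHosts[$image] -contains $dll) -and -not $inSystem) {
                    $findings += [pscustomobject]@{
                        Rule     = 'DLL sideload'
                        Computer = $r.Computer
                        Detail   = "$image loaded $($r.ImageLoaded)"
                    }
                }
            }
            6 {
                # Driver abuse: match the known vulnerable/malicious driver file names
                # regardless of the path they were loaded from. Note the vulnerable
                # driver is validly signed, so signature status alone is not a filter.
                $drv = [IO.Path]::GetFileName($r.ImageLoaded).ToLower()
                if ($SuspectDrivers -contains $drv) {
                    $findings += [pscustomobject]@{
                        Rule     = 'Driver abuse'
                        Computer = $r.Computer
                        Detail   = "driver $($r.ImageLoaded) (signed: $($r.Signed))"
                    }
                }
            }
        }
    }
    return $findings
}

# Constructed sample records (hypothetical hosts and paths). WS01 is a benign
# load of the real msimg32.dll; WS02 shows the sideload followed by both drivers.
$sample = @(
    [pscustomobject]@{ EventId=7; Computer='WS01'; Image='C:\Windows\System32\consent.exe'; ImageLoaded='C:\Windows\System32\msimg32.dll' }
    [pscustomobject]@{ EventId=7; Computer='WS02'; Image='C:\Users\Public\consent.exe';     ImageLoaded='C:\Users\Public\msimg32.dll' }
    [pscustomobject]@{ EventId=6; Computer='WS02'; ImageLoaded='C:\Users\Public\ThrottleStop.sys';        Signed='true' }
    [pscustomobject]@{ EventId=6; Computer='WS02'; ImageLoaded='C:\Users\Public\hlpdrv.sys';              Signed='false' }
    [pscustomobject]@{ EventId=6; Computer='WS03'; ImageLoaded='C:\Windows\System32\drivers\tcpip.sys';   Signed='true' }
)

Test-ShanyaIndicators -Records $sample | Format-Table -AutoSize
```

Against live data, build the record objects from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` filtered to event IDs 6 and 7, mapping the Sysmon `Image`, `ImageLoaded` and `Signed` fields and the event's `MachineName` onto the properties the function reads. The DLL rule deliberately keys on path rather than file hash, since Shanya issues a unique stub per buyer and hash-based matching will miss the next build.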
Severity:
Medium
Attack Surface:
Endpoint, Endpoint OS
Tactics:
Defense Evasion, Execution, Initial Access, Persistence
Techniques:
T1027 – Obfuscated/Encrypted Files & Information
T1140 – Deobfuscate/Decode Files or Information
T1036 – Masquerading
T1055 – Process Injection
TA0005 – Defense Evasion
TA0002 – Execution
TA0004 – Privilege Escalation
TA0003 – Persistence
References:
1. https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/
2. https://github.com/sophoslabs/IoCs/blob/master/2025-12%20shanya%20iocs.csv
Indicator of Compromise:
1. https://otx.alienvault.com/pulse/6937b180df5b3cd0b5fbf576
SuperPRO’s Threat Countermeasures Procedures:
1. Upgrade Windows endpoints to Windows 11 to leverage updated kernel-level memory protection and Smart App Control.
2. Enable Microsoft Defender ASR (Attack Surface Reduction) rules, especially “block executable content from email and webmail clients” and “block process creations from PSExec and WMI”.
3. Deploy Sophos Intercept X, CrowdStrike Falcon Insight or Microsoft Defender for Endpoint with behavior-based detection enabled, heuristic scanning set to High, and script scanning and AMSI integration turned on.
4. Block the following file types at the gateway: .exe, .scr, .dll, .bat, .ps1, .hta, and compressed archives containing executables (.zip, .rar).
5. Enable sandbox detonation (Cisco Secure Malware Analytics, Cuckoo Sandbox) for all attachments.
6. Use SSL inspection and TLS 1.2/1.3 visibility to catch hidden payload downloads.
7. Block outbound traffic to known malware C2 via threat intelligence feeds.
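Steps 2 and 3 can be applied and verified from an elevated PowerShell session on a Defender-managed host. The script below is an added example, not SuperPRO’s or Microsoft’s own tooling: it enables the two ASR rules named in step 2 and, because the advisory describes abuse of a vulnerable signed driver, also the “block abuse of exploited vulnerable signed drivers” rule, then confirms script scanning (the AMSI feed) is on. The rule GUIDs are Microsoft’s published identifiers for those rules; confirm them against the current Microsoft ASR rule reference before rolling out.

```powershell
# Added example (not SuperPRO's or Microsoft's own script). Enables the ASR rules
# from step 2 plus the vulnerable-signed-driver rule, and confirms script scanning.
# Run elevated on a host with Microsoft Defender Antivirus active.

# GUID -> rule name, per Microsoft's ASR rule reference (verify before deployment).
$AsrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    '56A863A9-875E-4185-98A7-B882C64B5CE5' = 'Block abuse of exploited vulnerable signed drivers'
}

function Set-AsrRules {
    param(
        # Start in AuditMode to measure impact, then rerun with Enabled.
        [ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode'
    )
    foreach ($id in $AsrRules.Keys) {
        # Add-MpPreference adds or updates this rule without clearing rules set elsewhere.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        Write-Host "$Mode : $($AsrRules[$id])"
    }
    # Step 3: script scanning is what hands PowerShell/script content to AMSI.
    Set-MpPreference -DisableScriptScanning $false
}

function Get-AsrRuleState {
    # Reads back the configured rules so the change can be verified or audited.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        $action = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "$_" }
        }
        [pscustomobject]@{
            Id     = $id
            Name   = $AsrRules[$id]          # hashtable lookup is case-insensitive
            Action = $action
        }
    }
    [pscustomobject]@{ Setting = 'ScriptScanningDisabled'; Value = $pref.DisableScriptScanning }
}

Set-AsrRules -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize
```

Leave the rules in AuditMode long enough to review the audit events Defender writes (event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log) for legitimate software that would be blocked, then rerun `Set-AsrRules -Mode Enabled`. The driver rule is the one that most directly addresses the ThrottleStop.sys stage described in this advisory, since it acts before the vulnerable driver is loaded rather than after the EDR has already been killed.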
Contributed by: Thivya