Shanya Emerges As Top EDR-Killing Tool For Ransomware Gangs

A highly advanced “packer-as-a-service” known as Shanya, also referred to as VX Crypt, has become the preferred weapon for ransomware gangs seeking to evade security tools.

According to new research from cybersecurity company Sophos, Shanya was first spotted on underground Russian forums in late 2024. Since then, it has quickly become popular with major ransomware groups, including Akira, Medusa, Qilin, and Cryptox, as well as with several ClickFix distribution campaigns.

Recent activity shows Shanya-packed malware appearing across several regions, including the UAE, Tunisia, Costa Rica, Nigeria, and Pakistan, according to telemetry data from Sophos.

A New Successor To HeartCrypt

Promoted as a high-end solution for malware obfuscation and stealth, the service advertises:

  • AMSI bypass for .NET malware
  • Non-standard module loading
  • UAC bypass
  • Anti-VM and anti-sandbox detection
  • Runtime protection for native and 32-bit binaries

Sophos researchers confirmed that the tool quickly replaced earlier favorites like HeartCrypt, especially among groups seeking reliable endpoint detection and response (EDR) evasion.

How Shanya Operates

At its core, Shanya transforms ransomware payloads into highly obfuscated, memory-only executables to bypass modern detection tools and prepare a system for ransomware deployment. Attackers begin by uploading their malware to the Shanya packer-as-a-service platform, which encrypts the payload and wraps it in a custom loader. This loader is engineered to decrypt and execute the malware directly in memory, avoiding any disk artifacts that traditional antivirus tools could detect.

One of Shanya’s most dangerous techniques is in-memory DLL replacement: the loader creates a memory-mapped clone of a legitimate DLL such as shell32.dll, overwrites its header and code section with the decrypted malicious payload, and runs the modified DLL under an innocent filename like msimg32.dll or wmp.dll.

To avoid detection by researchers and automated sandboxes, Shanya incorporates anti-VM checks, junk code, API hashing, and deliberate calls (such as an invalid RtlDeleteFunctionTable call) that crash debuggers, while hiding key configuration data inside obscure structures within the Windows PEB.

Beyond simple obfuscation, Shanya also deploys a dedicated built-in EDR (Endpoint Detection & Response) killing module — typically using DLL side-loading and a bring-your-own-vulnerable-driver (BYOVD) attack. It loads the vulnerable ThrottleStop.sys driver to gain kernel-level privileges and then installs a custom malicious driver (hlpdrv.sys) that disables EDR processes, removes hooks, and shuts down kernel callbacks.
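From the defender's side, the driver sequence described above is the most observable part of the chain. The following Python is an added example (not code from the article or from Sophos) that correlates driver-load events over a constructed log format: it flags a load of the vulnerable ThrottleStop.sys named above and escalates when an unsigned driver, or one named hlpdrv.sys, is loaded on the same host shortly afterwards. The log schema, host names, timestamps and the ten-minute window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Driver names taken from the article: ThrottleStop.sys is the legitimate but
# vulnerable driver abused for kernel access, hlpdrv.sys the malicious follow-on.
KNOWN_VULNERABLE_DRIVERS = {"throttlestop.sys"}
SUSPECT_DRIVER_NAMES = {"hlpdrv.sys"}
WINDOW = timedelta(minutes=10)  # assumed correlation window, not from the article

# Assumed log format (constructed for this example, not a real product schema).
LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) event=DriverLoad '
                     r'image="(?P<image>[^"]+)" signed=(?P<signed>true|false)$')

def parse_driver_loads(lines):
    # Return driver-load events sorted by time; any other record type is skipped.
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "host": m["host"], "image": m["image"],
                       "name": m["image"].rsplit("\\", 1)[-1].lower(),
                       "signed": m["signed"] == "true"})
    return sorted(events, key=lambda e: e["ts"])

def detect_byovd_chain(lines):
    # Medium alert on a known vulnerable driver load; high alert when an unsigned
    # or known EDR-killer driver follows it on the same host inside WINDOW.
    alerts, last_vuln = [], {}
    for e in parse_driver_loads(lines):
        if e["name"] in KNOWN_VULNERABLE_DRIVERS:
            last_vuln[e["host"]] = e["ts"]
            alerts.append(("medium", e["host"], f"known vulnerable driver loaded: {e['image']}"))
            continue
        prior = last_vuln.get(e["host"])
        if prior is not None and e["ts"] - prior <= WINDOW and (
                not e["signed"] or e["name"] in SUSPECT_DRIVER_NAMES):
            alerts.append(("high", e["host"],
                           f"possible BYOVD EDR-killer chain: {e['image']} "
                           f"loaded {e['ts'] - prior} after vulnerable driver"))
    return alerts

# Constructed sample telemetry, not real Sophos or Sysmon data.
SAMPLE_LOG = [
    r'2025-01-10T10:00:05Z host=WS01 event=DriverLoad image="C:\Windows\Temp\ThrottleStop.sys" signed=true',
    r'2025-01-10T10:00:12Z host=WS01 event=ProcessCreate image="C:\Windows\Temp\update.exe"',
    r'2025-01-10T10:00:40Z host=WS01 event=DriverLoad image="C:\Windows\Temp\hlpdrv.sys" signed=false',
    r'2025-01-10T11:00:00Z host=WS02 event=DriverLoad image="C:\Windows\System32\drivers\example_legit.sys" signed=true',
]
```

Running `detect_byovd_chain(SAMPLE_LOG)` yields one medium alert for the ThrottleStop.sys load and one high alert for hlpdrv.sys on WS01; the signed driver on WS02 with no preceding vulnerable load produces nothing.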

With the defenses down, ransomware actors can deploy their payloads with almost no resistance, making Shanya a critical enabler in many of today’s high-impact ransomware campaigns.

Why Shanya’s Evolution Matters

Researchers warn that Shanya reflects a growing shift in the cybercrime ecosystem. Instead of developing their own complex evasion tools, attackers can now rely on packer-as-a-service platforms that offer plug-and-play stealth, encryption, and anti-detection capabilities to attackers of any skill level.

This lowers the barrier to entry dramatically, enabling inexperienced actors to launch attacks with the same level of concealment once reserved for advanced groups. With ransomware operators increasingly purchasing and funding these services, tools like Shanya are expected to evolve further — and remain a persistent threat for defenders.


Kavita Iyer