Shanya

Shanya is a packer-as-a-service (PaaS) / crypter used to obfuscate and load malicious payloads, and is increasingly associated with ransomware operations. Sophos reported that it emerged on underground forums in late 2024, where a related offering called VX Crypt was attributed to an entity named "Shanya." Advertised features included non-standard in-memory module loading, unique stubs per customer, AMSI bypass for .NET assemblies, anti-VM and anti-sandbox behavior, and optional sideloading. It has also been referred to by other researchers as TangleCrypt and possibly the Armillaria loader.

Technically, Shanya uses heavy junk-code obfuscation, dynamic API resolution via custom hashing, and anti-analysis checks involving RtlDeleteFunctionTable. It decrypts and decompresses payloads in memory and loads them by mapping a second copy of shell32.dll, overwriting the image header and .text section with the decrypted payload, and altering module metadata in the PEB to disguise the mapped image. Sophos also reported that Shanya stores a pointer to an internal configuration table in the PEB GdiHandleBuffer field. Observed sample naming included shanya_crypter.exe and DLL names derived from "Shanya."

A major observed use case is packaging an EDR killer used ahead of ransomware deployment. In these cases, Shanya-packed malware commonly uses DLL side-loading with legitimate binaries such as consent.exe and malicious DLLs including msimg32.dll, version.dll, rtworkq.dll, and wmsgapi.dll. The EDR killer drops a legitimate vulnerable TechPowerUp driver, ThrottleStop.sys or rwdrv.sys, together with a malicious unsigned kernel driver, hlpdrv.sys. The user-mode component enumerates targeted security-product services and processes and sends kill commands to the kernel driver to disable protections. Reporting cited first observed deployment near the end of April 2025 in a Medusa ransomware attack, with later use in Akira, Qilin, and Crytox operations.

Shanya has also been used outside pure ransomware deployment chains. Sophos linked it to delivery of BumbleBee, ChuChuka, Lumma, WHT downloader, StealC, and CastleRAT. In September 2025 it was associated with a Booking.com-themed ClickFix campaign targeting hotels, in which PowerShell downloaded content from biokdsl[.]com/upd or biklkfd[.]com/upd, retrieved consa[.]zip (SHA256: 59906b022adfc6f63903adbdbb64c82881e0b1664d6b7f7ee42319019fcb3d7e), side-loaded wmsgapi.dll via consent.exe, and ultimately deployed CastleRAT.

Sophos observed Shanya globally during 2025, with relatively higher prevalence in Tunisia and the United Arab Emirates, and detections in China concentrated around Shenzhen. The reporting characterizes Shanya as taking over part of the role previously played by HeartCrypt in enabling malware delivery and defense evasion for multiple criminal operators.