Inside Shanya, a packer-as-a-service fueling modern attacks
Dec. 21, 2025, 6:41 p.m.
Description
The Shanya crypter is a new packer-as-a-service offering gaining popularity among ransomware groups. It features advanced capabilities like non-standard module loading, unique stubs for each customer, AMSI bypass, anti-VM measures, and runtime protection. Early samples contained revealing artifacts, but later versions became more sophisticated. The packer has been used to deliver various malware families including an EDR killer and CastleRAT. It employs techniques like API hashing, anti-analysis checks, and DLL sideloading to evade detection. The EDR killer variant targets numerous security products and has been used in ransomware operations by groups like Akira, Qilin, and Crytox. A case study of CastleRAT distribution using Shanya to target hotels is also presented.
Tags
Date
- Created: Dec. 7, 2025, 2:07 p.m.
- Published: Dec. 7, 2025, 2:07 p.m.
- Modified: Dec. 21, 2025, 6:41 p.m.
Indicators
- 59906b022adfc6f63903adbdbb64c82881e0b1664d6b7f7ee42319019fcb3d7e
- 6645297a0a423564f99b9f474b0df234d6613d04df48a94cb67f541b8eb829d1
- http://biokdsl.com/upd
- http://biklkfd.com/upd
Attack Patterns
- Lumma
- WHT downloader
- CastleRAT
- MEDUSA
- Bumblebee - S1039
- StealC
- ChuChuka
- Akira
- Qilin
- Crytox
- Shanya
Additional Information
- Hospitality
- biklkfd.com
- biokdsl.com
- United Arab Emirates
- Tunisia
- Russian Federation
- China