Shanya: The "Packer-as-a-Service" Powering the Ransomware Boom
How a new tool is helping Akira, Medusa, and Qilin gangs silence EDR solutions before they even start encrypting.
Key Takeaways
What is it? Shanya is a “Packer-as-a-Service” that obfuscates malware and kills antivirus/EDR software.
Who uses it? Major ransomware gangs like Akira, Qilin, and Medusa.
How does it work? It uses “Bring Your Own Vulnerable Driver” (BYOVD) attacks, leveraging a flaw in the legitimate ThrottleStop.sys driver to gain kernel access.
Why it matters: It turns legitimate Windows components (consent.exe) into weapons, making detection incredibly difficult.
The ransomware ecosystem is industrializing. It is no longer just about writing the encryption code; it is about the supply chain of tools used to deploy it.
In late 2024 and throughout 2025, a new player emerged: Shanya.
Unlike traditional packers that simply hide malware from antivirus scanners, Shanya is an offensive tool. It doesn’t just hide; it fights back. It creates a “blind spot” on the victim’s machine by actively terminating Endpoint Detection and Response (EDR) solutions.
Here is a deep dive into how Shanya works, why it is replacing older tools like HeartCrypt, and what defenders need to look for.
The Concept: Shanya in Plain English
Before we look at the code, let’s explain the mechanics simply.
Imagine a bank robber (the Ransomware) trying to enter a vault. Usually, there is a security guard (the EDR) watching the door.
The Disguise (The Packer): Shanya wraps the robber in a disguise so the guard doesn’t recognize them immediately.
The Trojan Horse (Side-Loading): The robber walks in holding hands with a trusted employee (a legitimate Windows file like consent.exe). The guard lets them pass because they trust the employee.
The Silencer (The EDR Killer): Once inside, Shanya doesn’t just sneak past the guard; it uses a specialized tool to knock the guard unconscious.
The Result: With the guard down, the robber (Ransomware) can take their time emptying the vault without anyone triggering an alarm.
Shanya is a service that sells this “Disguise and Silencer” kit to any criminal willing to pay.
Technical Deep Dive: Under the Hood
For the analysts and engineers reading this, here is specifically how Shanya achieves evasion and termination.
1. The Packer Architecture
Shanya is designed to be hostile to reverse engineers. Analysis of sample 6645297... reveals:
PEB Manipulation: Instead of storing configuration data (like API addresses) in obvious places, Shanya hides it in the Process Environment Block (PEB), specifically at the GdiHandleBuffer offset. This lets the malware execute without leaving the typical memory patterns that scanners look for.
The “Double DLL” Load: This is a clever evasion technique.
The loader spawns a legitimate system DLL (often shell32.dll) into memory.
It loads a second instance of that DLL into the user code memory space.
It overwrites the .text section of that second instance with its decrypted payload.
Result: To a casual observer or basic tool, the process looks like it’s just running shell32.dll, but the executable code inside is actually malware.
2. The Kill Chain: Bring Your Own Vulnerable Driver (BYOVD)
The most dangerous component of Shanya is the EDR killer. To kill an EDR (which usually has high-level self-protection), you need Kernel (Ring 0) privileges.
Shanya achieves this by exploiting a legitimate driver.
The Weapon: ThrottleStop.sys (a legitimate driver for CPU tuning).
The Vulnerability: CVE-2025-7771. This driver allows a user to read/write kernel memory via the MmMapIoSpace function.
The Attack:
Shanya drops ThrottleStop.sys and a malicious unsigned driver (hlpdrv.sys).
It uses the vulnerability in ThrottleStop to trick the Windows kernel into allowing the malicious driver to load.
Once loaded, the malicious driver has unrestricted access to system memory.
3. The Target List
Once Shanya has kernel access, it iterates through a hardcoded “Kill List” of processes and services. It doesn’t matter if these services are set to “Auto-Restart”—Shanya runs a loop that kills them the moment they try to come back online.
Targets include:
Sophos, CrowdStrike (Falcon), SentinelOne, Carbon Black, Cylance, ESET, Kaspersky, Palo Alto Cortex, and Windows Defender (MsMpEng.exe).
Real-World Impact
Shanya has been observed in use across four hemispheres in 2025. It is not limited to one group; it is a mercenary tool.
The “Hotel” Campaign
In September 2025, a campaign targeting the hospitality industry used a fake Booking.com “ClickFix” page.
The lure: A script urged hotel staff to verify a booking.
The payload: It downloaded consent.zip.
The execution: It ran consent.exe (legitimate Microsoft UAC binary), which side-loaded wmsgapi.dll (Shanya).
The outcome: It deployed CastleRAT, a backdoor used for persistence.
This proves Shanya isn’t just for ransomware; it is a delivery truck for any malware requiring stealth.
How to Hunt the Hunter: A Defender’s Playbook
Defense doesn’t have to be dry checklists. Think of stopping Shanya as a game of “Spot the Imposter.” Shanya relies on looking like a legitimate Windows admin until the very last second.
Here is how you ruin their surprise party.
1. The “No Overclocking” Rule (Kill the Driver)
Let’s be real: Nobody needs to overclock the CPU on an accounting server.
Shanya’s entire kill chain relies on ThrottleStop.sys—a tool for gamers and PC enthusiasts—to break into the kernel.
The Play: Treat ThrottleStop.sys (and its alias rwdrv.sys) like contraband. If this file appears in your environment, it’s not a user trying to get more FPS in Excel; it’s an intruder loading a weapon.
The Move: Implement the Microsoft Vulnerable Driver Blocklist immediately. It’s like updating the “Banned” photo list at a club entrance. If the driver shows up, the bouncer (Windows) should throw it out on sight.
2. “Stranger Things”: The Case of consent.exe
consent.exe is a boring, standard Windows file. It usually lives quietly in C:\Windows\System32.
Shanya, however, drags consent.exe out of its home and forces it to party in weird places like C:\Users\Downloads or %TEMP%.
The Play: If you see consent.exe running from anywhere except System32, that is not a Windows process. That is a skinwalker.
The Logic: Genuine administrative tools do not run from the “Downloads” folder.
The Trap: Set your SIEM to scream if consent.exe spawns a child process or makes an internet connection. consent.exe asks for permission; it doesn’t download files.
3. Silence is an Alarm (The Dead Canary)
We are used to alerts being loud. Shanya relies on making things quiet. It kills your EDR agent so it can’t send an alert.
The Play: Invert your thinking. Don’t just watch for “Malware Detected.” Watch for “Agent Offline.”
The Scenario: If five computers in your Finance department suddenly stop reporting to the cloud console at the same time, don’t assume it’s a network glitch. Assume they just had their throats cut.
The Move: Treat “Heartbeat Lost” as a Sev-1 incident. If the guard dog stops barking, assume the house is being robbed.
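A worked version of the “Dead Canary” rule, added here as an example and not part of the original post. It takes a last-check-in export from the EDR console (the record layout, the staleness threshold, the clustering window and the cluster size are all assumptions; the records are constructed) and reports only departments where several agents fell silent within minutes of each other, so a single laptop in a bag does not page anyone but five finance workstations going quiet together does.

```python
"""Clustered agent-heartbeat-loss detector for the "Silence is an Alarm" rule.
Added example, not from the original post. The check-in export format and the
thresholds are assumptions; the records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

STALE_AFTER = timedelta(minutes=10)    # assumed: an agent normally checks in at least this often
CLUSTER_WINDOW = timedelta(minutes=5)  # assumed: silences this close together count as one event
CLUSTER_SIZE = 3                       # assumed: this many silent hosts in one department is Sev-1

# Constructed export of last check-in per host: (host, department, last_seen ISO-8601)
LAST_SEEN = [
    ("FIN-01", "Finance", "2025-09-12T09:00:10"),
    ("FIN-02", "Finance", "2025-09-12T09:01:05"),
    ("FIN-03", "Finance", "2025-09-12T09:02:40"),
    ("FIN-04", "Finance", "2025-09-12T09:03:15"),
    ("FIN-05", "Finance", "2025-09-12T09:29:00"),  # still reporting
    ("HR-01",  "HR",      "2025-09-12T08:40:00"),  # one isolated silence (laptop in a bag?)
    ("HR-02",  "HR",      "2025-09-12T09:29:30"),
]


def stale_hosts(records, now_iso, stale_after=STALE_AFTER):
    """Return [(host, dept, last_seen_datetime)] for agents silent longer than stale_after."""
    now = datetime.fromisoformat(now_iso)
    out = []
    for host, dept, ts in records:
        last = datetime.fromisoformat(ts)
        if now - last > stale_after:
            out.append((host, dept, last))
    return out


def heartbeat_clusters(records, now_iso, window=CLUSTER_WINDOW, size=CLUSTER_SIZE):
    """Map department -> sorted hosts that went silent within `window` of at least
    `size` - 1 others in the same department. Single stragglers are not reported."""
    by_dept = defaultdict(list)
    for host, dept, last in stale_hosts(records, now_iso):
        by_dept[dept].append((last, host))

    alerts = {}
    for dept, items in by_dept.items():
        items.sort()  # by last-seen time
        flagged = set()
        start = 0
        for end in range(len(items)):
            # slide the window start forward until the span fits inside `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= size:
                flagged.update(h for _, h in items[start:end + 1])
        if flagged:
            alerts[dept] = sorted(flagged)
    return alerts


if __name__ == "__main__":
    for dept, hosts in heartbeat_clusters(LAST_SEEN, "2025-09-12T09:30:00").items():
        print(f"SEV-1 heartbeat loss in {dept}: {', '.join(hosts)}")
```

Run it against the constructed export at 09:30 and it flags the four Finance hosts that stopped reporting between 09:00 and 09:03 while ignoring the lone HR laptop; tune the three thresholds to your agent’s real check-in interval before wiring it to a Sev-1 page.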
4. The “Registry Rattle”
Before Shanya kills the EDR, it often tries to mess with the settings, specifically looking at the DisableAntiSpyware registry keys.
The Play: Put a bell on the door. Monitor the registry keys for Windows Defender and your specific EDR.
The Logic: Legitimate software almost never tries to edit these keys. The moment something touches HKLM\...\Windows Defender, it’s hostile. Isolate the machine immediately—don’t wait for a human to review it.
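The consent.exe rules from section 2 and the registry tripwire from section 4 share the same shape (match one field of a process, network or registry event), so here is one small rule engine that implements both. It is an added example, not code from the original post; the flattened Sysmon-like event dictionaries and their field names (event, image, parent_image, dest, key, value) are assumptions, and the events themselves are constructed. The Defender policy path is the real location of DisableAntiSpyware; adapt the registry match to your own EDR vendor’s keys.

```python
"""Hunt rules for consent.exe misuse and EDR registry tampering.
Added example, not from the original post. Event shape and field names are
hypothetical; the EVENTS list is constructed sample telemetry.
"""
import ntpath  # Windows path handling that also works when run on Linux/macOS

SYSTEM32 = r"c:\windows\system32"  # the only legitimate home of consent.exe

# Constructed events in a flattened Sysmon-like layout (field names assumed)
EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\consent.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},                      # benign UAC prompt
    {"event": "process_create", "image": r"C:\Users\bob\Downloads\consent\consent.exe",
     "parent_image": r"C:\Windows\explorer.exe"},                               # wrong directory
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\bob\Downloads\consent\consent.exe"},           # consent.exe has a child
    {"event": "network_connect", "image": r"C:\Users\bob\Downloads\consent\consent.exe",
     "dest": "biokdsl.com:443"},                                                # consent.exe talks out
    {"event": "registry_set", "image": r"C:\Users\bob\Downloads\consent\consent.exe",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware"},                                            # registry rattle
    {"event": "registry_set", "image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Foo", "value": "Start"},  # benign noise
]


def _is_consent(path):
    return ntpath.basename(path or "").lower() == "consent.exe"


def _outside_system32(path):
    return ntpath.dirname(path).lower() != SYSTEM32


def evaluate(events):
    """Return [(event_index, rule_name)] for every event that trips a rule."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev.get("event")
        image = ev.get("image", "")
        if kind == "process_create":
            # rule 1: consent.exe started from anywhere but System32
            if _is_consent(image) and _outside_system32(image):
                findings.append((i, "consent_outside_system32"))
            # rule 2: consent.exe spawned a child; the real one only prompts
            if _is_consent(ev.get("parent_image", "")):
                findings.append((i, "consent_spawned_child"))
        elif kind == "network_connect" and _is_consent(image):
            # rule 3: consent.exe asks for permission, it doesn't download files
            findings.append((i, "consent_network"))
        elif kind == "registry_set":
            # rule 4: anything touching the Defender policy tree or DisableAntiSpyware
            key = ev.get("key", "").lower()
            value = ev.get("value", "").lower()
            if "windows defender" in key or value == "disableantispyware":
                findings.append((i, "edr_registry_tamper"))
    return findings


if __name__ == "__main__":
    for idx, rule in evaluate(EVENTS):
        print(f"[{rule}] {EVENTS[idx]}")
```

The benign UAC prompt and the unrelated service registry write pass silently; the other four events each trip exactly one rule. Feeding the same logic into a SIEM means translating each branch into the product’s query language, which is straightforward because every rule keys on a single field.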
5. Final Boss Move: Tamper Protection
Think of Tamper Protection as wearing a bulletproof vest.
Shanya tries to stab the EDR process to death. If Tamper Protection is off, the EDR dies. If it is on, the EDR might still take a beating, but it will stay alive long enough to scream for help.
The Check: Go to your dashboard right now. Is Tamper Protection enabled? If not, you’re playing on “Hard Mode” for no reason.
The Final Verdict
Shanya isn’t just another piece of malware; it’s a status update on the state of cybercrime in 2025.
We are no longer fighting “hackers” in hoodies. We are fighting a supply chain. One group builds the access, another builds the ransomware, and groups like the creators of Shanya build the “silencers” that let them walk through the front door.
The uncomfortable truth? Your endpoint protection is only as good as the operating system’s trust model. As long as Windows trusts a driver simply because it has a valid digital signature, tools like Shanya will exist.
We cannot wait for Microsoft to fix the driver ecosystem.
Trust nothing blindly.
Assume your EDR can die.
Hunt for the silence.
The war isn’t over, but now you know what the enemy is packing.
The Hunter’s Cheat Sheet (IOCs)
Here are the fingerprints left at the crime scene. Feed these into your SIEM, EDR, or threat intelligence platform.
The “Kill Kit” (Files to Block)
If you see these, the house is already on fire.
ThrottleStop.sys / rwdrv.sys
What it is: The vulnerable driver (the key to the kernel).
Context: Unless you are running a gaming café, this has no business on your network.
Hash: 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0
hlpdrv.sys
What it is: The malicious killer driver.
Context: Unsigned, nasty, and lethal to EDRs.
mustard64.dll
What it is: The internal name often found in Shanya payloads.
Context: A weird condiment name in your System32 folder? Dead giveaway.
The DNA (Hashes)
The EDR Killer Variant:
6645297a0a423564f99b9f474b0df234d6613d04df48a94cb67f541b8eb829d1
The Loaded Gun (Consent.zip):
59906b022adfc6f63903adbdbb64c82881e0b1664d6b7f7ee42319019fcb3d7e
The Call Home (Network)
Block these domains. They are the distribution points.
biokdsl[.]com/upd
biklkfd[.]com/upd
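To put the cheat sheet and the “No Overclocking” rule to work, here is an IOC matcher added as an example (not code from the original post). The indicators are exactly the ones listed above; the file inventory (path plus SHA-256) and the DNS log lines it is run against are constructed, including the non-IOC hashes, which are placeholders. It catches the vulnerable driver by hash even when renamed, the killer driver and mustard64.dll by name, and the distribution domains (refanged from the bracketed form) including subdomains.

```python
"""IOC matcher for the Shanya indicators in the cheat sheet.
Added example, not from the original post. Indicators are the page's own;
FILES and DNS_LOG are constructed sample data with placeholder benign hashes.
"""
import re

IOC_FILENAMES = {"throttlestop.sys", "rwdrv.sys", "hlpdrv.sys", "mustard64.dll"}
IOC_SHA256 = {
    "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0": "ThrottleStop.sys / rwdrv.sys",
    "6645297a0a423564f99b9f474b0df234d6613d04df48a94cb67f541b8eb829d1": "Shanya EDR-killer variant",
    "59906b022adfc6f63903adbdbb64c82881e0b1664d6b7f7ee42319019fcb3d7e": "consent.zip",
}
IOC_URLS_DEFANGED = ["biokdsl[.]com/upd", "biklkfd[.]com/upd"]


def refang(ioc):
    """Turn a defanged indicator ('x[.]com', 'hxxp://') back into a matchable form."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


IOC_DOMAINS = {refang(u).split("/")[0].lower() for u in IOC_URLS_DEFANGED}

# Constructed file inventory: (path, sha256). Only the first hash is a real IOC;
# the others are placeholders standing in for benign files.
FILES = [
    (r"C:\Windows\Temp\rw.sys",
     "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0"),  # renamed driver
    (r"C:\Users\bob\AppData\Local\Temp\hlpdrv.sys", "0" * 64),              # caught by name
    (r"C:\Windows\System32\ntoskrnl.exe", "1" * 64),                        # benign
]

# Constructed DNS query log lines: "<timestamp> <host> query <type> <qname>"
DNS_LOG = [
    "2025-09-12T09:01:00 WS-07 query A biokdsl.com",
    "2025-09-12T09:01:02 WS-07 query A cdn.example.com",
    "2025-09-12T09:04:00 WS-09 query A www.biklkfd.com",
]

DNS_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")


def match_files(files):
    """Return [(path, reason)] for files matching an IOC hash or filename."""
    out = []
    for path, digest in files:
        name = path.rsplit("\\", 1)[-1].lower()
        if digest.lower() in IOC_SHA256:          # hash first: survives renaming
            out.append((path, "hash:" + IOC_SHA256[digest.lower()]))
        elif name in IOC_FILENAMES:
            out.append((path, "name:" + name))
    return out


def match_dns(lines):
    """Return [(host, qname)] for queries to an IOC domain or any of its subdomains."""
    out = []
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue  # skip lines that don't fit the assumed format
        qname = m.group("qname").lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in IOC_DOMAINS):
            out.append((m.group("host"), qname))
    return out


if __name__ == "__main__":
    for hit in match_files(FILES) + match_dns(DNS_LOG):
        print("IOC HIT:", hit)
```

Matching on hash before name is deliberate: the driver hash above identifies ThrottleStop.sys whatever it has been renamed to, while the name match is the cheap catch for the unsigned hlpdrv.sys and mustard64.dll, for which the page gives no hash. The driver match is a detection, not a substitute for actually deploying the Microsoft Vulnerable Driver Blocklist, which stops the driver from loading at all.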