Current Cyber Threats

Inside Shanya, a Packer-As-A-Service Fueling Modern Attacks

Summary:
Shanya is a packer-as-a-service that has been promoted on underground forums since late 2024. Under this model, cybercriminals pay to have their malware re-packed and encrypted to evade detection. According to researchers at Sophos, Shanya gives each customer a customized loader and a unique encryption routine, so every packed file looks different. The loader is also heavily obfuscated and generates its decrypter in memory at runtime, which makes static analysis difficult and helps the payload slip past traditional signature-based defenses.

Shanya includes an AMSI bypass for .NET malware. AMSI (the Antimalware Scan Interface) is the hook through which Windows hands script and .NET assembly contents to the installed antivirus for scanning as they are loaded into memory; defeating it lets .NET payloads run without being inspected. The packer also supports privilege escalation: customers can configure their payloads to request elevated privileges automatically and, in some cases, bypass User Account Control prompts, giving the malware administrative rights with little or no user interaction.

Shanya can further equip packed samples with autorun persistence, so the payload launches automatically at boot or user logon and the attacker keeps a foothold across restarts. It also uses variable API hashing: instead of importing Windows API functions by name, the loader resolves them at runtime by comparing hashes of export names against constants embedded in the binary, and every build uses a slightly different hashing algorithm. Because those constants change with each build, the same malware looks entirely different across deployments, and a lookup table built for one sample does not carry over to the next.
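The runtime lookup that API hashing replaces, and why a per-build change to the hash breaks static lookup tables, is easiest to see in code. The following is an added example written for this page, not code from Sophos or from Shanya; Shanya's actual hash function is not described here, so the rotate-and-add hash below, its rotation count and seed, and the short export list are all constructed stand-ins.

```python
"""Added example: a parameterised rotate-and-add API hash (a stand-in for the
variable hashing the write-up describes, not Shanya's real algorithm) and the
analyst-side step of recovering the per-build parameters from observed hashes."""

# Constructed stand-in for part of kernel32.dll's export table.
KERNEL32_EXPORTS = [
    "CreateFileW", "VirtualAlloc", "VirtualProtect", "LoadLibraryA",
    "GetProcAddress", "WriteProcessMemory", "CreateRemoteThread", "ExitProcess",
]


def api_hash(name: str, rot: int = 13, seed: int = 0) -> int:
    """Rotate-right-by-`rot`, then add each byte of the export name (32-bit).

    `rot` and `seed` are the "variable" parts: changing either one changes
    every hash constant embedded in the loader.
    """
    h = seed & 0xFFFFFFFF
    for byte in name.encode("ascii"):
        h = ((h >> rot) | (h << (32 - rot))) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h


def resolve(target: int, rot: int, seed: int, exports=KERNEL32_EXPORTS):
    """What the loader does at runtime: walk the export names, hash each one
    with this build's parameters, and stop at the first match."""
    for name in exports:
        if api_hash(name, rot, seed) == target:
            return name
    return None


def recover_params(observed, exports=KERNEL32_EXPORTS,
                   rots=range(1, 32), seeds=range(0, 256)):
    """Analyst side: given hash constants pulled from a sample, brute-force the
    (rot, seed) pair under which every constant maps to a known export.
    Returns (rot, seed, names) or None if no pair explains all of them."""
    for rot in rots:
        for seed in seeds:
            table = {api_hash(n, rot, seed): n for n in exports}
            names = [table.get(h) for h in observed]
            if all(names):
                return rot, seed, names
    return None


if __name__ == "__main__":
    # Build A uses ROR-13 with no seed; build B rotates by 7 from seed 0x5A.
    apis = ("VirtualAlloc", "CreateRemoteThread")
    build_a = [api_hash(n, 13, 0) for n in apis]
    build_b = [api_hash(n, 7, 0x5A) for n in apis]
    print("same APIs, different constants:",
          [hex(h) for h in build_a], [hex(h) for h in build_b])
    # A table keyed on build A's parameters does not resolve build B's constants ...
    print("build B constant under build A's params:", resolve(build_b[0], 13, 0))
    # ... but a small parameter search recovers them.
    print("recovered:", recover_params(build_b))
```

The point of the brute force is that "variable" hashing only defeats precomputed tables, not analysis: once the hash family is identified in one sample, recovering the next build's parameters is a search over a few thousand candidates against the real export tables. Note that changing the seed changes every hash for the same name (each rotate-and-add step is a bijection on 32-bit values), which is exactly why one build's constants never match another's.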

Security Officer Comments:
Shanya’s capabilities extend beyond basic obfuscation and encryption. The service has repeatedly been used to disable or interfere with antivirus and EDR products, clearing the way for high-impact intrusions such as ransomware. Campaigns using Shanya often pair the loader with a dedicated EDR killer, a module that abuses a vulnerable but legitimate driver (the bring-your-own-vulnerable-driver, or BYOVD, technique) to gain kernel-level privileges and terminate security processes and services. By killing those processes before dropping the final payload, attackers have been able to run ransomware families including Akira, Medusa, Qilin, and Crytox with little or no interference from endpoint defenses. The ability to blind endpoint protection and open a path for follow-on malware has made Shanya an increasingly attractive tool for threat actors in 2025.

Suggested Corrections:
Shanya was spotted in a ClickFix campaign in September 2025 that targeted hotels. Victims were shown a fake “booking[.]com verification” page styled like a CAPTCHA, which tricked them into downloading a file containing a Shanya-packed DLL. Once executed, a legitimate Windows program (consent[.]exe) acted as the loader for that DLL, which then fetched and unpacked the remaining malicious components and ultimately delivered the CastleRAT backdoor.

To defend against similar attacks, organizations should train staff to recognize ClickFix-style verification lures, block suspicious downloads, and prevent trusted programs from loading unexpected DLLs (for example, by alerting when a signed Windows binary runs from a user-writable directory or loads a DLL that is not Microsoft-signed). Application allow-listing (such as WDAC or AppLocker), up-to-date security tooling, and limiting administrative privileges also help stop Shanya-packed malware before it runs. Because the associated EDR killer depends on loading a vulnerable driver, keeping Microsoft's vulnerable driver blocklist enforced removes that step as well.
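The "trusted program loading an unexpected DLL" behaviour from the hotel campaign and the corresponding mitigation can be turned into a concrete hunting check over image-load telemetry. The following is an added example, not code from Sophos or from any product: it evaluates records shaped like Sysmon Event ID 7 (ImageLoaded) entries, flagging a watched Windows binary such as consent.exe when it runs from outside the Windows directory, loads a DLL from outside it, or loads a DLL that is not Microsoft-signed. All events, paths, PIDs, and DLL names below are constructed for illustration.

```python
"""Added example (not from the Sophos write-up): a hunting check over image-load
telemetry of the kind Sysmon Event ID 7 records, flagging a watched Windows
binary such as consent.exe that runs from outside the Windows directory, loads
a DLL from outside it, or loads a DLL that is not Microsoft-signed. The events
below are constructed; field names follow Sysmon's but every path and PID is
made up."""
import ntpath

# Signed Windows binaries worth watching as sideload hosts. consent.exe is the
# one named in the hotel campaign; extending the set is a local choice.
WATCHED_HOSTS = {"consent.exe"}
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIRS)


def microsoft_signed(ev: dict) -> bool:
    """True only for a valid signature whose signer name starts with Microsoft."""
    return (ev.get("Signed", "").lower() == "true"
            and ev.get("SignatureStatus", "") == "Valid"
            and ev.get("Signature", "").startswith("Microsoft"))


def check_image_load(ev: dict):
    """Return a reason string if this load looks like DLL sideloading, else None."""
    host, dll = ev["Image"], ev["ImageLoaded"]
    if ntpath.basename(host).lower() not in WATCHED_HOSTS:
        return None
    if not dll.lower().endswith(".dll"):
        return None
    reasons = []
    if not in_windows_dir(host):
        reasons.append("host binary running outside the Windows directory")
    if not in_windows_dir(dll):
        reasons.append("DLL loaded from outside the Windows directory")
    if not microsoft_signed(ev):
        reasons.append("DLL is not Microsoft-signed")
    return "; ".join(reasons) or None


def hunt(events):
    """Return (ProcessId, Image, reason) for every event the check flags."""
    hits = []
    for ev in events:
        reason = check_image_load(ev)
        if reason:
            hits.append((ev["ProcessId"], ev["Image"], reason))
    return hits


# Constructed Sysmon-style Event ID 7 records.
EVENTS = [
    # Benign: consent.exe in System32 loading a Microsoft-signed system DLL.
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\consent.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # A copy of consent.exe in a download folder loading an unsigned DLL beside it.
    {"ProcessId": 5532, "Image": r"C:\Users\guest\Downloads\Verification\consent.exe",
     "ImageLoaded": r"C:\Users\guest\Downloads\Verification\example.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    # The real consent.exe pulling an unsigned DLL from a writable location.
    {"ProcessId": 6008, "Image": r"C:\Windows\System32\consent.exe",
     "ImageLoaded": r"C:\Windows\Temp\example.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    # A validly signed but non-Microsoft DLL dropped into System32.
    {"ProcessId": 7212, "Image": r"C:\Windows\System32\consent.exe",
     "ImageLoaded": r"C:\Windows\System32\example.dll",
     "Signed": "true", "Signature": "Contoso Ltd", "SignatureStatus": "Valid"},
    # Not a watched host: the rule stays silent to keep its precision.
    {"ProcessId": 8044, "Image": r"C:\Users\guest\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\guest\AppData\Local\Temp\example.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for pid, image, reason in hunt(EVENTS):
        print(f"PID {pid}: {image}: {reason}")
```

Two caveats for production use: the watchlist keys on the file name, which an attacker controls, so a deployed rule should identify the host by its OriginalFileName or signer from the matching process-creation event rather than by basename; and the signature fields are only populated when Sysmon is configured to record them for image loads, so an empty Signature field should be treated as "not verified" rather than as benign, which is what microsoft_signed does.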

Link(s):
https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/