Ransomware’s New Secret Weapon

Attackers now outsource stealth just like businesses outsource hosting.

Shanya turns evasion into a paid service

Shanya proves stealth is now a commodity. Ransomware gangs no longer build their own evasion. They rent it and walk straight past EDR tools still relying on a broken Windows trust model.

Shanya is not clever. It is convenient. That is why ransomware gangs are using it. Instead of building their own obfuscation chains, they upload a payload and get back a packaged binary that static scanners and many EDR sensors fail to flag at rest. Stealth became something you buy instead of something you engineer.

The operation appeared in late 2024 and spread fast through 2025. Medusa, Qilin, Crytox, and Akira all used it. Telemetry shows packs surfacing everywhere from Tunisia to Nigeria to Costa Rica. That tells you this is not an APT trick. It is a commodity. Anyone with money and a payload can purchase evasion.

Stealth as a Commodity

Shanya wraps malware in a custom loader that decrypts the payload only in memory; on disk there is nothing but an encrypted blob and a stub. Attackers get a unique stub, unique encryption keys, and a unique wrapper every time, so hash and byte-pattern signatures written for one sample miss the next, and heuristics that key on the wrapper see a fresh one each build. What does not change is what the payload does once it runs, which is where detection has to move. It is the same logic behind cloud hosting and bulletproof servers. Outsource the problem. Buy the outcome.

Why Packer-as-a-Service Exists

Ransomware crews optimise for speed. They do not waste time building loaders, encryption layers, or anti-analysis logic. A service like Shanya ships all of that instantly. The economics are obvious. Lower development cost. Faster deployment. Higher success rate. It mirrors the rise of exploit kits a decade ago. The packaging layer became a standalone business.

Windows Keeps Making This Easy

Shanya injects the decrypted payload into a memory-mapped copy of shell32.dll, the technique usually called module stomping. The DLL is mapped the normal way, so the region is backed by a signed Microsoft file on disk; the loader then overwrites the header and the .text section in place. Windows never re-checks a mapped image against its file, and many EDR memory scanners skip image-backed regions on the assumption that a signed DLL's code is still that DLL's code, so the payload runs from what looks like shell32. The same gap exists in the kernel. The EDR killer shipped with the packed files abuses ThrottleStop.sys, a legitimately signed third-party driver that exposes arbitrary kernel memory writes to user mode. A valid signature proves who built the driver, not that it is safe to expose, and unless that driver is on Microsoft's vulnerable driver blocklist the OS loads it without complaint. The practical check is whether the blocklist is enforced on your fleet (Windows Security > Device security > Core isolation, or the VulnerableDriverBlocklistEnable value under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config); whether a given driver appears on it is what decides if the load succeeds.
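The overwrite described above is checkable from user mode: the .text section of a DLL in the loader's module list should match the bytes in its on-disk file, and a wholesale rewrite looks nothing like the handful of 5-byte jumps an EDR's own hooks leave behind. The following is an added example written for this page, not Shanya's code and not any vendor's detection logic. It parses the section table, diffs mapped .text against disk, and classifies the result. The thresholds, the sample bytes and the tiny constructed PE image are assumptions for the demo; the collector at the bottom runs only on Windows and walks the loader's module list through ctypes.

```python
import struct
import sys


def text_section(image: bytes):
    """Parse the PE headers and return (virtual_addr, raw_offset, raw_size) of .text."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (num_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                  # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = table + 40 * i
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        if image[hdr:hdr + 8].rstrip(b"\0") == b".text":
            return va, raw_ptr, raw_size
    raise ValueError("no .text section")


def diff_ranges(disk: bytes, mapped: bytes):
    """Contiguous [start, end) byte ranges where the mapped copy differs from disk."""
    ranges, start = [], None
    n = min(len(disk), len(mapped))
    for i in range(n):
        if disk[i] != mapped[i]:
            start = i if start is None else start
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def classify(disk: bytes, mapped: bytes, hook_max=32, stomp_fraction=0.2):
    """'clean', 'hooked' (a few short patches, like EDR trampolines) or 'stomped'.
    Thresholds are assumptions: one changed run longer than hook_max bytes, or more
    than stomp_fraction of .text rewritten, means the section was replaced."""
    ranges = diff_ranges(disk, mapped)
    if not ranges:
        return "clean"
    longest = max(end - start for start, end in ranges)
    changed = sum(end - start for start, end in ranges)
    return "hooked" if longest <= hook_max and changed < stomp_fraction * len(disk) else "stomped"


# Constructed sample data (not real shell32 code): 4 KiB of "original" .text, a copy
# with one 5-byte jmp patched in, and a copy with most of the section replaced.
SAMPLE_TEXT = bytes(range(256)) * 16
HOOKED = SAMPLE_TEXT[:0x100] + b"\xe9\x00\x10\x00\x00" + SAMPLE_TEXT[0x105:]
STOMPED = SAMPLE_TEXT[:0x40] + b"\xcc" * 0xF00 + SAMPLE_TEXT[0xF40:]


def build_sample_pe(text: bytes) -> bytes:
    """Constructed minimal PE32+ image with a single .text section at RVA 0x1000."""
    e_lfanew, opt_size, raw_ptr = 0x40, 0xF0, 0x200
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(opt_size - 2)
    sec = b".text\0\0\0" + struct.pack("<IIII", len(text), 0x1000, len(text), raw_ptr) + bytes(16)
    header = dos + coff + opt + sec
    return header + bytes(raw_ptr - len(header)) + text


def scan_process(pid: int):
    """Yield (module_path, verdict) for each module in the loader's list. Windows only."""
    if sys.platform != "win32":
        raise OSError("scan_process needs Windows")
    import ctypes
    from ctypes import wintypes as wt
    k32, psapi = ctypes.windll.kernel32, ctypes.windll.psapi
    k32.OpenProcess.restype, k32.CloseHandle.argtypes = wt.HANDLE, [wt.HANDLE]
    k32.ReadProcessMemory.argtypes = [wt.HANDLE, wt.LPCVOID, wt.LPVOID, ctypes.c_size_t,
                                      ctypes.POINTER(ctypes.c_size_t)]
    psapi.EnumProcessModulesEx.argtypes = [wt.HANDLE, ctypes.POINTER(wt.HMODULE), wt.DWORD,
                                           wt.LPDWORD, wt.DWORD]
    psapi.GetModuleFileNameExW.argtypes = [wt.HANDLE, wt.HMODULE, wt.LPWSTR, wt.DWORD]
    h = k32.OpenProcess(0x0410, False, pid)           # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if not h:
        raise OSError(f"OpenProcess({pid}) failed, error {k32.GetLastError()}")
    mods, needed = (wt.HMODULE * 1024)(), wt.DWORD()
    psapi.EnumProcessModulesEx(h, mods, ctypes.sizeof(mods), ctypes.byref(needed), 0x03)  # LIST_MODULES_ALL
    for i in range(needed.value // ctypes.sizeof(wt.HMODULE)):
        path = ctypes.create_unicode_buffer(wt.MAX_PATH)
        psapi.GetModuleFileNameExW(h, mods[i], path, wt.MAX_PATH)
        disk = open(path.value, "rb").read()
        va, raw_ptr, raw_size = text_section(disk)
        buf, got = ctypes.create_string_buffer(raw_size), ctypes.c_size_t()
        k32.ReadProcessMemory(h, mods[i] + va, buf, raw_size, ctypes.byref(got))
        yield path.value, classify(disk[raw_ptr:raw_ptr + raw_size], buf.raw[:got.value])
    k32.CloseHandle(h)


if __name__ == "__main__":
    pe = build_sample_pe(SAMPLE_TEXT)
    va, raw_ptr, raw_size = text_section(pe)
    for label, mapped in (("untouched", SAMPLE_TEXT), ("hooked", HOOKED), ("stomped", STOMPED)):
        print(f"{label:>9}: {classify(pe[raw_ptr:raw_ptr + raw_size], mapped)}")
```

Run stand-alone it prints verdicts for the three constructed samples; on Windows, `scan_process(pid)` applies the same diff to every module of a live process. Two caveats. It reads the loader's module list, so a copy of shell32.dll mapped by hand rather than through LoadLibrary never appears there; for that case walk VirtualQueryEx over MEM_IMAGE regions and name them with GetMappedFileNameW instead. And 32-bit DLLs carry absolute addresses in .text that the loader relocates, so their on-disk copy has to be rebased with the .reloc table before the comparison means anything. A few short "hooked" verdicts on ntdll.dll and kernel32.dll are the EDR's own trampolines, which is exactly why the classifier separates them from a bulk rewrite.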

EDR Has Blind Spots It Pretends Don't Exist

Shanya uses an invalid RtlDeleteFunctionTable call that crashes user-mode debuggers and automated sandboxes attached to the process. That buys time. The real damage comes from the EDR killer. It enumerates running services and processes, matches them against a list of security products, and hands each target to the abused kernel driver, which terminates them one by one from kernel mode, where the protected-process (PPL) rules that stop a user-mode process from killing them do not apply. This happens before encryption and before exfiltration. What it cannot hide is the driver load itself: a new kernel driver appearing from a temp directory, followed within seconds by security services dying, is the loudest signal in the whole chain and the point a detection should key on. After that the payload stays in memory, the loader looks clean, and the EDR never sees the knife coming.
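The sequence above has one loud step, the driver load. As an added example (written for this page, not taken from Shanya, from a vendor or from any published rule), here is the correlation a detection engineer would write over Sysmon-style events: a watch-listed driver load followed on the same host by security processes terminating. The log lines, field layout, watch list and process names are constructed for the demo; Sysmon's real events are XML, and a real watch list matches driver hashes rather than file names, since a renamed driver loads just the same.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed watch list for the demo: ThrottleStop.sys is the driver named on this page.
# Production lists key on hashes (Microsoft's vulnerable driver blocklist, LOLDrivers).
DRIVER_WATCHLIST = {"throttlestop.sys"}
# Assumed names of security-product processes; replace with what is actually deployed.
SECURITY_PROCS = {"msmpeng.exe", "mssense.exe", "sensecncproxy.exe"}

# Constructed Sysmon-style lines: ts|host|event_id|key=value|...
# (ID 1 process create, ID 5 process terminated, ID 6 driver loaded).
SAMPLE_LOG = """\
2025-03-01T10:00:00|WS01|1|Image=C:\\Users\\bob\\Downloads\\update.exe|ParentImage=C:\\Windows\\explorer.exe
2025-03-01T10:00:02|WS01|6|ImageLoaded=C:\\Windows\\Temp\\ThrottleStop.sys|Signed=true
2025-03-01T10:00:04|WS01|5|Image=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25010.9-0\\MsMpEng.exe
2025-03-01T10:00:05|WS01|5|Image=C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe
2025-03-01T10:00:05|WS01|5|Image=C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseCncProxy.exe
2025-03-01T10:01:00|WS02|6|ImageLoaded=C:\\Program Files\\ThrottleStop\\ThrottleStop.sys|Signed=true
2025-03-01T11:30:00|WS03|5|Image=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25010.9-0\\MsMpEng.exe
"""


def parse_event(line: str) -> dict:
    """Split one constructed log line into a dict; key=value fields are kept verbatim."""
    ts, host, event_id, *pairs = line.split("|")
    event = {"ts": datetime.fromisoformat(ts), "host": host, "id": int(event_id)}
    event.update(pair.split("=", 1) for pair in pairs)
    return event


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def find_edr_killer(log: str, window=timedelta(minutes=5), min_kills=2) -> list:
    """One alert per watch-listed driver load: 'high' if at least min_kills security
    processes die on the same host within `window` of the load, otherwise 'medium'."""
    events = [parse_event(line) for line in log.splitlines() if line.strip()]
    alerts = []
    for load in events:
        if load["id"] != 6 or basename(load["ImageLoaded"]) not in DRIVER_WATCHLIST:
            continue
        deadline = load["ts"] + window
        killed = [basename(e["Image"]) for e in events
                  if e["host"] == load["host"] and e["id"] == 5
                  and load["ts"] <= e["ts"] <= deadline
                  and basename(e["Image"]) in SECURITY_PROCS]
        alerts.append({
            "host": load["host"],
            "driver": load["ImageLoaded"],
            "loaded_at": load["ts"].isoformat(),
            "killed": killed,
            "severity": "high" if len(killed) >= min_kills else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_edr_killer(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["host"], alert["driver"], alert["killed"])
```

On the constructed data WS01 produces a high-severity alert (driver from a temp path, three Defender processes gone within seconds), WS02 a medium one (the same driver from its normal install directory and nothing dying, which is what a user running the real ThrottleStop utility looks like and is why the load alone is not a verdict), and WS03 nothing, because a single MsMpEng.exe exit with no driver load is what a Defender update looks like. The driver-load event is the earliest high-fidelity signal here; a kill rule that waits for the services to disappear is confirming the attack rather than catching it.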

Malware and Privacy Tools Share Techniques

Both avoid writing identifiable footprints. Both use non-standard loaders. Both rely on unpredictable memory states to frustrate inspection. The intent is what separates them. Malware uses stealth to harm people. Privacy tools use stealth to protect them. The overlap exists because surveillance and anti-surveillance fight on the same technical battlefield.

Shanya matters because it shows where the crimeware economy is heading. Attackers do not innovate. They subscribe. The infrastructure around them does the heavy lifting. When stealth becomes a service, defenders end up reacting to an ecosystem instead of a threat actor. And right now that ecosystem is expanding.

Blackout VPN exists because privacy is a right. Your first name is too much information for us.


FAQ

What is Shanya?

A packer-as-a-service platform that wraps malware in a custom loader to bypass security tools.

Why are ransomware gangs using it?

It removes the need to build their own evasion pipelines and improves success rates with minimal effort.

How does it bypass EDR tools?

Through memory-only payload handling, an anti-debugging trick that crashes attached debuggers and sandboxes, and a kernel-level EDR killer, built on an abused signed driver, that ships with the packed files.

Why is Windows part of the problem?

Its trust model checks a DLL when it is mapped and a driver when it is signed, then stops looking: code overwritten inside a mapped system DLL and a signed driver that exposes kernel memory writes both run with no further scrutiny.

What does this mean for defenders?

They are no longer fighting ransomware groups directly but an entire industry that sells them ready-made evasion tools.