Inside Shanya: The Packer-as-a-Service Powering Modern Attacks
- Dec 7, 2025
Key Findings:
A new packer-as-a-service offering called "Shanya" has been gaining popularity among ransomware groups.
Shanya offers features like AMSI bypass, UAC bypass, runtime protection, and anti-VM/sandbox evasion.
Early samples of the Shanya crypter contained revealing information about its purpose and development.
The Shanya packer has been detected in a wide geographic distribution, with higher prevalence in certain countries like Tunisia and the UAE.
The packed executables exhibit techniques to evade detection and analysis.
Background
Near the end of 2024, references to a new offering called "VX Crypt" appeared on underground forums, credited to an entity called "Shanya." The features described, such as AMSI bypass, runtime protection, and anti-VM capabilities, match the characteristics of the packer we have found in various malware samples.
Early Samples and Artifacts
Early samples of the Shanya crypter contained revealing artifacts, such as the executable name "shanya_crypter.exe" and DLL names containing the token "f■ckav," which point to its intended purpose: evading antivirus and other security products.
Geographic Distribution
Analysis of Shanya-packed malware samples detected by Sophos shows a wide geographic distribution, with higher prevalence in certain countries like Tunisia and the UAE, as well as clustering in the Shenzhen area of China.
Under the Hood: The Packed Executables
Executables produced by the Shanya packer rely on obfuscation, anti-debugging checks, and runtime protection to resist both automated detection and manual analysis.
Sources
https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/
https://malware.news/t/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/102354