A sophisticated new “packer-as-a-service” has emerged from the cybercriminal underworld, providing ransomware gangs with a powerful toolkit to bypass modern security defenses. Dubbed “Shanya” (or VX Crypt), this crypter has rapidly become a go-to utility for major threat actors including the Akira, Medusa, and Qilin ransomware groups, according to a new report from Sophos X-Ops.
First spotted on underground forums in late 2024, the service markets itself as a premium solution for evading antivirus detection. Operating under the name “Shanya”—which notably shares its name with a river in western Russia—the service promises advanced features such as AMSI bypasses for .NET assemblies, UAC (User Account Control) bypasses, and anti-virtual machine capabilities.
Sophos researchers note that this development marks a significant shift in the cybercrime ecosystem. “It is a fast-changing landscape, and now we are watching a new incarnation of the same type of service: the Shanya crypter – already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit,” the report states.
The Shanya crypter employs aggressive obfuscation to mask its payload. The loader is padded with “miles of junk code,” which bloats the binary and buries the real control flow, slowing both signature-based scanning and manual analysis.
One of its more distinctive evasion methods involves the Windows Process Environment Block (PEB). The loader builds a table of the API addresses it needs and stashes a pointer to that table in the PEB’s GdiHandleBuffer field, a legacy array of GDI handle slots that security tooling rarely inspects. Later stages read the pointer back from there, which lets them find the table without leaving the kind of imports or globals that analysis tools and security monitors look for.
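Checking for this from the defender’s side, as an added example that is not code from the Sophos report: the script below reads each process’s PEB and inspects the GdiHandleBuffer array for pointer-shaped contents. It assumes 64-bit Windows, an elevated shell, the x64 PEB layout (GdiHandleBuffer at offset 0x140, 60 ULONGs), and the heuristic that this legacy array is all zeros in an ordinary process; the function name and output fields are my own.

```powershell
# Added hunting example, not code from the Sophos report.
# Reads every process's PEB and inspects GdiHandleBuffer, the field the article
# says Shanya uses to hide its API-table pointer.
# Assumptions: 64-bit Windows, elevated shell, x64 PEB layout (GdiHandleBuffer
# at offset 0x140, 60 ULONGs), and that this legacy array is all zeros in an
# ordinary process. Function and field names are mine.
Add-Type -Namespace Hunt -Name Peb -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_BASIC_INFORMATION {
    public IntPtr Reserved1;  public IntPtr PebBaseAddress;
    public IntPtr Reserved2a; public IntPtr Reserved2b;
    public IntPtr UniqueProcessId; public IntPtr Reserved3;
}
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
    ref PROCESS_BASIC_INFORMATION pbi, int length, out int returned);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr address,
    byte[] buffer, int size, out IntPtr bytesRead);
'@

function Get-GdiHandleBufferHits {
    param([int[]]$ProcessId = (Get-Process).Id)
    $offset = 0x140          # PEB64.GdiHandleBuffer
    $length = 60 * 4         # ULONG[60]
    foreach ($procId in $ProcessId) {
        # Process.Handle opens the target; protected or higher-integrity
        # processes throw here and are skipped.
        try { $p = Get-Process -Id $procId -ErrorAction Stop; $h = $p.Handle } catch { continue }
        $pbi = New-Object 'Hunt.Peb+PROCESS_BASIC_INFORMATION'
        $returned = 0
        $status = [Hunt.Peb]::NtQueryInformationProcess($h, 0, [ref]$pbi,
            [Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$returned)
        if ($status -ne 0 -or $pbi.PebBaseAddress -eq [IntPtr]::Zero) { continue }
        $buf  = New-Object byte[] $length
        $read = [IntPtr]::Zero
        $addr = [IntPtr]::Add($pbi.PebBaseAddress, $offset)
        if (-not [Hunt.Peb]::ReadProcessMemory($h, $addr, $buf, $length, [ref]$read)) { continue }
        # Report any 8-byte value shaped like a user-mode pointer (non-zero and
        # below the 0x7FFFFFFFFFFF user-space ceiling). 4-byte stride so a
        # pointer stored at an odd ULONG slot is not missed; adjacent
        # overlapping hits are expected and are a triage aid, not a verdict.
        for ($i = 0; $i + 8 -le $length; $i += 4) {
            $v = [BitConverter]::ToUInt64($buf, $i)
            if ($v -ne 0 -and $v -lt 0x800000000000) {
                [pscustomobject]@{
                    ProcessId = $procId
                    Name      = $p.ProcessName
                    Slot      = $i / 4        # index into the ULONG array
                    Value     = '0x{0:X16}' -f $v
                }
            }
        }
    }
}

Get-GdiHandleBufferHits | Format-Table -AutoSize
```

Two caveats: a 32-bit payload in a WOW64 process writes the 32-bit PEB, where the array sits at offset 0xCC and holds 4-byte pointers, which this script does not read; and any hit should be confirmed by dumping the process and checking whether the value really points at a table of API addresses before acting on it.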
Shanya also uses a “doppelganger” technique to stage its payload. “The loader loads a second instance of a Windows system DLL,” typically shell32.dll, and then overwrites that copy’s .text section with the malicious payload, so the code runs from memory that belongs to a legitimately loaded system DLL. To cover its tracks further, it edits the entry in the PEB’s loaded-module list to give the DLL an odd or mocking name, such as mustard64.dll, or a filename containing offensive callouts to security researchers.
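One way to look for the renamed loader entry, as an added example rather than code from the report: PSAPI populates .NET’s ProcessModule objects from the target’s PEB loader entries, so a tampered entry surfaces there. The script below walks every process’s module list and flags entries whose base name and full path disagree or whose path does not exist on disk. It assumes an elevated shell; protected processes and cross-bitness cases throw on .Modules and are skipped, and a rename that rewrites both names consistently to an existing path would evade it. The function name and output fields are mine.

```powershell
# Added hunting example, not code from the Sophos report.
# Walks every process's loaded-module list (what PSAPI reads from the PEB Ldr
# entries) and flags entries whose names do not hang together, which is what
# the renaming described above produces.
# Assumptions: elevated shell; protected processes and cross-bitness cases
# throw on .Modules and are skipped; a rename that rewrites both BaseDllName
# and FullDllName to an existing path evades this check.
function Find-InconsistentModules {
    param([string[]]$Skip = @('System', 'Idle', 'Registry', 'Memory Compression', 'Secure System'))
    foreach ($proc in Get-Process | Where-Object { $_.ProcessName -notin $Skip }) {
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            if (-not $m.FileName) { continue }
            $reasons = @()
            $leaf = Split-Path -Leaf $m.FileName
            # ModuleName comes from BaseDllName, FileName from FullDllName;
            # in a normal process they agree.
            if ($m.ModuleName -ne $leaf) { $reasons += "base name '$($m.ModuleName)' != '$leaf'" }
            # The path in the loader list should exist on disk.
            if (-not (Test-Path -LiteralPath $m.FileName -PathType Leaf)) { $reasons += 'path not on disk' }
            if ($reasons) {
                [pscustomobject]@{
                    ProcessId = $proc.Id
                    Process   = $proc.ProcessName
                    Module    = $m.ModuleName
                    Path      = $m.FileName
                    Base      = '0x{0:X}' -f $m.BaseAddress.ToInt64()
                    Reason    = $reasons -join '; '
                }
            }
        }
    }
}

Find-InconsistentModules | Format-Table -AutoSize
```

Anything reported here deserves a memory dump of the module at the listed base address: the overwritten .text section will not match the on-disk shell32.dll, which is the definitive confirmation the names alone cannot give.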
Perhaps the most dangerous use of the Shanya packer is as an “EDR killer.” In observed attacks, the packer is used to side-load a malicious DLL (often named msimg32.dll) alongside a legitimate Windows executable (consent.exe): because Windows searches an executable’s own directory before System32 for a DLL that is not on the KnownDLLs list, a copy of consent.exe dropped next to the malicious DLL loads attacker code under the name of a trusted Microsoft binary.
Once running, the tool drops two kernel drivers: a legitimate but vulnerable driver (ThrottleStop.sys in the observed case) and a malicious unsigned one (hlpdrv.sys). This is the bring-your-own-vulnerable-driver (BYOVD) pattern: by abusing the vulnerable driver to gain kernel-level write access, the malware “sends a kill command to the malicious kernel driver,” which terminates the processes and services of a long list of endpoint protection and EDR products before the ransomware is deployed.
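A hunting script for the two artefacts just described, added here and not taken from the report: a consent.exe running outside System32 with msimg32.dll beside it, and the named driver pair registered as services. The file names are the indicators given in the article and nothing more; the function names, the path normaliser and the output fields are mine, and it needs an elevated shell.

```powershell
# Added hunting example, not code from the Sophos report.
# Looks for the two artefacts described above: a consent.exe running outside
# System32 with msimg32.dll beside it, and the named driver pair. The names are
# the indicators given in the article, not a complete list; run elevated.
function Find-SideloadedConsent {
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($p in Get-Process -Name consent -ErrorAction SilentlyContinue) {
        if (-not $p.Path) { continue }                     # image path not readable
        $dir = Split-Path -Parent $p.Path
        # The real consent.exe lives in System32; a copy elsewhere is the sideload host.
        if ($dir -ine $system32) {
            [pscustomobject]@{
                ProcessId   = $p.Id
                Path        = $p.Path
                Msimg32Next = Test-Path -LiteralPath (Join-Path $dir 'msimg32.dll')
            }
        }
    }
}

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName appears as \??\C:\..., \SystemRoot\..., a
    # path relative to the Windows directory, or a plain drive path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Find-SuspectDrivers {
    param([string[]]$Names = @('ThrottleStop.sys', 'hlpdrv.sys'))
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $d.PathName) { continue }
        $file = Resolve-DriverPath $d.PathName
        if ($Names -notcontains (Split-Path -Leaf $file)) { continue }
        # ThrottleStop.sys carries a valid signature, so status alone will not
        # flag it; its presence where the utility is not deployed is the signal.
        $sig = if (Test-Path -LiteralPath $file) {
            (Get-AuthenticodeSignature -LiteralPath $file).Status
        } else { 'FileMissing' }
        [pscustomobject]@{
            Service   = $d.Name
            State     = $d.State
            StartMode = $d.StartMode
            Path      = $file
            Signature = $sig
        }
    }
}

Find-SideloadedConsent | Format-Table -AutoSize
Find-SuspectDrivers   | Format-Table -AutoSize
```

The driver check covers services that are registered but not yet started, which matters because the kill sequence runs shortly before encryption; a fleet-wide query for either driver name, or for any kernel service whose image is unsigned, is the more general version of the same hunt.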
Detections are global, with notably high per-capita rates in the UAE, Chile, and Italy.
Beyond ransomware, Shanya has been implicated in other cybercrime campaigns. In September 2025, it was used in a “Booking.com-themed ClickFix campaign” to deliver the CastleRAT backdoor. In this attack, a fake “verification” screen tricked users into executing a PowerShell script that downloaded a Shanya-packed payload hidden within a zip file.
As these tools become more accessible to cybercriminals, the barrier to entry for launching sophisticated, evasive attacks continues to lower.