Shanya makes EDR bypass a paid service. See how AI-driven threat detection spots packed malware and EDR killing behavior before ransomware spreads.

Shanya Packer-as-a-Service: How AI Spots EDR Killers
EDR bypass isn’t a “someday” problem. It’s a business model now.
Shanya is a packer-as-a-service operation that wraps ransomware and other payloads in obfuscation, then adds something nastier: an EDR killer designed to shut down the very tools most companies rely on to catch ransomware early. Sophos documented Shanya’s spread across 2025 and observed it used by multiple ransomware gangs. That should change how you think about endpoint security going into 2026.
This post is part of our AI in Cybersecurity series, and I’m going to take a clear stance: if your detection strategy assumes your EDR will always be alive, you’re building on sand. The good news is that AI-powered threat detection (done right) can spot the anomalies around packing and EDR tampering—often early enough to contain the blast radius.
Packer-as-a-service is the “enabler layer” ransomware needed
Packer-as-a-service (PaaS) exists for one reason: to raise the success rate of attacks without requiring attackers to be experts. Ransomware-as-a-service made extortion scalable; packer-as-a-service makes evasion scalable.
Here’s the practical difference:
- RaaS gives criminals a ransomware payload and an affiliate model.
- PaaS (packers) gives criminals a way to change the outer appearance and runtime behavior of malware so signatures, static scanning, and some sandboxing fall behind.
Shanya follows the path carved by earlier operations (Sophos and other reporting have pointed to prior packer ecosystems such as HeartCrypt). The pattern is consistent: when defenders tune detection for one packer, threat actors rotate to another that’s “hot” this month.
Why this matters to defenders
Packers aren’t new. What’s new is commercialization plus rapid iteration:
- A packer service updates its techniques.
- Multiple ransomware groups adopt it.
- Security teams chase new hashes and slightly different binaries.
That cycle favors the attacker unless you’re also operating at machine speed.
Shanya’s EDR killer changes the incident timeline
Shanya isn’t just trying to hide. It’s trying to turn off the lights.
According to Sophos’ reporting, Shanya functions as an EDR killer that drops both:
- a clean (legitimate) driver associated with real software, and
- a malicious unsigned kernel driver that abuses the clean one to gain capabilities like write access.
From there, it can target processes and services tied to security products for termination and deletion.
This is the part teams underestimate: EDR killing is an “incident acceleration” tactic. It compresses your response window.
The operational impact (what it looks like at 2 a.m.)
Once EDR components are disabled, several things happen fast:
- Telemetry drops or becomes inconsistent across endpoints.
- Your SOC loses confidence in “all clear” signals.
- Containment shifts from “isolate the infected host” to “assume lateral movement.”
Shanya has reportedly shown up in campaigns associated with ransomware groups including Akira, Medusa, Qilin, and Crytox. Sophos also tied similar techniques into social-engineering delivery chains (for example, ClickFix-style lures) and DLL side-loading to deploy remote access tooling.
If you’ve ever wondered why some ransomware events feel like they go from “normal morning” to “everything encrypted” in under an hour, EDR-kill tactics are a big reason.
What AI can catch when packed malware tries to look “normal”
AI can’t magically decrypt every packer or “see through” every obfuscation trick. But AI-driven threat detection can reliably flag inconsistencies in behavior, especially when the attacker has to do noisy things like loading drivers and tampering with security services.
Here’s the core idea:
Packing changes how malware looks. EDR killing changes what malware does. Behavior is harder to fake at scale.
Where AI-based detection has an advantage
Well-built AI security analytics (including models tuned for endpoint, identity, and network signals) can detect Shanya-like activity by focusing on patterns such as:
- Driver-loading anomalies: unusual kernel driver loads, especially unsigned or newly dropped drivers, and suspicious parent/child process relationships.
- Living-off-the-land plus tamper chains: sequences where benign utilities or legitimate drivers are abused to reach privileged actions.
- Security control interference: attempts to stop, disable, or delete services associated with security tooling.
- Cross-host weak signals: small, individually “meh” events that become meaningful when correlated across endpoints.
AI is at its best when it does correlation humans can’t do quickly—like noticing that three different endpoints in two business units experienced the same rare service-stop pattern within 12 minutes, after a similar file-write path and execution chain.
What AI still struggles with (and how to compensate)
AI struggles when you have:
- thin telemetry (limited endpoint visibility),
- inconsistent logging (missing identity or DNS data), or
- ungoverned endpoints (contractor devices, unmanaged BYOD).
The fix isn’t “buy more AI.” The fix is to make the signals reliable:
- standardize audit policies,
- enforce endpoint baselines,
- centralize driver and kernel event visibility,
- treat identity logs as first-class detection data.
AI can only detect what you actually measure.
A defensive playbook for Shanya-style packers (practical and fast)
If you’re reading this in December 2025, you’re likely heading into year-end change freezes, reduced staffing, and a spike in opportunistic attacks. That’s exactly when evasion tooling thrives.
Here’s what works in real environments.
1) Protect the protector (EDR hardening)
Your EDR should be treated as critical infrastructure, not just another agent.
Prioritize:
- Tamper protection: enable it, test it, and restrict who can disable it.
- Driver block rules: maintain deny lists for known abused drivers; alert on any endpoint that attempts to load risky drivers.
- Least privilege for endpoint admin: if attackers get local admin early, EDR killing gets much easier.
A blunt truth: many “EDR bypasses” are actually “endpoint admin compromises” followed by tampering.
2) Detect the chain, not the file
Packed malware exists to break file-focused detection. So flip the model.
Look for chained behaviors:
- Initial access (phishing, fake update prompts, drive-by)
- Execution with unusual parent process lineage
- Dropped driver(s) or service creation
- Attempts to stop security tooling
- Credential access or lateral movement
- Ransomware deployment
AI-driven detections are particularly strong here because they can score the sequence—not just one event.
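The two ideas above (the “Where AI-based detection has an advantage” list, with its driver-load anomalies and the three-endpoints-in-12-minutes correlation, and step 2’s “score the sequence, not one event”) can be shown concretely. The following is an added example written for this post; it is not Sophos’ detection logic or any vendor’s product code. The telemetry is constructed, and the event names, stage weights, the `EDRSensor` service name and the 30-minute and 12-minute windows are all assumptions chosen to illustrate the approach.

```python
"""Behaviour-chain scoring plus cross-host correlation over constructed endpoint
telemetry. Added illustration, not Sophos' or any vendor's detection logic;
event names, stage weights, the EDR service name and the time windows are
assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, event_type, detail).
SAMPLE_EVENTS = [
    ("2025-12-03T02:01:10", "ws-finance-07", "process_start", "outlook.exe -> powershell.exe"),
    ("2025-12-03T02:01:42", "ws-finance-07", "file_write", "C:\\ProgramData\\upd\\drv.sys"),
    ("2025-12-03T02:02:05", "ws-finance-07", "driver_load", "drv.sys unsigned=True"),
    ("2025-12-03T02:02:30", "ws-finance-07", "service_stop", "service=EDRSensor"),
    ("2025-12-03T02:09:12", "ws-hr-02", "driver_load", "drv.sys unsigned=True"),
    ("2025-12-03T02:09:40", "ws-hr-02", "service_stop", "service=EDRSensor"),
    ("2025-12-03T02:11:55", "ws-sales-11", "service_stop", "service=EDRSensor"),
    ("2025-12-03T09:30:00", "ws-it-01", "service_stop", "service=Spooler"),  # routine admin work
]

# Assumed weights for each stage of the chain; later, noisier stages weigh more.
STAGE_WEIGHTS = {"process_start": 1, "file_write": 1, "driver_load": 3, "service_stop": 4}
SECURITY_SERVICES = {"EDRSensor"}  # assumed service name for the EDR agent


def parse(ts):
    return datetime.fromisoformat(ts)


def is_security_service_stop(event_type, detail):
    """True only for service_stop events that target a security service."""
    if event_type != "service_stop":
        return False
    return detail.split("service=", 1)[-1] in SECURITY_SERVICES


def score_host_chains(events, window=timedelta(minutes=30)):
    """Score the sequence per host, not single events.

    Events within `window` of the host's first chain stage add their stage
    weight; a security-service stop that follows an unsigned driver load
    counts double, because that ordering is the tamper chain itself."""
    by_host = defaultdict(list)
    for ts, host, etype, detail in events:
        by_host[host].append((parse(ts), etype, detail))
    scores = {}
    for host, evs in by_host.items():
        evs.sort()
        start, score, saw_unsigned_driver = None, 0, False
        for t, etype, detail in evs:
            if etype not in STAGE_WEIGHTS:
                continue
            if etype == "service_stop" and not is_security_service_stop(etype, detail):
                continue  # stopping a non-security service is not a chain stage
            start = start or t
            if t - start > window:
                break
            weight = STAGE_WEIGHTS[etype]
            if etype == "driver_load" and "unsigned=True" in detail:
                saw_unsigned_driver = True
            if etype == "service_stop" and saw_unsigned_driver:
                weight *= 2
            score += weight
        scores[host] = score
    return scores


def correlate_service_stops(events, window=timedelta(minutes=12), min_hosts=3):
    """Fleet-level signal: distinct hosts that stopped a security service
    within one `window`; returns each distinct host set of size >= min_hosts."""
    stops = sorted((parse(ts), host) for ts, host, etype, detail in events
                   if is_security_service_stop(etype, detail))
    clusters = []
    for t0, _ in stops:
        hosts = {h for t, h in stops if t0 <= t <= t0 + window}
        if len(hosts) >= min_hosts and hosts not in clusters:
            clusters.append(hosts)
    return clusters


def triage(events, host_threshold=10):
    """Combine both views: a host whose own chain scores high is isolated; a
    low-scoring host that belongs to a cross-host cluster is still investigated."""
    scores = score_host_chains(events)
    clustered = set().union(*correlate_service_stops(events))
    verdicts = {}
    for host, score in scores.items():
        if score >= host_threshold:
            verdicts[host] = "isolate"
        elif host in clustered:
            verdicts[host] = "investigate"  # weak alone, meaningful with the fleet
        else:
            verdicts[host] = "none"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host:15} {verdict}")
```

The point of the two-layer design is visible in `ws-sales-11`: on its own it shows only a single service stop, which scores too low to act on, but because it falls inside the same 12-minute cluster as two hosts that ran the full driver-load-then-service-stop chain, it is promoted to “investigate” rather than ignored. A hash-based rule would have nothing to match on here at all.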
3) Build “EDR died” alerts (seriously)
Most teams alert on malware. Fewer teams alert on loss of visibility.
You want high-confidence alarms for:
- EDR service stopped unexpectedly
- Sensor heartbeat missing (per host and at fleet level)
- Sudden drop in endpoint event volume correlated with other suspicious activity
This is one of the most valuable “simple” detections you can add, and it pairs well with AI correlation.
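The three alarms listed above translate directly into a small monitoring check. The following is an added example for this post, not code from any EDR vendor; the heartbeat and event-volume data are constructed, and the 10-minute silence limit, the 10% fleet fraction and the 25% volume-drop ratio are assumptions you would tune to your own fleet. The `SUSPICIOUS_HOSTS` set stands in for whatever behavioural detection (driver loads, security-service stops) you already run.

```python
"""'EDR died' alerting over constructed heartbeat and event-volume telemetry.
Added illustration, not any vendor's product logic; field names, the 10-minute
silence limit, the fleet fraction and the volume-drop ratio are assumptions."""
from datetime import datetime, timedelta

NOW = datetime.fromisoformat("2025-12-03T02:30:00")

# Constructed: most recent sensor heartbeat per host.
LAST_HEARTBEAT = {
    "ws-finance-07": "2025-12-03T02:02:35",  # silent right after its EDR service stopped
    "ws-hr-02": "2025-12-03T02:09:45",
    "ws-sales-11": "2025-12-03T02:12:00",
    "ws-it-01": "2025-12-03T02:29:10",
    "srv-file-01": "2025-12-03T02:29:50",
    "ws-eng-03": "2025-12-03T01:40:00",  # laptop that went to sleep; no other signal
}
# Constructed: endpoint event counts (previous hour, current hour) per host.
EVENT_VOLUME = {
    "ws-finance-07": (480, 12),
    "ws-hr-02": (450, 9),
    "ws-sales-11": (500, 30),
    "ws-it-01": (400, 390),
    "srv-file-01": (2000, 1900),
    "ws-eng-03": (300, 0),
}
# Constructed: hosts flagged by a separate behavioural detection (driver load,
# security-service stop). Used to corroborate the visibility loss.
SUSPICIOUS_HOSTS = {"ws-finance-07", "ws-hr-02", "ws-sales-11"}


def stale_hosts(now, last_heartbeat, max_silence=timedelta(minutes=10)):
    """Per-host check: no heartbeat within max_silence (or none recorded at all)."""
    stale = []
    for host, ts in last_heartbeat.items():
        if ts is None or now - datetime.fromisoformat(ts) > max_silence:
            stale.append(host)
    return sorted(stale)


def volume_drop_hosts(event_volume, ratio=0.25):
    """Hosts whose current-hour event count fell below ratio * previous hour.
    A host with no previous-hour baseline cannot be judged and is skipped."""
    dropped = []
    for host, (previous, current) in event_volume.items():
        if previous > 0 and current < ratio * previous:
            dropped.append(host)
    return sorted(dropped)


def fleet_visibility_loss(stale, fleet_size, max_fraction=0.10):
    """Fleet-level check: too many sensors silent at once is itself an incident,
    whatever the individual hosts turn out to be doing."""
    return fleet_size > 0 and len(stale) / fleet_size >= max_fraction


def build_alerts(now, last_heartbeat, event_volume, suspicious_hosts):
    """High: visibility lost on a host that also showed suspicious behaviour.
    Medium: visibility lost with no corroborating signal (still worth a ticket)."""
    stale = set(stale_hosts(now, last_heartbeat))
    dropped = set(volume_drop_hosts(event_volume))
    blind = stale | dropped
    return {
        "high": sorted(blind & suspicious_hosts),
        "medium": sorted(blind - suspicious_hosts),
        "fleet_visibility_loss": fleet_visibility_loss(stale, len(last_heartbeat)),
    }


if __name__ == "__main__":
    alerts = build_alerts(NOW, LAST_HEARTBEAT, EVENT_VOLUME, SUSPICIOUS_HOSTS)
    for level in ("high", "medium"):
        for host in alerts[level]:
            print(f"[{level.upper()}] visibility lost on {host}")
    if alerts["fleet_visibility_loss"]:
        print("[HIGH] fleet-level visibility loss: treat as incident, not maintenance")
```

Two design choices matter here. First, a silent sensor is never downgraded to “probably asleep” on its own: `ws-eng-03` still produces a medium alert even with no other signal, because the post’s whole point is that loss of visibility deserves a ticket. Second, the fleet-level check runs on the raw stale count, not on the corroborated subset, so a wave of sensors going dark fires an alarm even before any behavioural detection has caught up.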
4) Segment for ransomware reality
Segmentation isn’t glamorous, but it changes outcomes.
- Separate workstation networks from server networks.
- Limit SMB and admin shares to what’s necessary.
- Restrict lateral movement paths with identity-aware controls.
When attackers deploy packers and EDR killers, they’re betting on fast spread. Segmentation forces them to slow down.
5) Rehearse your response when EDR is partially blind
If Shanya’s goal is to degrade detection, practice operating without your preferred tools.
Run a tabletop where:
- 15% of endpoints lose EDR telemetry.
- Your SOC must decide containment actions with imperfect data.
- You validate alternate sources (network, identity, backup integrity, AD changes, DNS logs).
The goal is confidence under uncertainty.
“Can AI stop this before encryption?” Yes—if it’s deployed correctly
AI can help you stop Shanya-like attacks earlier than traditional approaches, but only if it’s part of an end-to-end detection and response strategy.
Here’s a realistic “AI-assisted win” path I’ve seen work:
- AI flags an unusual driver-load plus service-stop attempt on one endpoint.
- Correlation finds a similar early-stage pattern on two other endpoints.
- Automated response isolates hosts and forces credential resets for impacted accounts.
- Threat hunting pivots on the behavioral pattern (not hashes) to find more infections.
- Recovery stays limited to a few endpoints instead of an org-wide outage.
That’s the promise of AI in cybersecurity when it’s treated as decision support plus automation, not a magic oracle.
Attackers are productizing evasion. Defenders need to productize detection.
What to do next (if Shanya is on your radar)
If you only do three things this month:
- Audit your EDR tamper protection and admin controls (verify who can disable agents and how).
- Add alerts for driver anomalies and security service termination (and test them).
- Deploy AI-driven correlation across endpoint + identity + network signals to catch the chain, not the artifact.
If you’re building your 2026 roadmap for the AI in Cybersecurity program, this is a strong place to focus: anomaly detection for evasion techniques and automated response when visibility degrades.
Ransomware groups will keep paying for packers and EDR killers because it raises conversion rates. The question worth asking going into the new year is simpler: If a small set of endpoints goes dark, do you get a high-priority alert—or do you find out after encryption starts?