The Unit 42 team at Palo Alto Networks has documented a prolonged and low-visibility campaign targeting government bodies
The post Ashen Lepus (WIRTE) Targets Middle East Governments with Stealthy AshTag Malware Toolkit appeared first on Penetration Testing Tools.
In the autumn of 2025, files began circulating in the public domain that are attributed to the Iranian
The post Deep Leak: APT35 Hackers’ Payroll, Kashef Surveillance System, and 2004 Nuclear Spy Document Exposed appeared first on Penetration Testing Tools.
A tool has been released into the public domain that enables covert monitoring of user activity on WhatsApp
The post Invisible Surveillance: Tool Exploits WhatsApp/Signal Network Latency to Track User Activity appeared first on Penetration Testing Tools.
Apple has released out-of-band patches addressing two zero-day vulnerabilities that were already being exploited in real-world attacks. The
The post Apple Emergency Patch: Two WebKit Zero-Days Actively Exploited in Targeted iOS Attacks appeared first on Penetration Testing Tools.
多个勒索软件团伙正借助一款名为Shanya的打包即服务平台,为其恶意载荷进行封装,以便在受害设备上禁用终端检测与响应解决方案。
打包服务可为网络犯罪分子提供专用工具,其核心作用是对恶意载荷进行封装处理,通过混淆恶意代码的方式,规避多数主流安全工具及杀毒引擎的检测。
据Sophos Security的遥测数据显示,Shanya打包服务于2024年末开始出现,此后使用率大幅攀升,采用该服务的恶意软件样本已在突尼斯、阿联酋、哥斯达黎加、尼日利亚、巴基斯坦等国被监测到。
目前已确认使用该服务的勒索软件团伙包括Medusa、Qilin、Crytox及Akira,其中Akira是该打包服务的最频繁使用者。
在勒索软件攻击中使用的Shanya打包器
Shanya打包服务的工作机制
威胁者需先将其恶意载荷提交至Shanya平台,平台会返回经定制化封装的“打包版”载荷,该过程会同时采用加密与压缩技术。
该服务主打生成载荷的唯一性,其宣传内容强调自身具备非标准模块内存加载、系统加载器桩函数独立封装能力,且每位客户在购买后,均可获得专属(相对)独立的桩函数及独特的加密算法。
加载器中的垃圾代码
具体来看,恶意载荷会被植入Windows系统DLL文件shell32.dll的内存映射副本中。尽管该DLL文件的可执行区段与文件大小看似合规,文件路径也无异常,但其文件头与.text区段已被解密后的恶意载荷覆盖。
值得注意的是,载荷在打包文件内处于加密状态,而在执行阶段,它会在内存中完成解密与解压,随后直接注入shell32.dll副本,全程不会写入磁盘,以此降低被检测的概率。
研究人员还发现,Shanya会通过在无效上下文下调用RtlDeleteFunctionTable函数,对终端检测与响应解决方案进行探测。这一操作会在用户态调试器环境中触发未处理异常或程序崩溃,从而在载荷完全执行前干扰自动化分析流程。
对EDR系统的禁用流程
勒索软件团伙通常会在攻击的数据窃取与加密阶段前,先禁用目标设备上运行的EDR工具,其执行流程一般通过DLL侧加载实现:将合法Windows可执行文件(如consent.exe)与经Shanya打包的恶意DLL(如msimg32.dll、version.dll、rtworkq.dll或wmsgapi.dll)进行组合加载。
根据Sophos的分析,这款EDR禁用工具会释放两款驱动程序:
1. 一款是由TechPowerUp签名的合法驱动ThrottleStop.sys(又称rwdrv.sys),该驱动存在可实现任意内核内存写入的漏洞;
2. 另一款是未签名的hlpdrv.sys驱动。其中,签名驱动用于实现权限提升,而hlpdrv.sys则会根据用户态下发的指令,对各类安全产品实施禁用操作。其用户态组件会先枚举当前运行的进程及已安装的服务,再将结果与内置的庞大硬编码列表进行比对,一旦匹配成功,便会向恶意内核驱动发送“终止”指令。
目标服务的部分列表
除了专注于禁用EDR的勒索软件操作者外,研究人员近期还监测到ClickFix攻击活动也在利用Shanya服务对CastleRAT远控木马进行封装。勒索软件团伙往往依赖打包服务来实现EDR禁用工具的隐蔽部署。
Ningbo is a major port city on China’s eastern seaboard, a key industrial hub of Zhejiang Province and
The post Geely Launches World’s Largest Safety Center in Ningbo, Targeting Zero Fatalities & Zero Data Leaks appeared first on Penetration Testing Tools.
If it already felt as though smartphone security advice had devolved into an endless catalogue of prohibitions, here
The post New Security Default: CERT-FR Urges Users to Fully Disable Wi-Fi When Not Active appeared first on Penetration Testing Tools.
MangaGamer has issued a warning about a potential supply-chain attack: in the latest print run of the physical
The post Supply Chain Alert: MangaGamer Higurashi USB Installers Compromised with Possible Floxif Malware appeared first on Penetration Testing Tools.
The GNOME Shell Extensions team has decided to tighten moderation rules in the EGO catalog in response to
The post Quality Control: GNOME Extensions Catalog Rejects Submissions with Unvetted AI-Generated Code appeared first on Penetration Testing Tools.
The 0patch team has reported that while analyzing CVE-2025-59230 in the Windows Remote Access Connection Manager (RasMan)—a flaw
The post Unpatched RasMan Zero-Day Allows Local System Takeover via DoS Crash and RPC Spoofing appeared first on Penetration Testing Tools.