In yet another instance of threat actors repurposing legitimate tools for malicious purposes, it has been discovered that hackers are exploiting a popular red teaming tool called Shellter to distribute stealer malware.
The company behind the software said a company that had recently purchased Shellter Elite licenses leaked their copy, prompting malicious actors to weaponize the tool for infostealer campaigns. An update has since been released to plug the issue.
"Despite our rigorous vetting process – which has successfully prevented such incidents since the launch of Shellter Pro Plus in February 2023 – we now find ourselves addressing this unfortunate situation," the Shellter Project Team said in a statement.
The response comes shortly after Elastic Security Labs released a report about how the commercial evasion framework is being abused in the wild since April 2025 to propagate Lumma Stealer, Rhadamanthys Stealer, and SectopRAT (aka ArechClient2).
Shellter is a potent tool that allows offensive security teams to bypass antivirus and endpoint detection and response (EDR) software installed on endpoints.
Elastic said it identified multiple financially motivated infostealer campaigns using SHELLTER to package payloads beginning late April 2025, with the activity leveraging Shellter Elite version 11.0 released on April 16, 2025.
"Shellter-protected samples commonly employ self-modifying shellcode with polymorphic obfuscation to embed themselves within legitimate programs," the company said. "This combination of legitimate instructions and polymorphic code helps these files evade static detection and signatures, allowing them to remain undetected."
It's believed that some of the campaigns, including those delivering SectopRAT and Rhadamanthys Stealer, adopted the tool after version 11 went up for sale on a popular cybercrime forum in mid-May, using lures related to sponsorship opportunities targeting content creators as well as through YouTube videos claiming to offer gaming mods like Fortnite cheats.
The Lumma Stealer attack chains leveraging Shellter, on the other hand, are said to have been disseminated via payloads hosted on MediaFire in late April 2025.
With cracked versions of Cobalt Strike and Brute Ratel C4 previously finding their way to the hands of cybercriminals and nation-state actors, it wouldn't be entirely a surprise if Shellter follows a similar trajectory.
"Despite the commercial OST community's best efforts to retain their tools for legitimate purposes, mitigation methods are imperfect," Elastic said. "Although the Shellter Project is a victim in this case through intellectual property loss and future development time, other participants in the security space must now contend with real threats wielding more capable tools."
The Shellter Project, however, criticized Elastic for "prioritizing publicity over public safety" and for acting in a manner that it said was "reckless and unprofessional" by not notifying them quickly.
In a statement shared with The Hacker News, Elastic Security Labs said it became aware of potentially suspicious activity on June 18, 2025 and that it's committed to "transparency, responsible research, and openness." The entire statement from the company is below -
Our research publication, which describes several financially motivated threats and the commercial AV/EDR evasion framework (Shellter), was conducted in line with our commitment to transparency, responsible disclosure, and a defender-first mindset. The Elastic Security Labs team became aware of potentially suspicious activity on June 18, 2025, and promptly began investigating behaviors we identified as previously undetected malicious activity using publicly available information and telemetry voluntarily shared by our users. Following our initial investigation and after rigorous analysis, we determined that the publicly available tool, Shellter, was being used for evasion purposes. Our findings were published within two weeks of this determination.
We publish our findings directly and transparently to inform defenders as quickly as possible, as is industry standard and part of the work for our customers and users. Our priority is to inform the security community promptly and accurately about our research. We believe the public interest is best served by disclosing research as quickly as possible, once a thorough analysis has been concluded, to help defenders respond to emerging threats, including techniques used to bypass security controls.
Elastic Security Labs is composed of malware researchers, data scientists, offensive security engineers, and intelligence analysts who have uncovered dozens of novel threats and adversary tradecraft. Our work consistently helps organizations stay ahead of emerging threats, and we remain committed to operating with professionalism, integrity, and a defender-first mindset.
The Shellter Project Team has put out a follow-up statement, emphasizing that it did not have any issue with Elastic Security Labs publishing its findings, but that the company "could have informed us earlier" to allow it to respond or act in a timely manner.
"Moving forward, we plan to allocate development resources toward strengthening our DRM mechanisms," it said in a post on July 10, 2025. "While this incident was not the result of a direct attack on our DRM, but rather the consequence of someone leaking their licensed copy of the software, it has highlighted the need for additional safeguards."
The makers of Shellter also said their end goal is to make it harder to distribute unauthorized copies of the tool, regardless of whether the intention was malicious or accidental.
(The story was updated after publication to include a response from Elastic Security Labs and follow-up announcement from the Shellter Project Team.)
