Pierluigi Paganini
July 09, 2025
Elastic Security Labs has identified several malware campaigns using the commercial AV/EDR evasion tool SHELLTER. The tool was originally built for legitimate red team operations, however, threat actors have now adopted it to bypass security measures and deploy malware. Since April 2025, attackers have repeatedly used SHELLTER in infostealer attacks, as shown by license metadata. To counter this abuse, Elastic released a dynamic unpacker to analyze and detect SHELLTER-protected binaries more effectively.
“In mid-June, our research identified multiple financially motivated infostealer campaigns that have been using SHELLTER to package payloads beginning late April 2025. Evidence suggests that this is the Shellter Elite version 11.0, which was released on April 16, 2025.” reads the report published by Elastic Security Labs.
A company that bought Shellter Elite licenses leaked their copy, leading threat actors to use the tool in infostealer campaigns. The vendor has identified the issue and subsequently addressed the problem.
“Following the publication of the article “Taking SHELLTER: a commercial evasion framework abused in-the-wild” by Elastic Security Labs, we discovered that a company which had recently purchased Shellter Elite licenses had leaked their copy of the software. This breach led to malicious actors exploiting the tool for harmful purposes, including the delivery of infostealer malware.” wrote the company. “Despite our rigorous vetting process—which has successfully prevented such incidents since the launch of Shellter Pro Plus in February 2023—we now find ourselves addressing this unfortunate situation.”
The creators of Shellter criticized Elastic Security Labs for what they called a reckless and unprofessional disclosure. They claimed Elastic was aware of the malicious abuse of Shellter Elite for months but chose not to notify them, instead opting for a surprise exposé to gain publicity. According to Shellter’s team, this decision risked public safety and undermined both Elastic’s own detection products and broader community trust.
The statement underlined Shellter’s commitment to vetting its customers and cooperating with authorities, while calling for better communication between red and blue team communities in the cybersecurity industry.
In June, Elastic Security Labs discovered multiple malware campaigns using Shellter Elite to protect their malware, as confirmed by license metadata in the binaries. Threat actors rapidly adopted the tool’s evasive capabilities across different operations. Notably, a campaign spreading the LUMMA stealer began using Shellter in late April, with some malware files hosted on MediaFire, though the original infection method remains unclear.
Starting in May, threat actors used Shellter-protected malware in phishing campaigns targeting YouTubers with fake sponsorship offers from brands like Udemy and Duolingo. Victims received .rar files containing legitimate promo content alongside a hidden ARECHCLIENT2 (SECTOP RAT) infostealer. Meanwhile, RHADAMANTHYS infostealer was spread via YouTube comments on game hack videos, linking to malware hosted on MediaFire. Both stealers used Shellter to evade detection with low antivirus flagging.
Elastic Security Labs released a dynamic unpacker that uses static and dynamic analysis to extract payloads from binaries protected by SHELLTER.
“Elastic Security Labs is releasing a dynamic unpacker for binaries protected by SHELLTER. This tool leverages a combination of dynamic and static analysis techniques to automatically extract multiple payload stages from a SHELLTER-protected binary.” continues Elastic Security Labs..
“As SHELLTER offers a wide range of optional features, this unpacker is not fully comprehensive, although it does successfully process a large majority of tested samples. Even with unsupported binaries, it is typically able to extract at least one payload stage.
For safety reasons, this tool should only be executed within an isolated virtual machine. During the unpacking process, potentially malicious executable code is mapped into memory. Although some basic safeguards have been implemented, they are not infallible.”
On May 16th, researchers behind the X user @darkwebinformer warned of the sale of Shellter Elite v11.0 on a popular forum. This is the same version of the tool that attackers used in the campaigns observed by Elastic Security Labs.
🚨Shellter Elite v11.0 up for sale on a popular forum pic.twitter.com/RsCNY8nJ70
— Dark Web Informer – Cyber Threat Intelligence (@DarkWebInformer) May 16, 2025
Given that cracked versions of Cobalt Strike and Brute Ratel C4 have already ended up in the hands of cybercriminals and nation-state actors, it’s not far-fetched to expect Shellter might follow the same path.
“Despite the commercial OST community’s best efforts to retain their tools for legitimate purposes, mitigation methods are imperfect. They, like many of our customers, face persistent, motivated attackers. Although the Shellter Project is a victim in this case through intellectual property loss and future development time, other participants in the security space must now contend with real threats wielding more capable tools.” concludes the report.
In September 2022, threat actors cracked the Brute Ratel C4 (BRC4) post-exploitation toolkit and leaked it for free in the cybercrime underground.
In June 2022, researchers from Palo Alto Networks Unit 42 warned that threat actors are abusing legitimate adversary simulation software BRc4 in their campaigns to evade detection.
In July 2022, Sophos investigated an incident involving the use of the Brute Ratel tool in the wild, alongside Cobalt Strike, that was carried out by ALPHV/BlackCat ransomware gang.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
Security / November 03, 2025
