
Legitimate Shellter Pen-Testing Tool Used in Malware Attacks

A stolen copy of Shellter Elite shows how easily legitimate security tools can be repurposed by threat actors when vetting and oversight fail. The post Legitimate Shellter Pen-Testing Tool Used in Malware Attacks appeared first on SecurityWeek.

Hackers have been using a legitimate, licensed copy of the evasion framework Shellter in information stealer campaigns, Elastic Security Labs warns.

For over a decade, offensive security service providers have used the commercial evasion tool in security evaluations to bypass anti-malware solutions without having to modify their own utilities to avoid detection.

Shellter’s developers have implemented safeguards to prevent the malicious use of their framework, and only sell their products to companies that pass a rigorous vetting process.

Since late April 2025, however, Elastic observed multiple infostealer campaigns abusing Shellter to package payloads. The software, Shellter Elite version 11.0, was released on April 16.

After analyzing the payloads, the security firm identified numerous artifacts resembling the capabilities of Shellter Elite, thus proving that the framework was used to pack them.

The tool was abused to pack Lumma, Arechclient2 (Sectop RAT), and Rhadamanthys payloads, and Elastic also identified a threat actor that was selling the evasion framework on a hacking forum.

Based on the analysis of the payloads’ license expiry datetime, self-disarm date, and infection start datetime settings, Elastic hypothesizes that threat actors acquired a single copy of Shellter Elite and abused it in their attacks.

The Shellter Project has confirmed that the threat actors were using a Shellter Elite copy, explaining that it had been stolen from a customer, but blamed Elastic for not notifying it about its findings earlier.

“We discovered that a company which had recently purchased Shellter Elite licenses had leaked their copy of the software. This breach led to malicious actors exploiting the tool for harmful purposes, including the delivery of infostealer malware,” Shellter said.

According to Shellter, it identified the issue after Elastic added detection for Shellter Elite-derived samples to its tools, and it decided to postpone the release of a new Shellter version in order to add a fix.

It was only after Elastic published its blog post and provided the identified manipulated samples that Shellter was able to identify the affected customer and mitigate the threat.

“Elastic Security Labs chose to act in a manner we consider both reckless and unprofessional. They were aware of the issue for several months but failed to notify us. Due to this lack of communication, it was sheer luck that the implicated customer did not gain access to our upcoming release,” Shellter said.

“Had we not postponed the launch for unrelated personal reasons, they would have received a new version with enhanced runtime evasion capabilities—even against Elastic’s own detection mechanisms,” it continued.
