In yet another instance of threat actors repurposing legitimate tools for malicious purposes, it has been discovered that hackers are exploiting a popular red teaming tool called Shellter to distribute stealer malware.
The company behind the software said a company that had recently purchased Shellter Elite licenses leaked their copy, prompting malicious actors to weaponize the tool for infostealer campaigns. An update has since been released to plug the issue.
“Despite our rigorous vetting process – which has successfully prevented such incidents since the launch of Shellter Pro Plus in February 2023 – we now find ourselves addressing this unfortunate situation,” the Shellter Project Team said in a statement.
The response comes shortly after Elastic Security Labs released a report about how the commercial evasion framework is being abused in the wild since April 2025 to propagate Lumma Stealer, Rhadamanthys Stealer, and SectopRAT (aka ArechClient2).
Shellter is a potent tool that allows offensive security teams to bypass antivirus and endpoint detection and response (EDR) software installed on endpoints.
Elastic said it identified multiple financially motivated infostealer campaigns using SHELLTER to package payloads beginning late April 2025, with the activity leveraging Shellter Elite version 11.0 released on April 16, 2025.
“Shellter-protected samples commonly employ self-modifying shellcode with polymorphic obfuscation to embed themselves within legitimate programs,” the company said. “This combination of legitimate instructions and polymorphic code helps these files evade static detection and signatures, allowing them to remain undetected.”
It’s believed that some of the campaigns, including those delivering SectopRAT and Rhadamanthys Stealer, adopted the tool after version 11 went up for sale on a popular cybercrime forum in mid-May, using lures related to sponsorship opportunities targeting content creators as well as through YouTube videos claiming to offer gaming mods like Fortnite cheats.
The Lumma Stealer attack chains leveraging Shellter, on the other hand, are said to have been disseminated via payloads hosted on MediaFire in late April 2025.
With cracked versions of Cobalt Strike and Brute Ratel C4 previously finding their way to the hands of cybercriminals and nation-state actors, it wouldn’t be entirely a surprise if Shellter follows a similar trajectory.
“Despite the commercial OST community’s best efforts to retain their tools for legitimate purposes, mitigation methods are imperfect,” Elastic said. “Although the Shellter Project is a victim in this case through intellectual property loss and future development time, other participants in the security space must now contend with real threats wielding more capable tools.”
The Shellter Project, however, criticized Elastic for “prioritizing publicity over public safety” and for acting in a manner that it said was “reckless and unprofessional” by not notifying them quickly.
