Shellter Elite Exploited in Malware Campaigns After License Leak

Shellter Project, the developer behind the commercial AV/EDR evasion tool Shellter Elite, has confirmed that cybercriminals abused the software in real-world attacks following a license leak from a paying customer.

The unauthorized use persisted for several months before being publicly identified by cybersecurity researchers. Despite this, Shellter claims it received no direct notification about the abuse.

According to the vendor, this marks the first recorded case of misuse since it enforced a stricter licensing system in February 2023.

“We found that a recent customer leaked their licensed copy of Shellter Elite, which was subsequently weaponized by malicious actors to deliver infostealer malware,” the company stated.

Shellter has since issued a software update to mitigate the impact, though this release will not be provided to the compromised customer.

Malicious Use of Shellter Elite in the Wild

Shellter Elite is a legitimate red team tool used by security professionals to embed payloads into clean Windows executables while avoiding detection by endpoint defense systems like EDRs and antivirus programs. It supports advanced static and runtime evasion techniques, including polymorphism, AMSI bypass, ETW evasion, anti-VM and anti-debugging methods, and more.

However, in a report published on July 3rd, researchers at Elastic Security Labs revealed that multiple threat actors were exploiting version 11.0 of Shellter Elite to distribute infostealers such as Rhadamanthys, Lumma, and Arechclient2. The campaign reportedly began as early as April, with payloads spread via phishing emails and malicious YouTube comments.

Elastic analysts determined that the attackers were likely using a single leaked copy of the product — a suspicion that Shellter has since validated.

To counter this, Elastic has released detection signatures tailored to artifacts created with version 11.0, allowing security teams to flag malicious binaries generated using the leaked tool.

Shellter Responds with Version 11.1 and Criticism

In response to the abuse, Shellter released version 11.1 of Shellter Elite, restricting distribution exclusively to pre-screened and trusted clients. The original customer responsible for the leak has been permanently excluded from future access.

Shellter also criticized Elastic Security Labs for what it described as irresponsible conduct, accusing the firm of failing to notify them directly about the misuse, despite detecting it in active campaigns.

“We consider Elastic’s silence on this issue both reckless and unprofessional,” Shellter added.

However, despite the initial lack of communication, Elastic Security Labs eventually supplied Shellter Project with the forensic samples needed to pinpoint the source of the leak. This allowed the vendor to verify the identity of the offending customer responsible for the unauthorized distribution.

In its public statement, Shellter expressed regret over the incident and extended an apology to its loyal customer base, emphasizing that the company remains firmly opposed to malicious activity.

"We do not support or cooperate with cybercriminals in any capacity," Shellter stated, adding that it is fully prepared to assist law enforcement should any investigation arise from the incident.