Elastic Security Labs recently discovered that a full-featured commercial evasion tool—called SHELLTER—has been hijacked by cybercriminals to silence anti-malware tools, steal information and run undetected on victims’ systems.
Developed and sold to legitimate “red teams”—security firms that test defenses—SHELLTER now seems to be aiding real cyberattacks. That’s a problem.
SHELLTER has been around for more than a decade. It’s used by ethical pen‑testers to wrap payloads in a way that hides them from AV and EDR systems. But versions with advanced evasion features—what Elastic calls “Elite”—are powerful enough that criminal groups can weaponize them.
Since April 2025, several infostealer campaigns use SHELLTER-protected loaders to drop malware. Elastic found that the compromised kit is version Elite 11.0, released April 16 2025. That means skilled crooks now have turnkey access to advanced stealth capabilities.
Who’s using it, and how
Researchers from Elastic spotted multiple financially motivated malware operations deploying SHELLTER to wrap various info‑stealers. Among these:
- LUMMA – first surfacing late April. Spread via files on MediaFire.
- ARECHCLIENT2 (aka SECTOP RAT) – tied to phishing lures promising YouTube sponsorships or brand deals. Delivered in RAR archives with fake promotional content.
- RHADAMANTHYS – spread via YouTube comments on game-hacking or mod videos, linking to malicious downloads on MediaFire.
All of them include a SHELLTER-protected EXE. Tests in VirusTotal show these are slipping through detection—thanks to polymorphic junk code, encrypted payloads, API unhooking tricks, and memory protections.
What makes SHELLTER Elite tick
Elastic’s report explains a heap of anti‑analysis stealth tricks built into the Elite version. Here are the big ones:
1. Polymorphic shellcode + junk code
SHELLTER adds self-modifying, timed garbage into loaders. That breaks signature detection and static analysis.
2. Loading a clean ntdll.dll
Loads a fresh copy of system DLLs to skip AV/EDR hooks. It does this either by file mapping or from KnownDLLs.
3. AES-128 CBC encryption + LZNT1 compression
Payload is compressed then encrypted, with key/IV either built in or fetched from a remote server.
4. DLL preloading + broken call stacks
Loads common Windows modules (e.g., advapi32.dll, wininet.dll) in ways that hide the real origin of the call.
5. Unlinking AV/EDR modules from the PEB
Removes telltale signs from the process’s module list—the malware deletes decoy DLL names from memory .
6. Time-based API hashing
Computes API addresses on the fly using time seeds and obfuscated hashes to hide import resolution .
7. Built‑in kill‑switch (license expiry + self‑disarm)
Each loader has three embedded dates: license expiry, infection start, and self‑destruct. If the date passes, it will shut itself down.
8. Memory scanning avoidance
It fluctuates memory permissions, decodes code only when needed, and wipes footprints to evade YARA/scanners.
9. Indirect syscalls + call stack corruption
It uses trampoline-based syscalls to avoid user-mode hooks, and deliberately cuts call stacks to confuse detection.
10. VM/hypervisor checks + anti-debugging
Looks for signs of virtual environments or debuggers, both in user-mode and kernel-mode.
11. AMSI bypass in two ways
It tampers with AMSI in memory or breaks its COM lookup, and falls back to rewriting the vtable of AMSI COM objects.
12. Vectored exception handler proxy
Uses fake pages and exception handlers to redirect legit API calls through handler code, hiding real execution paths.
That’s a lot. SHELLTER Elite combines features tailor-made to outsmart both static and dynamic defenses.
How it spreads:
Elastic’s timeline shows who’s using this:
- LUMMA – spotted late April on MediaFire. Likely the first wave .
- On May 16, a user on X/Twitter (@DarkWebInformer) posted that SHELLTER Elite v11.0 was being sold on a forum, with an escrow service acting as middle‑man .
- May onward – spear‑phish targeting YouTubers via ARECHCLIENT2 with fake sponsorship content .
- RHADAMANTHYS – distributed via YouTube comments on game‑hack videos.
In each case, the final payload is wrapped in SHELLTER, which gives attackers a stealth boost.
Who’s to blame?
The Shellter Project sells both a free and paid version. The free version only supports 32-bit executables and is well-known to researchers. The Elite version (which includes the advanced features above) costs money and is meant for professional red teams. The Project says they have controls—like EULAs, vetting and geographic limits—but it looks like someone got Elite and reversed, rented, or leaked it.
Elastic notes that only one copy of Elite seems in the wild. The same license expiry date is hard-coded in multiple samples, which strongly suggests a single compromised license.
Shellter Project itself recently said they are investigating how Elite was misused and are working with Elastic. They stress they don’t support criminal use.
What comes next
Elastic predicts:
- More underground sell-offs of SHELLTER Elite.
- Criminal syndicates or even nation-state actors adopting the kit.
- The Shellter Project will update Elite to disable or track illicit copies.
- Attackers will reverse those counter-measures and evolve their toolkits .
Wrapping up
SHELLTER started as a red‑team tool to test defenses. Now it’s being turned against those same defenses. Criminals have built stealth loaders around real info-stealers and are slipping past protections.
Elastic’s unpacker and detection guides give defenders a fighting chance. But defenders must stay alert. Next generation evasion tools are already in play.
Quick glossary
- SHELLTER – Loader built with Elite features (v11.0).
- Shellter Project – Company behind SHELLTER.
- Elite – Paid version with advanced stealth tricks.
- Infostealer – Malware that steals data (like LUMMA, ARECHCLIENT2, RHADAMANTHYS).
- AV/EDR – Antivirus and endpoint threat detection.
- VM – Virtual machine sandbox.
- YARA – Rule-based detection language.
