Redazione RHC : 9 July 2025 10:50
Shellter Project, maker of a commercial loader for bypassing antivirus and EDR systems, has reported that hackers are using its Shellter Elite product in attacks after one of its customers released a copy of the software online. According to the manufacturer, the abuse has been ongoing for several months, and while security researchers had noticed the activity, Shellter representatives were not notified until recently.
The company emphasizes that this is the first known case of product misuse since the introduction of its strict licensing model in February 2023. “We discovered that a company that recently purchased Shellter Elite licenses has released its copy of the software,” Shellter said in a statement. “This leak has led attackers to use the tool for malicious purposes, including distributing infostealer programs.”
Shellter Elite is a commercial loader designed to bypass antivirus and EDR systems. It is often used by security professionals (pentesters and red teams) to stealthily embed payloads in legitimate Windows binaries. The product uses polymorphism to defeat static analysis and, at runtime, employs techniques such as AMSI and ETW bypass, anti-debugging and anti-virtualization protections, call stack masking, protection against hook removal, and the ability to launch decoys.
In a report published last week (July 3, 2025), Elastic Security Labs reported that several attackers are using Shellter Elite v11.0 to deploy infostealers, including Rhadamanthys, Lumma, and Arechclient2. Researchers discovered that this activity has been ongoing since at least April, and that the malware is distributed via YouTube comments and phishing emails. Based on unique license timestamps, the researchers hypothesized that the attackers were using a single leaked copy of the software, a fact later officially confirmed by Shellter representatives.
Furthermore, Elastic has developed detection capabilities for malicious samples created using version 11.0, so payloads created using this version of Shellter Elite can already be detected. In turn, the developers have released Elite version 11.1, which will be distributed only to verified customers, except those who leaked the previous version. The vendor also called Elastic Security Labs’ lack of cooperation “reckless and unprofessional” and criticized the researchers for not informing the company of their findings sooner.
“They had been aware of the issue for months, but failed to notify us. Instead of working together to combat the threat, they chose to hide the information and publish a surprise disclosure, prioritizing publicity over security,” the Shellter Project stated. However, it should be noted that the researchers provided Shellter with all the samples and information necessary to identify the responsible client. The company apologized to its “loyal customers” and emphasized that it does not collaborate with cybercriminals, expressing its willingness to cooperate with law enforcement if necessary.