Threat actors are now misusing Shellter, a legitimate red teaming tool, to spread stealer malware. This exploitation comes after a company that recently purchased Shellter Elite licenses inadvertently leaked their copy, enabling malicious campaigns to leverage the tool for distributing infostealers.
The Shellter Project team has since released an update to address the vulnerability, and expressed its disappointment that the leak occurred despite the rigorous customer vetting process it has in place.
Elastic Security Labs reported observing abuse of Shellter since April 2025, specifically noting its use in propagating Lumma Stealer, Rhadamanthys Stealer, and SectopRAT. Shellter is a powerful evasion framework designed to bypass antivirus and EDR software, and Elastic identified multiple financially motivated campaigns employing Shellter Elite version 11.0. The tool’s ability to embed self-modifying, polymorphic shellcode within legitimate programs helps the resulting payloads evade static detection and signature-based scanning.
It is believed that some campaigns, including those distributing SectopRAT and Rhadamanthys Stealer, adopted the tool after version 11 became available on a cybercrime forum in mid-May. These campaigns used lures such as sponsorship opportunities for content creators and YouTube videos offering gaming mods. Lumma Stealer attacks using Shellter were reportedly disseminated via payloads hosted on MediaFire in late April 2025.
This situation mirrors past instances where cracked versions of other legitimate offensive security tools like Cobalt Strike and Brute Ratel C4 have fallen into the hands of cybercriminals.
The Shellter Project criticized Elastic for allegedly prioritizing publicity over public safety and for not notifying them promptly before publishing their findings. Elastic Security Labs, however, defended their actions, stating they became aware of suspicious activity on June 18, 2025, and promptly investigated. They emphasize their commitment to transparency, responsible disclosure, and a “defender-first” mindset, publishing findings quickly to inform the security community about emerging threats and techniques used to bypass security controls.