Shellter Project, which makes a commercial AV/EDR evasion loader for penetration testing, has admitted that hackers used its Shellter Elite product in attacks after a customer leaked a copy of the software.
The misuse has been ongoing for several months, and although security researchers detected the activity in the wild, Shellter was not notified. The vendor stated that this is the first recorded case of misuse since it introduced its stringent licensing policy in February 2023.
"We discovered that a company which had recently purchased Shellter Elite licenses had leaked their copy of the software," Shellter noted in a statement. "This breach led to malicious actors exploiting the tool for harmful purposes, including the delivery of infostealer malware."
Exploitation in the wild
Red teams and penetration testers use Shellter Elite, a commercial AV/EDR evasion loader, to covertly embed payloads inside legitimate Windows binaries so that they evade EDR tools during security engagements. In addition to dynamic runtime evasion (covering AMSI, ETW, anti-debug/VM checks, call stack and module unhooking avoidance, and decoy execution), the product offers static evasion through polymorphism.
Elastic Security Labs reported on July 3rd that numerous threat actors had been using Shellter Elite v11.0 to deploy infostealers, including Rhadamanthys, Lumma, and Arechclient2. Elastic researchers found that the activity began in April at the latest, with distribution relying on YouTube comments and phishing emails. Based on the unique licensing timestamps, the researchers suspected that the threat actors were all using a single leaked copy, which Shellter later confirmed.
Elastic has built detections for v11.0-based samples, so payloads created with that version of Shellter Elite are now detectable. Shellter has released Elite version 11.1, which will be available only to authorised customers, excluding the one who leaked the prior version. The vendor called Elastic Security Labs' failure to contact it "reckless and unprofessional", criticising Elastic for not notifying it of the findings earlier.
"They were aware of the issue for several months but failed to notify us. Instead of collaborating to mitigate the threat, they opted to withhold the information in order to publish a surprise exposé—prioritizing publicity over public safety," Shellter noted.
Elastic did, however, provide Shellter with the samples it needed to identify the offending customer. The firm apologised to its "loyal customers" and stressed that it does not do business with cybercriminals, stating its willingness to work with law enforcement when necessary.