Shellter Project, the vendor of a commercial AV/EDR evasion loader for penetration testing, confirmed that hackers used its Shellter Elite product in attacks after a customer leaked a copy of the software.
The abuse has been ongoing for several months, and although security researchers detected the activity in the wild, Shellter was not notified.
The vendor underlined that this is the first known incident of misuse since it introduced its strict licensing model in February 2023.
"We discovered that a company which had recently purchased Shellter Elite licenses had leaked their copy of the software," Shellter says in a statement.
"This breach led to malicious actors exploiting the tool for harmful purposes, including the delivery of infostealer malware."
Shellter has released an update to address the issue; it will not be distributed to the "malicious customer."
Shellter Elite abused in the wild
Shellter Elite is a commercial AV/EDR evasion loader used by security professionals (red teams and penetration testers) to deploy payloads stealthily within legitimate Windows binaries, evading EDR tools during security engagements.
The product features static evasion through polymorphism, and dynamic runtime evasion via AMSI, ETW, anti-debug/VM checks, call stack and module unhooking avoidance, and decoy execution.
In a report on July 3rd, Elastic Security Labs disclosed that multiple threat actors have been abusing Shellter Elite v11.0 to deploy infostealers, including Rhadamanthys, Lumma, and Arechclient2.