Shellter Framework Hijacked – Red Team Tool Abused to Launch Infostealer Campaigns

Jul 9, 2025 | News


Red Team Tool Shellter Abused in Real-World Infostealer Attacks

A Security Asset Turned Liability

Threat actors are actively abusing a commercial red team framework—Shellter Elite v11.0—to stealthily deliver malware payloads in financially motivated infostealer campaigns. Originally developed for sanctioned security testing, Shellter’s anti-virus/EDR evasion capabilities are now being used by cybercriminals to evade detection and execute post-exploit malware in the wild.

Security researchers from Elastic Security Labs began tracking the misuse in late April 2025, shortly after the tool’s official release on April 16. The version used in attacks was illegally acquired, allowing threat actors to seamlessly integrate its capabilities into multiple malware distribution operations.


Infostealers in the Wild: Lumma, Sectop RAT & Rhadamanthys

Multiple Campaigns, One Loader

Elastic identified several malware campaigns abusing Shellter as a loader, each deploying different info-stealing malware strains:

  • Lumma Stealer: Delivered via unknown vectors, with payloads hosted on MediaFire.
  • Sectop RAT (aka Lumma Stealer): Embedded in archive files (.rar) attached to phishing emails impersonating brands like Udemy, Skillshare, Duolingo, and Pinnacle Studio.
  • Rhadamanthys Stealer: Distributed via YouTube videos related to game mods and hacking, with malicious links in video comments.

In one Rhadamanthys case, a single malicious file was submitted to analysis platforms over 120 times, showing widespread distribution.


Advanced Evasion Tactics Leveraged by Shellter

Shellter offers a robust set of features designed for bypassing detection, now used maliciously:

  • Polymorphic shellcode: Helps evade static detection by embedding self-modifying code within legitimate binaries.
  • Call stack evasion: Hides the origin of calls such as LoadLibraryExW or LdrLoadDll to hinder analysis.
  • Preload system modules: Ensures critical Windows DLLs (e.g., networking or crypto libraries) are loaded for payload execution.
  • AV/EDR bypasses: Techniques include API unhooking, unlinking modules, memory scan evasion, and debugger detection.

Elastic noted these techniques were key in obfuscating the delivery and execution of malware in all observed campaigns.


Implications for the Security Community

The abuse of Shellter affects both the tool’s creators and the broader security ecosystem:

  • Shellter Project suffers intellectual property loss and now faces the challenge of releasing a more restrictive version.
  • Defenders and vendors must now respond to real-world threats using tools once reserved for ethical use.
  • Elastic researchers caution that nation-state groups could adopt Shellter for stealthy cyber operations.



A New Defensive Tool: Elastic’s Shellter Unpacker

To help defenders, Elastic Security Labs released a dynamic unpacker for Shellter-protected binaries. It combines static and dynamic analysis to extract payloads for inspection and reverse engineering.

However, analysts warn:

“The unpacker should only be used inside isolated virtual machines, as executable malware code is mapped into memory during analysis.”

Though not flawless, the tool processes most tested samples and can extract at least one payload stage even from unsupported binaries.


Source: darkreading.com
