Leaked Red Team Tool ‘Shellter Elite’ Used to Deliver Info-Stealers

A commercial red teaming tool is now in the hands of threat actors, raising concerns about tool leakage, responsible disclosure, and trust in the offensive security ecosystem.


Hackers Exploit Shellter Elite Following Leak

Shellter Project, the developer of Shellter Elite—a commercial payload loader built for evading antivirus and EDR (Endpoint Detection and Response) systems—has confirmed that its tool is being actively used in real-world attacks. The misuse began after a licensed customer leaked a copy of the software online, according to a company statement.

The unauthorized use, which had been quietly ongoing for several months, only came to the vendor's attention recently despite prior observations by independent researchers.

“This is the first confirmed incident of malicious abuse since we introduced a strict licensing model in February 2023,” the company noted.


What Is Shellter Elite?

Shellter Elite is a red team utility designed for penetration testers and security professionals. It allows payloads to be covertly embedded into legitimate Windows binaries. Its feature set includes:

  • Polymorphic code injection to bypass static detection
  • Runtime evasion techniques, such as AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) bypass, anti-debugging, and virtual machine detection
  • Call stack spoofing to avoid behavioral detection
  • Hook avoidance and decoy execution to further frustrate analysis

While legitimate use is intended for controlled environments and simulations, the leak has enabled malicious actors to weaponize the tool in real-world campaigns.


Elastic Security Labs Uncovers Abuse

On July 3, 2025, Elastic Security Labs published a report revealing that several threat actors had begun using Shellter Elite v11.0 to distribute information-stealing malware. Payloads identified included Rhadamanthys, Lumma, and Arechclient2.

According to Elastic’s analysis:

  • Malicious campaigns date back to April 2025
  • Distribution vectors included YouTube comments and phishing emails
  • All malware samples shared a unique license timestamp, suggesting a single leaked copy was in circulation

After Shellter reviewed the evidence, the vendor confirmed Elastic’s findings, acknowledging that the leak originated from a recently licensed customer.

Elastic also contributed by publishing detection rules for Shellter-generated payloads, making samples created with version 11.0 easier to identify going forward.


Shellter Responds—and Criticizes the Disclosure

In response, Shellter released Shellter Elite v11.1, available only to vetted customers, explicitly excluding the user responsible for the leak.

However, the vendor did not shy away from criticizing Elastic’s handling of the situation. In a pointed statement, Shellter accused the research team of choosing publicity over collaboration:

“They knew for months but chose secrecy over collaboration, prioritizing headlines over security. That’s reckless and unprofessional.”

Despite the criticism, Shellter acknowledged that Elastic provided valuable malware samples, which helped them trace the origin of the leak.

The company also issued an apology to its legitimate customers, reaffirming its commitment to ethical red teaming and distancing itself from cybercriminal abuse. Shellter stated it is prepared to cooperate with law enforcement if needed.


Key Takeaways

  • A leaked red team tool is being actively used to deploy info-stealers in the wild.
  • Malware was delivered via phishing emails and YouTube comment sections.
  • Elastic Security Labs developed detection signatures to identify affected payloads.
  • Shellter Project has issued a patched version and criticized Elastic for delayed disclosure.


Final Word

This incident highlights the fragile line between offensive security tools and their misuse. While red team frameworks like Shellter Elite serve a legitimate purpose, leaks—especially by customers—can lead to real-world damage. It also raises uncomfortable but necessary questions about researcher responsibility, disclosure timelines, and accountability within the security industry.

For now, Shellter Elite remains a legitimate red team asset—but its future may depend on how both vendors and researchers handle security breaches behind the scenes.
