A commercially licensed penetration testing tool, Shellter Elite, has been abused by cybercriminals to distribute information-stealing malware after a licensed customer leaked their copy. The Shellter Project confirmed the unauthorized use and said that the malicious actors had used the tool's evasion capabilities in real-world attacks for months before the vendor learned of the misuse, because the researchers who discovered it did not notify Shellter in advance.
Commercial Penetration Tool Leaked and Abused by Threat Actors
Shellter Elite is a legitimate tool designed for red teams and penetration testers to stealthily inject payloads into Windows binaries. It is built to evade EDR and antivirus products through a combination of static and dynamic evasion techniques, including AMSI bypass, polymorphism, anti-debugging, and call stack integrity checks. The same evasion engine that lets an authorized tester slip past endpoint defenses is what makes a leaked copy valuable to a criminal operator.
In a statement, Shellter confirmed that a newly onboarded customer leaked their copy of the software, allowing threat actors to repackage it for malicious campaigns.
“This breach led to malicious actors exploiting the tool for harmful purposes, including the delivery of infostealer malware,” said the Shellter Project.
Attacks in the Wild Used Shellter to Deliver Infostealers
Security analysts at Elastic Security Labs disclosed that attackers have been using Shellter Elite version 11.0 since at least April 2025 to deliver several infostealer families, including:
- Rhadamanthys
- Lumma
- Arechclient2 (also known as SectopRAT)
The attackers distributed the malicious payloads through phishing emails and even YouTube comments, relying on Shellter's evasion engine to get past endpoint defenses. Because the license timestamp embedded in the generated payloads was the same across samples from otherwise unrelated campaigns, analysts concluded that a single leaked copy of the tool was being reused by multiple operators, an assessment Shellter later confirmed.
Shellter’s Response and Frustration with Researchers
Shellter has since released version 11.1 of Shellter Elite, distributed only to verified customers, but the company was vocal about its frustration with Elastic Security Labs. The vendor criticized the researchers for not disclosing the abuse sooner, arguing that the delayed notification may have hindered efforts to mitigate it.
“They were aware of the issue for several months but failed to notify us. Instead of collaborating to mitigate the threat, they opted to withhold the information in order to publish a surprise exposé—prioritizing publicity over public safety,” Shellter stated.
Elastic has since provided the necessary data to help Shellter identify the source of the leak.
Ongoing Security Measures and Commitment to Ethical Use
Shellter reiterated that it does not support or collaborate with cybercriminals and maintains strict controls over its licensing process. The vendor apologized to its customer base and stated it is willing to cooperate with law enforcement agencies to address any misuse.
The company emphasized that this was the first known case of abuse since its strict licensing model was introduced in February 2023. An update has been rolled out that invalidates the leaked build and cuts off further use by the customer identified as the source of the leak.