Elastic Security Labs has identified multiple financially motivated malware campaigns leveraging the commercial AV/EDR evasion framework, SHELLTER.
Originally designed as a legitimate tool for sanctioned red team engagements, SHELLTER (marketed as Shellter Pro Plus/Elite) is now being actively exploited by criminal groups, providing them with sophisticated methods for deploying infostealers and other payloads while evading detection by modern security products.
Commercial Security Tools Repurposed
SHELLTER’s dual-use nature has always posed risks, despite the Shellter Project’s due diligence and licensing controls.
Since late April 2025, threat actors have integrated SHELLTER specifically the Elite v11.0 version, released on April 16, 2025 into campaigns distributing well-known malware such as LUMMA, RHADAMANTHYS, and ARECHCLIENT2.
These operations are notable for their advanced evasion features, including polymorphic obfuscation, in-memory payload encryption, system module unhooking, and call stack manipulation.
Such built-in protections make static and dynamic analysis challenging, even for experienced analysts, and contribute to low detection rates across antivirus platforms.
Technical analysis of SHELLTER-protected samples reveals a wide set of capabilities. The loader commonly inserts polymorphic junk code into legitimate binaries, impeding static scanning and disassembly.
It utilizes manual mapping and unhooking of critical system modules like ntdll.dll to bypass user-mode API monitoring typically employed by AV/EDR solutions.
Payloads are encrypted using AES-128 CBC, with keys either embedded or fetched from attacker-controlled infrastructure.
This encryption is sometimes layered with compression using algorithms like LZNT1, further obfuscating the malicious content.
Advanced Loader SHELLTER
In terms of stealth, SHELLTER proactively preloads essential system DLLs and corrupts call stacks during their loading, effectively masking the origin of sensitive API calls from security hooks.
It also unlinks decoy security modules from the Process Environment Block (PEB), thereby defeating certain behavioral detection mechanisms.
API address resolution is hidden through time-based hashing and pointer obfuscation, while runtime memory protection restricts the exposure of malicious code, using dynamic permission toggling and in-memory encoding/decoding loops.
SHELLTER further incorporates anti-analysis features such as advanced sandbox and hypervisor detection, dual-mode debugger checks via user and kernel flags, and multiple AMSI bypass techniques including in-memory patching and targeted COM provider sabotage.
Notably, a vectored exception handler-based API proxy mechanism redirects sensitive calls through controlled exceptions, evading straightforward monitoring.
The campaigns tracked by Elastic Security indicate broad adoption by the criminal underground.
Initial access vectors include phishing lures (often targeting YouTube content creators with fake sponsorship offers) and malicious links distributed through social media and file-sharing services like MediaFire.
The loader’s advanced anti-analysis defenses have allowed new and existing infostealers to evade widespread detection and maintain persistent access to target systems.
Responding to this threat, Elastic Security Labs has released a dynamic unpacker specifically designed to extract payloads from SHELLTER-protected binaries, aiding defenders in rapid analysis and detection.
Nonetheless, the continued abuse of commercial red team tools serves as a stark reminder: as defensive vendors advance their own protections, so too do motivated adversaries adapt, often repurposing the very tools intended for ethical security testing.
Elastic Security anticipates that SHELLTER will remain an attractive asset for both cybercriminal and potentially nation-state groups.
In parallel, the Shellter Project is expected to harden future releases to counter the detection methods detailed in this analysis.
The broader offensive security community faces a renewed challenge to prevent legitimate tools from being subverted for malicious ends.
Indicators of Compromise (IOCs)
| Type | Name/Value | Description |
|---|---|---|
| SHA-256 | c865f24e4b9b0855b8b559fc3769239b0aa6e8d680406616a13d9a36fbbc2d30 | Endorphin.exe / RHADAMANTHYS (SHELLTER-protected) |
| SHA-256 | 7d0c9855167e7c19a67f800892e974c4387e1004b40efb25a2a1d25a99b03a10 | SUPERAntiSpyware.exe / UNKNOWN FAMILY |
| SHA-256 | b3e93bfef12678294d9944e61d90ca4aa03b7e3dae5e909c3b2166f122a14dad | Aac3572DramHal_x64.exe / ARECHCLIENT2 |
| SHA-256 | da59d67ced88beae618b9d6c805f40385d0301d412b787e9f9c9559d00d2c880 | Branster.exe / LUMMA (SHELLTER-protected) |
| SHA-256 | 70ec2e65f77a940fd0b2b5c0a78a83646dec17583611741521e0992c1bf974f1 | IMCCPHR.exe / UNKNOWN FAMILY |
| SHA-256 | 263ab8c9ec821ae573979ef2d5ad98cda5009a39e17398cd31b0fad98d862892 | Pinnacle Studio Advertising materials.rar / Lure |
| Domain | eaglekl.digital | LUMMA C2 Server |
| IPv4 | 185.156.72[.]80 | ARECHCLIENT2 C2 Server |
| IPv4 | 94.141.12[.]182 | plotoraus.shop (RHADAMANTHYS C2) |
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
