In yet another example of threat actors reusing legal tools for malicious purposes, hackers have been found using a popular red teaming tool called shelters to distribute steeler malware.
The company behind the software said that the company that recently purchased a Shellter Elite license leaked a copy, urging malicious actors to weaponize the tools of their Infostealer campaign. An update was then released to plug in the issue.
“We have found ourselves tackling this unfortunate situation despite the rigorous review process that has successfully prevented such incidents since the launch of Shellter Pro Plus in February 2023,” the Shellter Project team said in a statement.
This response comes shortly after the Elastic Security Lab released a report on how commercial avoidance frameworks have been abused in the wild to propagate Lumma Stealer, Rhadamanthys Stealer, and Sectoprat (aka Arechclient2) since April 2025.
Shellter is a powerful tool that allows offensive security teams to bypass antivirus and endpoint detection and response (EDR) software installed on endpoints.
Elastic said it had leveraged Shelter Elite Version 11.0 on April 16, 2025 to identify multiple financially motivated infosealer campaigns using shelter to package payloads since late April 2025.
“Shelt-protected samples generally use self-correcting shellcode with polymorphic obfuscation to incorporate themselves into legitimate programs,” the company said. “This combination of legitimate instructions and polymorphic code helps these files avoid static detection and signatures, leaving them undetectable.”
Some of the campaigns offering theft of Sectoprat and Rhadamanthys are believed to have adopted the tool after version 11 was sold in the popular cybercrime forum in mid-May, using a YouTube video that offers game modes like game modes like Fortnite Mod, using lures related to sponsorship opportunities targeting content creators.
Meanwhile, the Lumma Stealer attack chain is said to have become popular via payloads hosted on MediaFire in late April 2025.
It’s not surprising that Shellter follows a similar trajectory, as cracked versions of Cobalt Strike and Brute Ratel C4 have previously found ways to go to the hands of cybercriminals and nation-state actors.
“Despite the best efforts of the commercial OST community to retain tools for legitimate purposes, mitigation methods are incomplete,” Elastic said. “While shelter projects are victims of this case through intellectual property loss and future development times, other participants in the security space must contest the actual threats wielding more competent tools.”
However, the shelter project criticized its resilience for “prioritizing publicity for public safety” and for acting in a way that was said to be “reckless and professional” by notifying it quickly.
Source link
