Leaked Shellter Elite Tool Now Enabling Infostealer Attacks Worldwide
A new report details how the advanced hacking tool Shellter Elite was leaked and is now being used by cybercriminals. Learn about its evasion techniques and the infostealer campaigns.
Shellter Elite, a sophisticated tool for cybersecurity professionals, has fallen into the wrong hands, with its leaked copy being actively used by cybercriminals. This disclosure comes after security researchers at Elastic Security Labs identified its use in widespread attacks, leading to the deployment of several notorious infostealers. This research was shared with Hackread.com.
For your information, Shellter Elite is a specialised program intended for ethical hackers, also known as red teams or penetration testers, to help them test the defences of computer systems by deploying hidden software within normal Windows files, enabling evasion of EDR tools.
Elastic’s technical report highlights Shellter Elite’s capabilities for evading analysis and detection, including polymorphic obfuscation, unhooking system modules, and encrypting payloads using AES-128 CBC.
The Shellter Project, the company behind the software, confirmed that a company which had recently purchased Shellter Elite licenses had leaked their copy. This breach allowed cybercriminals to use the tool for harmful activities, including spreading infostealer malware (software designed to steal sensitive personal information). Shellter stated this is the first known incident of misuse since their strict licensing model was introduced in February 2023, emphasising their strict vetting process.
Evidence from an underground hacker forum, as seen in a screenshot dated May 16, 2025, indicates that Shellter Elite v11.0 is being offered to serious buyers. The forum post notes its high cost compared to similar tools like Brute Ratel or Cobalt Strike, and highlights how difficult it is to obtain. This online discussion underscores the black market interest in the leaked software.
Elastic Security Labs publicly reported on July 3 that multiple hacking groups have been exploiting Shellter Elite v11.0 since at least April 2025, distributing infostealers such as Rhadamanthys, Lumma, and Arechclient2 through YouTube comments and phishing emails.

Elastic observed sophisticated evasion techniques in these malicious campaigns, such as API hashing obfuscation and advanced VM/sandbox and debugger detection. Based on unique license details, Elastic researchers believed the hackers were using a single leaked copy, a fact later confirmed by Shellter.
In response, Shellter has released an updated version, Elite 11.1, which will only be provided to carefully checked customers, specifically excluding the one responsible for the leak. Elastic has also developed new ways to detect payloads created with the older, leaked v11.0 version.
However, Shellter accused Elastic of “reckless and unprofessional” conduct, claiming they prioritised a “surprise exposé” over public safety by withholding details for months. This delay, Shellter noted, nearly resulted in the malicious actor receiving a more evasive update.
While criticising Elastic’s approach, Shellter did thank Devon Kerr from Elastic for providing samples that helped them confirm the customer’s identity. The Shellter Project also apologised to its customers and reaffirmed its commitment to cooperating with law enforcement against cybercriminals.
“The abuse of Shellter Elite is an urgent reminder that every security tool built for ethical offence can be weaponised against the organisations it was meant to protect,” said Ronen Ahdut, Head of Cyops at Cynet. “In this way, the hijacking of Shellter Elite exemplifies a structural vulnerability in the supply chain for offensive cybersecurity tools.”
“As Shellter’s compromise is investigated, cybersecurity leaders must take action to strengthen operational defences and increase vendor oversight,” Ronen emphasised.
This isn’t the first time a tool built for ethical hacking has ended up in the wrong hands. Cobalt Strike is one of the best-known examples: originally made for red teams to test network security, it has been cracked and spread through underground forums for years.
Today, cybercriminals and ransomware gangs use it to breach systems and deploy malware, turning a tool meant to help companies protect themselves into something attackers use against them.