
From Red Team to Real Threat: Shellter Elite Leak Abused by Attackers

StratosAlly

Hackers have been found misusing Shellter, a tool originally meant for ethical red teaming, to deliver stealer malware. The vendor reported that a Shellter Elite license purchased by a client was leaked, allowing attackers to weaponize the tool for delivering infostealer malware. The incident prompted the developers to release a security update.

Shellter’s enhanced vetting measures, in place since the February 2023 rollout of Pro Plus, failed to catch the misuse. Elastic Security Labs later discovered that the tool had been quietly exploited to deploy Lumma, Rhadamanthys, and SectopRAT (also known as ArechClient2) as far back as April 2025.

Shellter is a tool designed to help red teams bypass antivirus and EDR solutions. However, Elastic discovered that its version 11.0, released on April 16, had been adopted by financially motivated actors to conceal malware within seemingly normal programs. These payloads use polymorphic, self-altering shellcode to evade detection.

The malware was spread in multiple ways. SectopRAT and Rhadamanthys were linked to social engineering lures such as fake sponsorships and YouTube videos promoting gaming cheats, particularly for Fortnite. Lumma was spread through download links on MediaFire. 

This isn’t the first time legitimate red-teaming tools, like cracked copies of Cobalt Strike or Brute Ratel, have ended up in the hands of malicious actors. Security researchers at Elastic Labs have flagged an evolving threat landscape, highlighting that attackers are using stealthier techniques that put defenders under pressure.

The Shellter Project team has expressed disappointment with Elastic, alleging that the company failed to communicate with them in a timely manner. In response, Elastic said it became aware of suspicious behavior involving the tool on June 18 and took time to investigate before publishing its findings. Elastic stood by its decision, stating that sharing findings quickly helps defenders stay ahead of the curve.
