The Shellter Project, the vendor behind the commercial AV/EDR evasion framework Shellter, has confirmed that hackers have weaponized its Shellter Elite product following a customer leak.
Shellter, a dual-use offensive security tool widely used by red teams, helps penetration testers bypass antivirus and endpoint detection systems during sanctioned security assessments. However, its capabilities have now been exploited by threat actors in real-world attacks, according to the vendor.
The Shellter Project said the misuse stems from a breach involving a company that recently purchased Shellter Elite licenses. The organization reportedly leaked the software, enabling malicious actors to deploy infostealers and other malware in active campaigns.
“We discovered that a company which had recently purchased Shellter Elite licenses had leaked their copy of the software. This breach led to malicious actors exploiting the tool for harmful purposes, including the delivery of infostealer malware,” the company said. “Despite our rigorous vetting process—which has successfully prevented such incidents since the launch of Shellter Pro Plus in February 2023—we now find ourselves addressing this unfortunate situation.”
Security researchers at Elastic Security Labs report that, since late April 2025, they have observed multiple financially motivated campaigns using Shellter to package and deliver infostealer malware. The findings suggest that attackers are using version 11.0 of Shellter Elite, released on April 16, 2025.
Although the Shellter Project released an update to mitigate the issue, the company admits that the update will not affect the already leaked version in the hands of unauthorized users. The vendor also said that it wasn’t informed of any abuse, despite signs of malicious exploitation appearing in the wild for several months.