Red Team Tool Shellter Abused in Real-World Infostealer Attacks
A Security Asset Turned Liability
Threat actors are actively abusing a commercial red team framework—Shellter Elite v11.0—to stealthily deliver malware payloads in financially motivated infostealer campaigns. Originally developed for sanctioned security testing, Shellter’s anti-virus/EDR evasion capabilities are now being used by cybercriminals to evade detection and execute post-exploit malware in the wild.
Security researchers from Elastic Security Labs began tracking the misuse in late April 2025, shortly after the tool’s official release on April 16. The version used in attacks was illegally acquired, allowing threat actors to seamlessly integrate its capabilities into multiple malware distribution operations.
Infostealers in the Wild: Lumma, Sectop RAT & Rhadamanthys
Multiple Campaigns, One Loader
Elastic identified several malware campaigns abusing Shellter as a loader, each deploying different info-stealing malware strains:
- Lumma Stealer: Delivered via unknown vectors, with payloads hosted on MediaFire.
- Sectop RAT (aka Lumma Stealer): Embedded in archive files (.rar) attached to phishing emails impersonating brands like Udemy, Skillshare, Duolingo, and Pinnacle Studio.
- Rhadamanthys Stealer: Distributed via YouTube videos related to game mods and hacking, with malicious links in video comments.
In one Rhadamanthys case, a single malicious file was submitted to analysis platforms over 120 times, showing widespread distribution.