SHELLTER Unpacker screenshot | Image: Elastic Security Labs
Elastic Security Labs has uncovered multiple malware campaigns leveraging the SHELLTER evasion framework—a product originally designed to aid red teams in simulating real-world attacks. What’s alarming is how quickly threat actors have adopted SHELLTER Elite v11.0 to deploy sophisticated infostealers such as LUMMA, RHADAMANTHYS, and ARECHCLIENT2 across a range of deceptive campaigns.
“SHELLTER is marketed to the offensive security industry for sanctioned security evaluations,” Elastic Security Labs explained. “However, beginning in late April 2025, we observed multiple financially motivated infostealer campaigns that have been using SHELLTER to package payloads.”
Originally built to bypass antivirus and EDR detection, SHELLTER provides offensive capabilities including polymorphic junk code, DLL preloading, memory scan evasion, and call stack corruption. Its commercial variant—Shellter Elite v11.0—offers a powerful suite of evasive techniques.
Among these are:
- Polymorphic Obfuscation: The loader injects malicious code into legitimate executables using self-modifying shellcode.
- Payload Encryption: Final payloads are encrypted with AES-128 CBC, either embedding the key or fetching it from a command-and-control server.
- API Obfuscation & Call Stack Evasion: Truncated or altered call stacks bypass common detection mechanisms used by AV/EDR products.
- AMSI Bypasses: It neutralizes Microsoft’s Antimalware Scan Interface through string patching and vtable corruption.
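The AES-128-CBC payload encryption listed above is the step an unpacker has to reverse once the key has been recovered, either from the binary or from a captured C2 exchange. The Go program below is an added example, not Elastic's SHELLTER Unpacker and not any SHELLTER code: it decrypts a constructed AES-128-CBC blob with a known key and IV, validates the PKCS#7 padding and checks for an MZ header, so that a wrong key or a truncated blob is rejected instead of being handed on as a "payload". The key, IV, sample plaintext, the PKCS#7 padding and the assumption that the final stage is a PE image are all constructed for this example; the page does not describe SHELLTER's padding scheme or where the IV is stored.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed fixtures for this example only; none of them come from a real sample.
var (
	sampleKey   = []byte("0123456789abcdef") // 16 bytes: AES-128
	sampleIV    = []byte("fedcba9876543210") // 16 bytes: one AES block
	samplePlain = append([]byte("MZ"), bytes.Repeat([]byte("constructed-stage "), 4)...)
)

// pkcs7Unpad strips PKCS#7 padding and rejects anything malformed. With CBC,
// a wrong key turns the last block into noise, so this is the first cheap
// signal that the recovered key or IV is wrong.
func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("data length is not a multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || n > len(data) {
		return nil, errors.New("invalid padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// DecryptStage decrypts an AES-128-CBC blob with a recovered key and IV,
// strips the padding, and confirms the plaintext starts with a PE "MZ" header
// (assumption: the protected stage is a PE image) before returning it.
func DecryptStage(blob, key, iv []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 needs a 16-byte key")
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be one AES block")
	}
	if len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob length is not a multiple of the block size (truncated?)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, blob)
	plain, err := pkcs7Unpad(out)
	if err != nil {
		return nil, fmt.Errorf("padding check failed, wrong key or IV?: %w", err)
	}
	if !bytes.HasPrefix(plain, []byte("MZ")) {
		return nil, errors.New("decrypted data has no MZ header")
	}
	return plain, nil
}

// makeSample builds the constructed stand-in for a protected stage: the fake
// PE plaintext, PKCS#7-padded and AES-128-CBC encrypted under key/iv.
func makeSample(key, iv []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pad := aes.BlockSize - len(samplePlain)%aes.BlockSize
	padded := append(append([]byte{}, samplePlain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

func main() {
	blob := makeSample(sampleKey, sampleIV)
	stage, err := DecryptStage(blob, sampleKey, sampleIV)
	if err != nil {
		fmt.Println("unpack failed:", err)
		return
	}
	fmt.Printf("recovered %d-byte stage, header %q\n", len(stage), stage[:2])
	// A wrong key must not silently produce a "stage".
	if _, err := DecryptStage(blob, []byte("ffffffffffffffff"), sampleIV); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
}
```

The two sanity checks are the part worth copying into a real unpacking script: without them, a brute-forced or mis-extracted key yields a block of noise that downstream tooling will happily treat as a dropped file.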
“SHELLTER bypasses user-mode hooks by using trampoline-based indirect syscalls,” the report reveals. “The continuous protection of key functionality during runtime complicates both analysis and detection efforts.”
Elastic Security Labs attributes a surge in malicious activity to the emergence of three major infostealers wrapped in SHELLTER’s cloak:
- LUMMA: Payloads were hosted on MediaFire, though the initial access vector remains unknown. Samples showed advanced evasion and drew minimal VirusTotal detections.
- ARECHCLIENT2 (aka SECTOP RAT): Targeting YouTube content creators, attackers used sponsorship-themed phishing emails, with download links to RAR archives bundling SHELLTER-protected stealers.
- RHADAMANTHYS: Spread through YouTube video comments promoting gaming hacks and mods, with one malicious sample submitted 126 times.
On May 16, a Twitter/X post from @DarkWebInformer highlighted the illicit sale of Shellter Elite v11.0 on a dark web forum. The product, typically bound by end-user license agreements and region-specific restrictions, had been compromised and was now fueling widespread malware deployment.
“Despite these [protective] efforts, highly motivated malicious actors remain a challenge,” Elastic’s report stated.
To counter this evolving threat, Elastic Security Labs has released a SHELLTER Unpacker. This tool is designed to extract malware stages from SHELLTER-protected binaries using a combination of static and dynamic analysis.
“Although some basic safeguards have been implemented, they are not infallible. For safety reasons, this tool should only be executed within an isolated virtual machine.”
Researchers can access the tool on Elastic’s GitHub repository.