Full Report
In yet another instance of threat actors repurposing legitimate tools for malicious purposes, it has been discovered that hackers are exploiting a popular red teaming tool called Shellter to distribute stealer malware. The company behind the software said a company that had recently purchased Shellter Elite licenses leaked their copy, prompting malicious actors to weaponize the tool for
Analysis Summary
# Tool/Technique: Shellter
## Overview
Shellter is a popular commercial red teaming and offensive security tool: an evasion framework that packages payloads so they bypass standard antivirus (AV) and endpoint detection and response (EDR) products. It is now being abused by threat actors to distribute stealer malware. The tool was weaponized after a company that had purchased Shellter Elite licenses leaked its copy, giving malicious actors access; no vulnerability in Shellter itself is involved.
## Technical Details
- Type: Tool (Abused Commercial Evasion Framework)
- Platform: Windows endpoints (Shellter injects payloads into Windows PE executables to evade AV/EDR)
- Capabilities: AV/EDR evasion, payload packaging, self-modifying shellcode generation, polymorphic obfuscation.
- First Seen: Weaponization linked to activity starting late April 2025 (using version 11.0 released April 16, 2025).
## MITRE ATT&CK Mapping
While Shellter itself is a tool, its abuse maps directly to evasion tactics:
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (polymorphic obfuscation of the embedded shellcode)
- T1027.009 - Embedded Payloads (payload embedded within a legitimate program on disk)
- T1055 - Process Injection (only where the packaged payload itself injects at runtime; the embedding step is file-level, not process-level)
- T1622 - Debugger Evasion (self-modifying, polymorphic code that frustrates dynamic analysis)
## Functionality
### Core Capabilities
- Packaging malware payloads to evade static detection and signatures.
- Embedding payloads within legitimate programs.
### Advanced Features
- Utilizes **self-modifying shellcode** with **polymorphic obfuscation** to enhance evasion, making static analysis difficult.
## Indicators of Compromise
*Note: no specific IoCs for the malware distributed via Shellter (Lumma Stealer, Rhadamanthys Stealer, SectopRAT) are provided; only indicators related to the abuse of Shellter itself.*
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not provided]
- Network Indicators: [Not provided]
- Behavioral Indicators: Samples that exhibit self-modifying shellcode and polymorphic obfuscation when analyzed by security products. Use of Shellter Elite version 11.0 observed.
## Associated Threat Actors
- Financially motivated threat actors (Campaigns distributing Lumma Stealer, Rhadamanthys Stealer, and SectopRAT).
- Actors targeting content creators and using lures related to gaming mods (Fortnite cheats).
## Detection Methods
- Signature-based detection: Ineffective against polymorphic, Shellter-protected samples, since each packaged payload differs byte-for-byte.
- Behavioral detection: Focus on the behavior of the resulting shellcode (e.g., memory allocation and protection-change patterns, self-modification of executable memory, process execution chains) rather than on the carrier file.
- YARA rules: Target known Shellter protection artifacts or strings specific to the bundled malware families (Lumma Stealer, Rhadamanthys Stealer, SectopRAT), accepting that such rules will lag new builds.
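An added static triage example, written for this summary and not taken from the report or from the Shellter project. It parses PE section headers with the standard library and flags three generic structural signals that follow from the Functionality and Detection Methods notes above: a writable+executable section (in-place self-modifying code needs W+X memory), an executable section with near-8-bit entropy (typical of encrypted shellcode), and an entry point that lands in a writable or non-code section. The two sample PEs are constructed inside the script; the section names, the 7.0-bit entropy threshold, and the minimum section size are assumptions. These are triage signals, not a Shellter signature: an injector that redirects execution mid-flow rather than at the entry point, or that changes page protections only at runtime, will not trip the entry-point or W+X checks, which is why the notes above push detection toward the behavior of the shellcode itself.

```python
"""Static PE triage heuristics for self-modifying or obfuscated code.
Constructed example; not Shellter's code and not a Shellter signature."""
import math
import random
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; approaches 8.0 for encrypted or compressed data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint (RVA)
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "characteristics": chars,
                         "raw": data[rptr:rptr + rsize]})
    return entry, sections


def triage(data: bytes, entropy_threshold: float = 7.0, min_size: int = 256):
    """Return human-readable findings; an empty list means nothing was flagged."""
    entry, sections = parse_pe(data)
    findings = []
    for s in sections:
        ch = s["characteristics"]
        if ch & IMAGE_SCN_MEM_WRITE and ch & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: writable+executable section (self-modifying code needs W+X)")
        if ch & IMAGE_SCN_MEM_EXECUTE and len(s["raw"]) >= min_size:
            ent = shannon_entropy(s["raw"])
            if ent > entropy_threshold:
                findings.append(f"{s['name']}: executable section with entropy {ent:.2f} (packed or encrypted code)")
    ep = next((s for s in sections
               if s["va"] <= entry < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    if ep is None:
        findings.append(f"entry point 0x{entry:x} lies outside every section")
    elif ep["characteristics"] & IMAGE_SCN_MEM_WRITE or not ep["characteristics"] & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry point 0x{entry:x} in writable or non-code section {ep['name']}")
    return findings


def build_minimal_pe(entry: int, sections) -> bytes:
    """Constructed sample: a header-only PE32 from (name, va, characteristics, raw) tuples."""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 16, entry)  # AddressOfEntryPoint
    hdr_end = e_lfanew + 4 + len(coff) + opt_size + 40 * len(sections)
    first_rptr = rptr = (hdr_end + align - 1) // align * align
    hdrs, bodies = b"", b""
    for name, va, chars, raw in sections:
        rsize = (len(raw) + align - 1) // align * align
        hdrs += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                            len(raw), va, rsize, rptr, 0, 0, 0, 0, chars)
        bodies += raw.ljust(rsize, b"\0")
        rptr += rsize
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return image.ljust(first_rptr, b"\0") + bodies


CODE_RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
BORING_CODE = b"\x55\x8b\xec\x90" * 128  # push ebp; mov ebp,esp; nop, repeated (low entropy)
_rng = random.Random(1337)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for encrypted shellcode

# Constructed samples: a plain binary, and one carrying a W+X high-entropy stub that owns the entry point.
BENIGN = build_minimal_pe(0x1010, [(".text", 0x1000, CODE_RX, BORING_CODE),
                                   (".data", 0x2000, DATA_RW, b"hello\0" * 64)])
SUSPICIOUS = build_minimal_pe(0x3004, [(".text", 0x1000, CODE_RX, BORING_CODE),
                                       (".data", 0x2000, DATA_RW, b"hello\0" * 64),
                                       (".stub", 0x3000, CODE_RX | IMAGE_SCN_MEM_WRITE, RANDOM_BLOB)])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, triage(sample) or ["no findings"])
```

Run it against real files by replacing the constructed samples with `open(path, "rb").read()`; anything it flags still needs confirmation from runtime behavior (allocation and protection changes, the spawned process chain), because a clean header proves nothing about what the shellcode does once it unpacks.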
## Mitigation Strategies
- **Vendor Response/License Vetting:** The Shellter Project responded with an updated release after attributing the abuse to a customer's leaked Shellter Elite license rather than to a flaw in the tool. Vendors of commercial offensive tooling should vet licensees and monitor for unauthorized redistribution of their builds.
- **Advanced EDR/Behavioral Analysis:** Rely on endpoint solutions capable of detecting execution anomalies, process injection, and polymorphic code behavior, rather than static file signatures.
- **Tooling Supply Chain:** Expect leaked or cracked commercial offensive tools (Cobalt Strike, Brute Ratel C4, and now Shellter) to appear in criminal tradecraft, and tune detections for their known artifacts and behaviors accordingly.
## Related Tools/Techniques
- Cobalt Strike (Hacked/cracked versions previously used by threat actors)
- Brute Ratel C4 (Hacked/cracked versions previously used by threat actors)
- Lumma Stealer (Malware distributed using Shellter)
- Rhadamanthys Stealer (Malware distributed using Shellter)
- SectopRAT / ArechClient2 (Malware distributed using Shellter)