Full Report
The company behind AV/EDR evasion tool Shellter has confirmed the product is being used by threat actors
Analysis Summary
# Tool/Technique: Shellter
## Overview
Shellter is a tool primarily used by professional Red Teams and penetration testers to evade detection by antivirus (AV) and Endpoint Detection and Response (EDR) security solutions while probing a client's attack surface. However, the developers have confirmed that unauthorized or malicious actors are now misusing this legitimate tool in the wild to deploy malware, such as infostealers.
## Technical Details
- Type: Tool (AV/EDR Evasion Tool)
- Platform: Not explicitly stated, but typically targets Windows/PE files given its evasion focus against standard endpoint security.
- Capabilities: Evasion of modern security products (AV/EDR), injection/modification of executables.
- First Seen: The article mentions that Shellter Pro Plus launched in February 2023, implying the tool itself predates that release. The misuse was reported in July 2025.
## MITRE ATT&CK Mapping
Based on the description of evading security products and deploying malware, the following tactics and techniques are relevant:
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (Implied, often used in conjunction with evasion tools)
- T1055 - Process Injection (Common technique for shellcode execution/hiding)
- TA0001 - Initial Access (If used to bypass initial defense checks)
## Functionality
### Core Capabilities
- Allows security professionals to test the effectiveness of security stacks against advanced payloads.
- Designed to hide malicious activity from standard security monitoring tools.
### Advanced Features
- The specific tier "Shellter Elite" is mentioned, suggesting different product tiers with varying levels of sophistication or features.
- Vetting processes are in place (for Shellter Pro Plus) designed to prevent unauthorized use by malicious actors.
## Indicators of Compromise
Since Shellter is a legitimate tool being *abused*, the primary IOCs relate to the malware it is used to deploy (e.g., infostealers). Specific indicators for Shellter itself are not provided in the text, likely due to its nature as a widely used penetration testing utility.
- File Hashes: [Not provided]
- File Names: [Not provided, likely variant names of the final payload]
- Registry Keys: [Not provided]
- Network Indicators: Attacks observed involved the deployment of **infostealers**. (Specific C2 details for the campaigns utilizing Shellter were not detailed in the provided abstract.)
- Behavioral Indicators: The core behavior is the successful circumvention of AV/EDR protection.
## Associated Threat Actors
- Red Teams and Penetration Testers (Intended Users)
- Threat Actors using the tool illicitly (Confirms misuse by "malicious actors"). The article references an incident where **Dragonfly 2.0** attackers probed the energy sector, though it doesn't explicitly state Dragonfly 2.0 used Shellter in *that* specific instance, only linking to related information.
## Detection Methods
- **Behavioral detection:** Monitor for behaviors commonly associated with code caves, process injection, and unusual execution flows. These are typical of penetration-testing tools and become suspicious when the tool is used outside expected, authorized engagements.
- **Signature-based detection:** Bypassing existing AV/EDR signatures is the tool's stated purpose, so signature matches alone cannot be relied on to catch it.
## Mitigation Strategies
- **Robust EDR/AV Configuration:** Ensure heightened security settings are employed to detect evasion techniques rather than just known malware signatures.
- **Behavioral Monitoring:** Focus on monitoring system calls, memory modifications, and process injection, which are common methods used by tools like Shellter to achieve evasion.
- **Vendor Communication Protocol:** Security vendors (like Elastic) should collaborate with legitimate tool developers (like Shellter Project) for responsible disclosure rather than immediate public disclosure, allowing time for patches or countermeasures.
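The behavioral-monitoring approach recommended in the Detection Methods and Mitigation Strategies sections (watching process injection and cross-process memory modification rather than file signatures) can be sketched as a small scoring rule over endpoint telemetry. The following is an added illustration, not code from the article or from the Shellter Project. It uses Sysmon's real event IDs (1 = ProcessCreate, 8 = CreateRemoteThread, 10 = ProcessAccess) and the real Windows access-right bits PROCESS_VM_WRITE (0x20) and PROCESS_CREATE_THREAD (0x02); the sample events, file paths, point values and threshold are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample events in a Sysmon-like shape (not real telemetry).
# Event IDs follow Sysmon: 1 = ProcessCreate, 8 = CreateRemoteThread, 10 = ProcessAccess.
SAMPLE_EVENTS = [
    {"eid": 1, "pid": 4100, "image": r"C:\Users\alice\Downloads\invoice_viewer.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # A user-path binary opens svchost with full access, then starts a remote thread
    # whose start address is not backed by any module on disk (hypothetical scenario).
    {"eid": 10, "source_pid": 4100, "source_image": r"C:\Users\alice\Downloads\invoice_viewer.exe",
     "target_image": r"C:\Windows\System32\svchost.exe", "granted_access": 0x1FFFFF},
    {"eid": 8, "source_pid": 4100, "source_image": r"C:\Users\alice\Downloads\invoice_viewer.exe",
     "target_image": r"C:\Windows\System32\svchost.exe", "start_module": "", "start_function": ""},
    # Benign-looking remote thread from a system component, backed by a known module.
    {"eid": 8, "source_pid": 812, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\svchost.exe",
     "start_module": r"C:\Windows\System32\ntdll.dll", "start_function": "RtlUserThreadStart"},
    # Process access with read-only rights: not enough to write and execute code remotely.
    {"eid": 10, "source_pid": 2200, "source_image": r"C:\Program Files\Vendor\agent.exe",
     "target_image": r"C:\Windows\System32\svchost.exe", "granted_access": 0x1010},
]

# Paths an ordinary user can write to; executables running from here deserve more scrutiny.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\(?:Downloads|AppData)|Temp)\\", re.IGNORECASE)

PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
# Writing into another process and starting a thread there is the minimum needed for injection.
INJECT_MASK = PROCESS_VM_WRITE | PROCESS_CREATE_THREAD


def score_event(ev):
    """Return (points, reason) for one event; (0, None) when nothing stands out."""
    if ev["eid"] == 8:
        # A remote thread whose start address maps to no loaded module is the
        # classic shape of injected code; module-backed threads are usually benign.
        if not ev["start_module"]:
            return 3, "remote thread start address not backed by a loaded module"
        if USER_WRITABLE.search(ev["source_image"]):
            return 2, "remote thread created from a user-writable path"
    if ev["eid"] == 10:
        if (ev["granted_access"] & INJECT_MASK) == INJECT_MASK and USER_WRITABLE.search(ev["source_image"]):
            return 2, "process opened with VM_WRITE|CREATE_THREAD from a user-writable path"
    return 0, None


def detect_injection(events, threshold=3):
    """Aggregate per-source-process scores and return the processes at or above threshold."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    images = {}
    for ev in events:
        pid = ev.get("source_pid")
        if pid is None:  # ProcessCreate events carry no source/target pair
            continue
        points, why = score_event(ev)
        if points:
            scores[pid] += points
            reasons[pid].append(why)
            images[pid] = ev["source_image"]
    return [{"pid": pid, "image": images[pid], "score": s, "reasons": reasons[pid]}
            for pid, s in sorted(scores.items()) if s >= threshold]


if __name__ == "__main__":
    for finding in detect_injection(SAMPLE_EVENTS):
        print(f"pid {finding['pid']} ({finding['image']}): score {finding['score']}")
        for r in finding["reasons"]:
            print("  -", r)
```

The point of scoring rather than alerting on any single event is that each signal on its own (a remote thread, a broad process handle, execution from Downloads) also occurs in legitimate software; it is the combination in one source process, independent of what the binary's bytes look like, that distinguishes an evasion loader from a signed agent. In practice the module-backed check and the path allow-list would be tuned against the organization's own baseline.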
## Related Tools/Techniques
- **Cobalt Strike:** Mentioned as another commercial tool highly prized by threat actors for similar purposes (post-exploitation frameworks and beaconing).
- Other AV/EDR Evasion Tools/Loaders.