
Malware Payloads Deployed in the Wild Using Abused AV/EDR Evasion Framework

Elastic Security Labs has sounded the alarm after uncovering multiple active infostealer campaigns leveraging the commercial AV/EDR evasion framework Shellter for malicious purposes.

Once marketed exclusively to offensive security professionals for red team simulation, Shellter is now being abused by threat actors to bypass modern security tools and deploy a potent array of malware in the wild.

Shellter Elite Hijacked by Threat Actors

Shellter, developed by the Shellter Project, was initially designed to help red teams stealthily deploy payloads for sanctioned security assessments.

Its commercial versions, Shellter Pro Plus and Shellter Elite, boast advanced anti-detection capabilities.

However, Elastic Security Labs has traced a surge in infostealer campaigns packaging their payloads with Shellter Elite 11.0 since April 2025, following its recent release.

(Figure: Activity Timeline)

Despite the vendor’s safeguards, such as geographic sales restrictions and rigorous due diligence, at least one copy of Shellter Elite has fallen into the hands of criminals.

The tool’s advanced evasion tactics have made it a favorite of financially motivated cybercriminals, as evidenced by low detection rates on VirusTotal for Shellter-protected payloads and active resale offers on illicit forums.

Technical Deep Dive: Evasion Features and Loader Tactics

Shellter-protected malware demonstrates several sophisticated anti-analysis and anti-detection mechanisms:

  • Polymorphic Junk Code: Payloads are obfuscated with self-modifying code, blending malicious and legitimate instructions to confuse static analysis tools.
  • System Module Unhooking: The loader maps clean copies of system DLLs (e.g., ntdll.dll) directly into memory, evading hooks set by security products.
  • AES Payload Encryption: Final malware payloads are protected with AES-128-CBC encryption and compressed using LZNT1, with decryption keys either embedded or fetched from remote servers.
  • DLL Preloading & Call Stack Evasion: Essential Windows DLLs are force-loaded in ways that corrupt the call stack, masking their origins and hindering behavioral detection.
  • Memory Scan Evasion & Indirect System Calls: Runtime decoding, memory permission tricks, and trampoline-based indirect system calls ensure a minimal forensic footprint.
  • AMSI Bypass: The loader corrupts the Windows Antimalware Scan Interface using patching and advanced COM-hijacking techniques, disabling script scanning and instrumentation.
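The AES-128-CBC plus LZNT1 layering described above is what an analyst has to reverse before a captured sample can be inspected or matched against YARA rules. The following is an added illustration written for this article, not Elastic's dynamic unpacker or any Shellter code: it implements a standalone LZNT1 decompressor (the MS-XCA chunk format, with the length/displacement split that shifts as the chunk fills) and an optional AES-CBC front stage. The compressed sample is hand-constructed for the example, the key and IV are assumed to have been recovered from the sample already, and PKCS#7 padding on the AES layer is an assumption, not something the report states.

```python
import struct

try:  # AES stage needs the third-party "cryptography" package; LZNT1 stage does not
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    from cryptography.hazmat.primitives import padding
except ImportError:  # pragma: no cover
    Cipher = None

# Constructed sample (not a real payload): one compressed LZNT1 chunk.
#   08 b0  -> header 0xB008: compressed, signature 3, chunk size 8+1 = 9 bytes
#   08     -> flag byte: token 3 is a back-reference, all others literals
#   41 42 43 -> literals "ABC"
#   06 20  -> token 0x2006: displacement 2+1 = 3, length 6+3 = 9 (overlapping copy)
#   44 45 46 -> literals "DEF"
SAMPLE_LZNT1 = bytes.fromhex("08b0" "08" "414243" "0620" "444546")


def _decompress_chunk(chunk: bytes) -> bytes:
    """Decode the body of one compressed LZNT1 chunk (header already stripped)."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[i])  # literal byte
                i += 1
                continue
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            # The split between displacement and length bits depends on how far
            # into the chunk the output position is (MS-XCA LZNT1 rule).
            pos = len(out) - 1
            len_mask, off_shift = 0xFFF, 12
            while pos >= 0x10:
                len_mask >>= 1
                off_shift -= 1
                pos >>= 1
            length = (token & len_mask) + 3
            offset = (token >> off_shift) + 1
            if offset > len(out):
                raise ValueError("back-reference points before start of chunk")
            for _ in range(length):  # byte-wise copy so overlapping refs repeat
                out.append(out[-offset])
    return bytes(out)


def lznt1_decompress(buf: bytes) -> bytes:
    """Decompress an LZNT1 stream made of 2-byte-header chunks (max 4096 bytes each)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        if header == 0:
            break  # zero header terminates the stream
        if (header >> 12) & 0x7 != 3:
            raise ValueError("bad LZNT1 chunk signature")
        size = (header & 0xFFF) + 1
        if pos + size > len(buf):
            raise ValueError("chunk length exceeds buffer")  # truncated/corrupt sample
        chunk = buf[pos:pos + size]
        pos += size
        out += _decompress_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


def unpack_payload(blob: bytes, key: bytes, iv: bytes) -> bytes:
    """Reverse both protection layers: AES-128-CBC (assumed PKCS#7 padded) then LZNT1."""
    if Cipher is None:
        raise RuntimeError("pip install cryptography to use the AES stage")
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(blob) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return lznt1_decompress(unpad.update(padded) + unpad.finalize())


if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE_LZNT1))  # b'ABCABCABCABCDEF'
    if Cipher is not None:
        # Round-trip demo with a constructed key/IV standing in for recovered ones.
        key, iv = b"\x11" * 16, b"\x22" * 16
        pad = padding.PKCS7(128).padder()
        enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
        blob = enc.update(pad.update(SAMPLE_LZNT1) + pad.finalize()) + enc.finalize()
        print(unpack_payload(blob, key, iv))
```

Run it on a dumped blob once the key material is known; the length check in `lznt1_decompress` is what keeps a corrupt or partially captured sample from silently producing garbage.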

Elastic researchers have also noted license checks and unique expiry “kill switches” embedded in illicit samples, hinting that a single stolen Elite license is behind most of the recent attacks.

Campaigns and Defender Response

Among the most prominent threats are the LUMMA, RHADAMANTHYS, and ARECHCLIENT2 infostealers, all of which have been observed using Shellter-protected launchers.

Notably, distribution channels include phishing lures, booby-trapped YouTube links, and file-sharing sites like MediaFire.

To support defenders, Elastic Security Labs has released a dynamic unpacker for Shellter-protected binaries, along with accompanying YARA rules, and urges organizations to update their detection mechanisms.

The firm warns that as threat actors further integrate advanced red team tools, defenders must anticipate rapid evolution in evasion techniques.

The leakage of commercial offensive security tools such as Shellter into the hands of criminals marks a dangerous escalation in malware sophistication, forcing the cybersecurity community to focus on rapid detection, analysis, and mitigation of these advanced threats.

Priya
