Taking SHELLTER: a commercial evasion framework abused in-the-wild

Elastic Security Labs has detected multiple infostealer campaigns leveraging the commercial AV/EDR evasion framework SHELLTER, particularly the Shellter Elite version 11.0 released in April 2025. The framework provides sophisticated evasion capabilities, including polymorphic shellcode, API unhooking, payload encryption, and advanced anti-analysis techniques, which allow threat actors to deploy highly evasive malware. #SHELLTER #ShellterElite #LUMMA #ARECHCLIENT2 #RHADAMANTHYS

Key points

  • Multiple financially motivated infostealer campaigns have used SHELLTER Elite v11.0 since April 2025 to evade detection and deliver malware.
  • SHELLTER employs advanced evasion techniques such as polymorphic junk code, API unhooking via file mapping, and AES-128 CBC payload encryption with compression.
  • The framework supports DLL preloading, call stack evasion, indirect syscalls, vectored exception handler API proxying, and AMSI bypass methods.
  • Campaigns distributing SHELLTER-protected malware include LUMMA, ARECHCLIENT2 (SECTOP RAT), and RHADAMANTHYS, with infection vectors involving phishing and hosting platforms like MediaFire.
  • License expiry and self-disarm timers are embedded in the malware, acting as kill switches; a YARA rule targeting this license expiry timestamp is provided for detection.
  • Elastic Security Labs released a dynamic unpacker tool capable of extracting payloads from SHELLTER-protected binaries to aid defenders.
  • Despite mitigations by the legitimate Shellter Project, illicit versions continue to be used by threat actors and are expected to circulate and evolve further.

MITRE Techniques

  • [T1041] Exfiltration Over C2 Channel – Infostealers like LUMMA, ARECHCLIENT2, and RHADAMANTHYS use SHELLTER to securely deliver stolen data via command and control servers (‘The C2 for this stealer points to 185.156.72[.]80:15847’).
  • [T1055] Process Injection – SHELLTER utilizes polymorphic self-modifying shellcode embedded in legitimate programs to evade static detection (‘self-modifying shellcode with polymorphic obfuscation’).
  • [T1105] Ingress Tool Transfer – Campaigns deliver payloads via archive files (.rar) containing SHELLTER-protected executables distributed through phishing and hosting platforms (‘download links to archive files (.rar)’).
  • [T1574.002] Hijack Execution Flow: DLL Search Order Hijacking – SHELLTER preloads essential Windows DLL modules and corrupts the call stack to hide LoadLibraryExW calls (‘Force Preload System Modules’ feature with call stack evasion).
  • [T1204] User Execution – Delivery via phishing emails targeting content creators with legitimate-looking lures (‘phishing emails sent to individuals with a YouTube channel impersonating brands’).
  • [T1218] Signed Binary Proxy Execution – Use of legitimate signed binaries (e.g., C++ loader abusing BITS) to evade detection (‘simple C++ loader client abusing BITS for C2’).
  • [T1140] Deobfuscate/Decode Files or Information – Runtime decoding/encoding and manipulation of memory permissions complicate detection (‘Decoding and re-encoding instructions at runtime’, ‘Removal of execute permissions on inactive memory pages’).
  • [T1057] Process Discovery – API hashing obfuscation and unhooking modules outwit monitoring tools (‘time-based seeding to obfuscate API addresses’, ‘unhooking via file mapping of ntdll.dll’).
  • [T1083] File and Directory Discovery – Malware interacts with system structures, such as PEB LDR lists, manipulating decoy modules (‘unlinking decoy DLL modules inside the Process Environment Block’).
  • [T1505.003] Server Software Component: Web Shell – Use of hosting platforms (MediaFire) to store malware samples for distribution (‘files hosted on the MediaFire file hosting platform’).

Indicators of Compromise

  • [SHA256] Hashes of SHELLTER-protected payloads – c865f24e4b9b0855b8b559fc3769239b0aa6e8d680406616a13d9a36fbbc2d30 (RHADAMANTHYS), 2da59d67ced88beae618b9d6c805f40385d0301d412b787e9f9c9559d00d2c880 (LUMMA), b3e93bfef12678294d9944e61d90ca4aa03b7e3dae5e909c3b2166f122a14dad (ARECHCLIENT2) and others.
  • [IPv4 Addresses] Command and Control servers – 185.156.72[.]80 (ARECHCLIENT2), 94.141.12[.]182 (unknown), associated with C2 communication.
  • [Domains] Malicious hosting – eaglekl[.]digitaldomain (LUMMA C2 server), plotoraus[.]shop (RHADAMANTHYS C2 server).
  • [File Names] Lures and malware files – Pinnacle Studio Advertising materials.rar (lure archive), Branster.exe (LUMMA), Endorphin.exe (RHADAMANTHYS).


Read more: https://www.elastic.co/security-labs/taking-shellter