Elastic Security Labs reports on the misuse of SHELLTER, a commercial evasion framework, by threat groups for infostealer campaigns since April 2025. The framework's advanced capabilities allow malicious actors to evade detection by anti-malware solutions, prompting the release of a dynamic unpacker by Elastic Security Labs to analyze SHELLTER-protected binaries. Key features include polymorphic obfuscation, payload encryption, and mechanisms to bypass detection systems.

Hackers have exploited a leaked copy of Shellter Elite, a commercial AV/EDR evasion tool, to deploy infostealer malware, marking the first misuse incident since the vendor's strict licensing model was introduced. Despite ongoing malicious activity since April, Shellter was not notified by security researchers at Elastic Security Labs, who later confirmed the misuse and developed detections for the affected version. Shellter has since released an updated version for vetted customers, excluding the one responsible for the leak.