Shellter Tool Abused by Hackers: Developers Slam Elastic for “Negligent” Disclosure
The development team behind the Shellter tool—a utility designed to evade antivirus and EDR detection—has confirmed that their product has fallen into the hands of malicious actors. At the same time, they have accused Elastic of negligence in disclosing information about the identified threat.
Shellter has long been employed by penetration testers and red teams to simulate attacks and assess the resilience of corporate infrastructures. However, like other commercial tools such as Cobalt Strike, it has increasingly attracted the interest of cybercriminals, who seek to use it in real-world attacks.
Recently, Elastic Security Labs reported that, during the course of an investigation, they had observed Shellter Elite being used in campaigns to deploy infostealer malware. The developers of Shellter confirmed that the copy of the tool was genuine and admitted that one of their clients had indeed used it for malicious purposes—despite the existence of a buyer vetting system.
The developers noted that, since the launch of Shellter Pro Plus in February 2023, their client screening process had successfully prevented such incidents—until now. They expressed gratitude to Elastic for providing samples that helped identify the violator, but simultaneously issued a sharp critique of how the disclosure was handled.
According to the team, Elastic had been aware of the incident for several months but failed to notify them. Instead of pursuing a collaborative approach to mitigating the threat, Elastic allegedly opted to publish a sensational public report without informing the other party involved. This, the Shellter developers contend, put both Elastic’s own customers and the broader cybersecurity community at increased risk.
The Shellter team added that, due to the lack of timely communication, they had nearly sent an updated version of the tool—featuring enhanced evasion capabilities—to the malicious actor. It was only by chance, owing to personal circumstances, that the delivery was delayed, and the attacker was prevented from obtaining it.
The creators of Shellter believe this episode highlights the growing divide between offensive and defensive cybersecurity communities. They emphasized that although the tool is distributed openly, it is only granted to clients who pass a verification process. Had they received the intelligence on the bad actor in time, access would have been immediately revoked.
This incident once again raises the broader question of control over professional tools used for assessing system security. Previously, for example, Fortra—the company behind Cobalt Strike—reported success in the international Operation Morpheus, led by the UK’s National Crime Agency, which resulted in an 80% reduction in the circulation of illegal copies of the tool.