

Perhaps the only real guarantee we can make about something that Must Not Fall Into the Wrong Hands is that eventually it will do exactly that. Case in point: BleepingComputer reported on Monday that cybercriminals have been using a leaked version of a legitimate red-teaming tool called Shellter to deploy malware.
The Shellter Project describes its software as “the most sophisticated loader ever created” that “provides unique static and runtime evasion features developed directly from our in-house R&D efforts.” It’s also “payload agnostic and can be used with position independent code that is generated from all popular C2 frameworks.”
In short, it’s a tool for bypassing defenses and establishing a connection to command-and-control (C2) infrastructure. The only difference between Shellter’s intended use–enabling cybersecurity professionals to assess an organization’s defensive capabilities–and cybercriminal activity is the fact that the pros have to ask for permission first.
The good news is that The Shellter Project requires prospective users to pass a vetting process before they can use its software. The bad news is that Elastic Security Labs reported on July 3 that “multiple financially motivated infostealer campaigns … have been using SHELLTER to package payloads beginning late April 2025.”
Elastic’s report describes how Shellter works and includes details about the kinds of malware (ArechClient2 / Sectop RAT and Rhadamanthys) it has been used to deploy. It also includes the following:
Despite the commercial [offensive security tooling] community’s best efforts to retain their tools for legitimate purposes, mitigation methods are imperfect. They, like many of our customers, face persistent, motivated attackers. Although the Shellter Project is a victim in this case through intellectual property loss and future development time, other participants in the security space must now contend with real threats wielding more capable tools.
Elastic Security Labs
The Shellter Project responded by saying “Elastic Security Labs chose to act in a manner we consider both reckless and unprofessional” (emphasis theirs) and that “instead of collaborating to mitigate the threat, they opted to withhold the information in order to publish a surprise exposé—prioritizing publicity over public safety.”
This push and pull between offensive and defensive security has been going on for ages. The most noteworthy example arrived via WannaCry, the ransomware attack IBM described as “the fastest-spreading cybercrime attack ever experienced” and “the biggest cybersecurity event the world had ever seen,” in May 2017.
WannaCry managed to spread so quickly because it took advantage of the EternalBlue exploit, which abused a vulnerability in Microsoft’s SMBv1 implementation (patched by MS17-010 in March 2017) to compromise unpatched Windows systems, including the many embedded and special-purpose devices that run Windows. But EternalBlue wasn’t developed by WannaCry’s creators; it was made by the U.S. National Security Agency and leaked by the Shadow Brokers group in April 2017, about a month before WannaCry appeared.
Should the NSA have informed Microsoft of the vulnerabilities instead of exploiting them via EternalBlue? Should Elastic Security Labs have told The Shellter Project its software had been leaked to cybercriminals using it to deploy malware? Or, for that matter, should Shellter’s techniques have been disclosed to defenders in the first place?
There are unlikely to be consensus answers to any of those questions anytime soon. Organizations like the NSA and The Shellter Project are going to find ways to bypass antivirus software, endpoint detection and response systems, and the like. It’s what they do. And the likes of Elastic Security Labs are going to publicize those bypasses, too.
Perhaps there’s a bigger question that should be answered first: Who is this helping? (With the natural follow-up being, of course, is that who we intended to help?)