Threat Actors Use AV/EDR Evasion Framework in the Wild to Deploy Malware Payloads


Elastic Security Labs has uncovered multiple campaigns leveraging SHELLTER, a commercial AV/EDR evasion framework originally designed for offensive security evaluations by red teams.

Since late April 2025, threat actors have been using what appears to be Shellter Elite v11.0, released on April 16, 2025, to package and deploy various infostealer malware payloads.

SHELLTER Framework Exploited by Malicious Actors

This dual-use tool, marketed by the Shellter Project for bypassing anti-virus and endpoint detection and response (EDR) solutions, has unfortunately fallen into the hands of financially motivated cybercriminals.

It enables them to extend the lifespan of their malicious tools despite the vendor’s safeguards such as geographic sales limits and End User License Agreements (EULAs).

SHELLTER’s sophisticated capabilities, including polymorphic junk code, payload encryption with AES-128 CBC, unhooking system modules, and advanced anti-analysis features like debugger detection and AMSI bypass, make it a potent tool for evading static and ...


Copyright of this story solely belongs to gbhackers.