All posts by kyREcon

Follow-Up on the Shellter Elite Misuse Incident

Following up after reviewing various opinions and responses to our complaint regarding the lack of timely notification from Elastic:

It seems that many interpreted our statement as a criticism of Elastic’s article itself.

To clarify once again: our concern was never about the article’s content or its publication. We explicitly stated that we have no issue with the article being released—regardless of timing.

Our point was, and remains, that Elastic could have informed us earlier, allowing us the opportunity to respond or act accordingly. That courtesy was not extended.

As for the argument that Elastic had no obligation to notify us—frankly, we find that position so fundamentally misguided and unprofessional that it hardly warrants a response.

Moving forward, we plan to allocate development resources toward strengthening our DRM mechanisms. While this incident was not the result of a direct attack on our DRM, but rather the consequence of someone leaking their licensed copy of the software, it has highlighted the need for additional safeguards.

Our goal is to make it significantly harder for unauthorized redistribution to occur, even in cases of deliberate and/or accidental misuse by legitimate users. These enhancements will help us better protect our software and, by extension, the investment our customers have made in it.

We recognize that such measures typically require online authentication with each software launch, and we understand that this may not always be convenient for our users. To address this, we also intend to offer the option to request short-term offline licenses. This will allow customers to continue using our software without an active internet connection when necessary.

We want to take this opportunity to reaffirm our unwavering commitment to the quality and performance our customers have come to expect. We remain dedicated to continuously improving our software to ensure you get the most value out of your investment.

The upcoming release of Shellter Elite v11.1 is now in its final testing phase—and the results are outstanding. It slices through every test scenario like a hot knife through butter, including those involving the most commonly used C2 frameworks favoured by our customers.

— The Shellter Project Team
Update: On July 13th, Raphael Mudge—the original creator of the Cobalt Strike C2 Framework—shared his perspective on the incident. We sincerely appreciate his generous support and the thoughtful statement he offered. You can read his full remarks here.

Statement Regarding Recent Misuse of Shellter Elite and Elastic Security Labs’ Handling

Following the publication of the article “Taking SHELLTER: a commercial evasion framework abused in-the-wild” by Elastic Security Labs, we discovered that a company which had recently purchased Shellter Elite licenses had leaked their copy of the software. This breach led to malicious actors exploiting the tool for harmful purposes, including the delivery of infostealer malware.

Despite our rigorous vetting process—which has successfully prevented such incidents since the launch of Shellter Pro Plus in February 2023—we now find ourselves addressing this unfortunate situation.

We would like to thank Devon Kerr from Elastic for providing manipulated samples that helped us confirm the identity of the customer involved. In fact, some of the information disclosed in the article was already sufficient to trace the source.

Nonetheless, we feel there were shortcomings in how Elastic addressed the situation.

Elastic Security Labs chose to act in a manner we consider both reckless and unprofessional. They were aware of the issue for several months but failed to notify us. Instead of collaborating to mitigate the threat, they opted to withhold the information in order to publish a surprise exposé—prioritizing publicity over public safety.

Due to this lack of communication, it was sheer luck that the implicated customer did not gain access to our upcoming release. Had we not postponed the launch for unrelated personal reasons, they would have received a new version with enhanced runtime evasion capabilities—even against Elastic’s own detection mechanisms.

If this isn’t a textbook case of undermining both your own product and your customers, we’re not sure what is.

To illustrate further: on June 3rd, Elastic released version 9.0.2, which flagged a specific behaviour in our loader. Within an hour of receiving the customer’s report, we developed, tested, and confirmed a patch that resolved the issue. It’s clear this update was a direct response to the samples derived from Shellter Elite v11. However, version 11.1—which includes the bypass—was already prepared for deployment.

Fortunately, due to our delayed release (and not thanks to Elastic), the malicious customer will never receive this or any future updates.

This incident also raises serious questions about how Elastic attributed the samples to a specific build of our software. We have never sold them a license. We suspect they may have obtained a leaked copy in order to conduct internal testing and produce staged samples for deeper analysis of our code. While we can’t confirm this, it seems a likely scenario.

Ultimately, this situation highlights a troubling disconnect between Red Team and Blue Team research communities. Elastic chose spectacle over responsible disclosure, putting both their customers and the broader public at risk.

While it’s true that we distribute this software, we do so through a rigorous vetting process. Had we been aware of any malicious use, we would have taken immediate action.

All they had to do was contact us. They didn’t.

To our loyal customers: we sincerely apologize for any inconvenience this may have caused. We want to reaffirm that we do not collaborate with criminals and are always willing to cooperate with law enforcement when requested.

Shellter remains alive and well. We will continue to improve and update our software as needed.

— The Shellter Project Team