Category Archives: Articles

Why Building Loaders for Yourself Is Easy — and Building for the World Isn’t

People massively underestimate the gap between hacking something together for yourself and engineering a robust, repeatable, operationally safe tool that professionals can trust. That’s not a small step; it’s a different discipline entirely. It’s what our customers pay for.

Statement Regarding Recent Misuse of Shellter Elite and Elastic Security Labs’ Handling

Following the publication of the article “Taking SHELLTER: a commercial evasion framework abused in-the-wild” by Elastic Security Labs, we discovered that a company which had recently purchased Shellter Elite licenses had leaked their copy of the software. This breach led to malicious actors exploiting the tool for harmful purposes, including the delivery of infostealer malware.

Despite our rigorous vetting process—which has successfully prevented such incidents since the launch of Shellter Pro Plus in February 2023—we now find ourselves addressing this unfortunate situation.

We would like to thank Devon Kerr from Elastic for providing manipulated samples that helped us confirm the identity of the customer involved. In fact, some of the information disclosed in the article was already sufficient to trace the source.

Nonetheless, we feel there were shortcomings in how Elastic addressed the situation.

Elastic Security Labs chose to act in a manner we consider both reckless and unprofessional. They were aware of the issue for several months but failed to notify us. Instead of collaborating to mitigate the threat, they opted to withhold the information in order to publish a surprise exposé—prioritizing publicity over public safety.

Due to this lack of communication, it was sheer luck that the implicated customer did not gain access to our upcoming release. Had we not postponed the launch for unrelated personal reasons, they would have received a new version with enhanced runtime evasion capabilities—even against Elastic’s own detection mechanisms.

If this isn’t a textbook case of undermining both your own product and your customers, we’re not sure what is.

To illustrate further: on June 3rd, Elastic released version 9.0.2, which flagged a specific behaviour in our loader. Within an hour of receiving the customer’s report, we developed, tested, and confirmed a patch that resolved the issue. It’s clear this update was a direct response to the samples derived from Shellter Elite v11. However, version 11.1—which includes the bypass—was already prepared for deployment.

Fortunately, due to our delayed release (and not thanks to Elastic), the malicious customer will never receive this or any future updates.

This incident also raises serious questions about how Elastic attributed the samples to a specific build of our software. We have never sold them a license. We suspect they may have obtained a leaked copy in order to conduct internal testing and produce staged samples for deeper analysis of our code. While we can’t confirm this, it seems a likely scenario.

Ultimately, this situation highlights a troubling disconnect between Red Team and Blue Team research communities. Elastic chose spectacle over responsible disclosure, putting both their customers and the broader public at risk.

While it’s true that we distribute this software, we do so through a rigorous vetting process. Had we been aware of any malicious use, we would have taken immediate action.

All they had to do was contact us. They didn’t.

To our loyal customers: we sincerely apologize for any inconvenience this may have caused. We want to reaffirm that we do not collaborate with criminals and are always willing to cooperate with law enforcement when requested.

Shellter remains alive and well. We will continue to improve and update our software as needed.

— The Shellter Project Team