Shellter Elite & Pro Plus Updates

Please refer to the Shellter_Elite_Exclusive_Features.pdf for more information about these updates.

Shellter Elite v12.2
Date: 03d/06m/2026

[+] Resolved a logic bug affecting certain internal runtime evasion operations. Under specific conditions, this issue could cause loaded modules (EXE/DLL) that were generated by our software to crash the running process.

[+] Fixed a logic issue that could prevent executables generated by our software from loading correctly on certain systems.

[+] Various minor fixes and optimisations.


Shellter Elite v12.1
Date: 15d/05m/2026

[+] Enhanced ETW Evasion.
We implemented a new technique for suppressing user-mode ETW event logging under the name of “Event Horizon”. This method does not rely on executable code patching, hardware breakpoints, page guards, or other noisy mechanisms. Future ETW Evasion methods added as enhanced techniques will be selected automatically by our loader at runtime whenever this feature is activated by the user. In ‘Auto’ mode this feature is enabled by default.

[+] Various minor fixes and optimisations.


Shellter Elite v12.0
Date: 29d/04m/2026

[+] Configuration templates.
It’s now possible to effortlessly load your preferred settings using configuration file templates. This enhancement simplifies the process of maintaining predefined groups of settings, making them easy to reuse whenever needed. This functionality utilizes ‘DarKonfig’, our application configuration management library, crafted for both practicality and ease of use.

[+] Loader GuardRails.
We’ve introduced a new capability that allows you to further control payload execution based on specific host criteria. Our implementation supports both Azure AD-joined and traditional domain-joined configurations, allowing payload execution policies to be enforced consistently across hybrid environments.

[+] Extended VM WhiteListing.
Enables whitelisting of virtual machines joined to specific domains and/or Azure tenants, allowing detection of rogue sandbox environments to be preserved while still permitting payload execution on trusted virtualized endpoints.

[+] Entropy Balancer.
This feature automatically manages entropy adjustments within the infected PE file. In the past, similar changes could be made manually through the “PE File Size Increase” option. With entropy adjustment enabled, that older method is no longer needed, except in cases where you want to study how different scanning engines react to variations in file size.

[+] Ghost Infection.
We introduced an additional binary infection method aiming to offer enhanced concealing of the injected code structure, with the potential to optimize further in future releases.

[+] Persistent Runtime Evasion.
We’ve introduced a new capability that enables our loader to perform continuous runtime-evasion checks throughout the lifetime of the hosting process. Using its own set of predefined triggers, the loader can now detect and respond to artefacts that may appear or reappear later during execution, allowing it to react and mitigate them dynamically.

[+] Persistent Debugger Detection.
We’ve added a new capability that gives you more fine-grained control over user-mode debugger detection. With this setting turned on, user mode debugger checks will continue throughout the entire lifetime of the process, triggered by specific runtime events.

[+] CallStack Evasion II.
We further enhanced this feature to offer greater flexibility and more sophisticated control over how the original call site is represented, particularly in environments where advanced EDR solutions analyse callstack telemetry to identify in-memory malicious activity.

[+] Multiple updates and optimisations in various areas of the runtime evasion capabilities of our loader.

[+] Various minor fixes and optimisations.


Shellter Elite v11.8
Date: 19d/03m/2026

[+] Resolved a race condition that occasionally prevented infected executables from loading correctly when their decryption keys were retrieved through a URL path. This issue did not impact DLL binaries.


Shellter Elite v11.7
Date: 05d/02m/2026

[+] Resolved a compatibility issue impacting our loader under certain injection configurations on Windows 11 24H2 and later.


Shellter Elite v11.6
Date: 20d/01m/2026

[+] Resolved a compatibility problem affecting the standard AMSI evasion technique on newer Windows 11 builds. Note: The enhanced method was not affected.


Shellter Elite v11.5
Date: 19d/11m/2025

[+] Fixed a compatibility problem introduced by recent updates to a vendor’s EDR software which could result in process instability.

[+] Quality of life updates and minor runtime evasion enhancements.

[+] Various minor fixes and optimisations.


Shellter Elite v11.4
Date: 30d/09m/2025

[+] Various minor fixes and optimisations.


Shellter Elite v11.3
Date: 24d/09m/2025

[+] Refined our loader’s runtime evasion capabilities against targeted EDR solutions, driven by valuable customer feedback.

[+] Resolved a logic flaw in one of our runtime evasion stages that could impact specific execution instances.

[+] Support for Windows versions earlier than 10 is being deprecated in stages. This change will likely impact WOW64 processes, while 64-bit binaries are expected to function as intended. However, we will not allocate resources to validate compatibility on deprecated Windows versions.

[+] Various minor fixes and optimisations.


Shellter Elite v11.2
Date: 27d/08m/2025

[+] Fixed a bug in remote AES keys fetching that could cause the process to hang when the infected PE file is a DLL.

[+] Various minor updates and optimisations.


Shellter Elite v11.1
Date: 30d/07m/2025

[+] Enables automatic proxy authentication for retrieving remote AES keys and/or payload files via URL, as configured on the target host—e.g., using Kerberos.

[+] Loader runtime evasion enhancements.


Shellter Elite v11.0
Date: 16d/04m/2025

[+] Improved certain runtime evasion methods and capabilities.

[+] Elite AMSI Evasion.
This is now part of the “Enhanced AMSI Evasion”. Shellter will choose automatically which enhanced method to use.

[+] Remote Payloads.
This feature allows encrypted payloads to be stored on a remote host instead of being embedded in the infected binary. This adds an extra layer of protection for your payloads against future analysis, and helps maintain low entropy of the binary.

[+] Payload Compression.
Shellter will compress payloads by default before encrypting them.

[+] Increased Allowed Payload Size.
The maximum allowed size for a custom payload has been increased from 4MBs to 25MBs in order to accommodate larger payloads that may be generated by some C2 frameworks.

[+] Force Preload System Modules II
We updated the standard lists of force-preload modules.

[+] Improved parts of the “Memory Scan Evasion” encoding scheme.

[+] Fixed a bug in self-signed certificates generator.
The date format would default to the process locale settings, which could cause invalid data to be generated for different system date formats, i.e. EU vs US.

[+] Updated some command line arguments.

[+] Removed legacy ‘Manual’ mode.

[+] Various minor fixes and optimisations.


Shellter Pro Plus v10.1
Date: 20d/11m/2024

[+] Added the ability to use a custom proxy for fetching AES decryption keys.

[+] Updated the unhooking functions.
All loaded modules will be processed when option “--ForceDecoyFileMapping” is set, and not just modules in “KnownDLLs” section objects directory.

[+] VM/Host-Whitelisting are now two separate features.
This provides a more intuitive way of white-listing a specific VM in order to test the infected binary, without disabling VM detection entirely.

[+] Multiple enhancements in order to boost runtime evasion capabilities of payloads generated by popular C2 frameworks.

[+] Fixed a bug in unhooking stage affecting 32-bit binaries under certain circumstances.

[+] Various minor fixes and optimisations.


Shellter Pro Plus v10
Date: 16d/10m/2024

[+] CallStack Scan Evasion
Tampers with callstack information in order to evade detection rules that are based on kernel ETW information.

[+] Force Unhooking System Modules via File-Mappings
Offers an alternative unhooking method while simultaneously evading kernel mode callbacks inserted by EDRs to monitor new module loading events.

[+] Force Preload System Modules
Provides a safer method for preloading system modules commonly used by C2 beacons and other third-party payloads to perform various system-level tasks.

[+] Enhanced AMSI Evasion
Added a new method that avoids both in-memory patching of the AMSI module and the use of hardware breakpoints.

[+] Enhanced Memory Scan Evasion Polymorphism
This update implements a dynamic key mechanism. Once the memory scan evasion feature kicks off, the key changes with each execution. Consequently, the protected code and data will always look different in memory, even for the same binary.

[+] Self-Disarm
This feature enables users to specify a number of days after which the infected binary will deactivate itself. Essentially, if the binary is executed beyond the initially set timeframe, no payloads will be triggered.

[+] Targeted Runtime Evasion II
Our original feature was enhanced further to include additional runtime evasion settings that were introduced afterwards. In addition, this feature can now be explicitly enabled by the user, depending on the expected EDR present on the target host, whenever this is known.

[+] TimeBomb
This feature allows the user to specify a delay in milliseconds for the payloads execution to begin.

[+] Slow Loris
This feature enables lazy loading by inserting delays in frequently executed paths of our code. This behaviour may help to exhaust default timing threshold values used by EDR software to monitor specific combinations of various events that are logged via Kernel ETW monitoring and/or kernel mode callbacks.

[+] Host WhiteListing
This feature allows payload execution to be activated only inside a specific VM and/or physical host. It should be very useful when you perform your own pre-engagement tests against EDRs inside your own VMs. This helps prevent your binaries from being compromised during testing, particularly when they are uploaded to the cloud by security software for automated sandbox analysis.

[+] Fixed a logic bug in the code obfuscation engine when inserting dummy ‘CALL’ instructions.

[+] Fixed a logic bug in the ‘Memory Scan Evasion’ feature that could cause the process to crash under specific circumstances.

[+] Fixed a logic bug in the “DLL Load Monitoring” feature where the target executable path was not properly quoted when starting the second stage of the feature. If the path had any spaces, then the second stage would fail to complete.

[+] Fixed a bug in the ‘Total Recall’ feature where a dynamically generated code stub was truncated in Windows 10 x86 builds.

[+] Various minor fixes and optimisations.


Shellter Pro Plus v9.2
Date: 26d/06m/2024

[+] Added ‘Code Signing’ feature.
Automates the process of generating customised self-signed certificates, and signs the infected binaries once the payload injection stages are completed.

[+] Fixed a logic bug that affected VM detection checks in certain scenarios. If HW resources profiling was disabled by the user, then also the advanced VM detection options would be skipped. This was introduced in version 8.3 while refactoring and optimizing some blocks of source code.

[+] Various minor fixes and optimisations.


Shellter Pro Plus v9.1
Date: 22d/05m/2024

[+] Option to set command-line arguments for the target executable when doing ‘DLL Load Monitoring’.

[+] Option to set user-defined watermark in infected binaries.

[+] Option to limit the execution time of the poly-junk code when stealth mode is not enabled.


Shellter Pro Plus v9.0
Date: 17d/04m/2024

[+] Memory Scan Evasion
All functions that are required for the lifetime of the running process will now be encoded/decoded on-the-fly as needed. In addition, many important data structure members, such as, but not limited to, function pointers, will always be encoded. These will be fetched and decoded on-the-fly as well, while the original copies will always remain encoded. Finally, all dynamically-built strings will be cleared off the current thread’s stack memory after usage.

[+] Total Recall
This feature was implemented in order to further eradicate in-memory traces of our code under certain circumstances. There may be scenarios where none of the payloads will execute for various reasons such as, VM/DBG detection on process start, and/or failure to fetch remote AES keys for payload decryption. When this is the case, this feature will kick in and remove all of our executable code from memory, while cleaning up also memory areas that may store additional data.

[+] Updated the output of “DLL Load Monitor” to mark displayed modules as ‘User’/‘System’. Any logged module that is originally loaded from a directory under “C:\Windows*” will be marked as a ‘System’ module.

[+] Fixed a logic bug where some runtime evasion features remained disabled in ‘Auto’ mode. This did not affect CLI/GUI operation modes.

[+] Added some dynamic debugger detection checks that now also apply for the entire lifetime of the process. This allows detection of a debugger that has been attached after process initialisation.

[+] Set the maximum limit of additional data to be added for the ‘Binary Size Increase’ feature to 500MB. This enables users to do extensive testing against security software scan rules that depend on the binary size.

[+] DTCK encoding feature has been deprecated and it will be removed in a future software release.

[+] Fixed a logic bug where ‘DTCK’ encoding and ‘EFD’ files could have been enabled together even though they are not compatible with each other.

[+] Various minor fixes and optimisations.


Shellter Pro Plus v8.6
Date: 20d/12m/2023

[+] Fixed a compatibility issue with Wine.
Please note that it is not recommended to operate Shellter inside Wine and other Windows environment emulators. Compatibility with Wine is mainly offered as a way to operate our software when a Windows host/VM is not immediately available.

[+] Various minor fixes and optimisations.


Shellter Pro Plus v8.5
Date: 30d/11m/2023

[+] Enhanced Application DLL Backdooring II.

[+] Targeted Runtime Evasion.

[+] License Expiration Check Updates.

[+] Various minor fixes and optimisations.


Shellter Pro Plus v8.4
Date: 14d/11m/2023

[+] Enhanced Windows Built-In Modules Compatibility.
The imports table parser was updated to recognise the imports mechanism used by built-in Windows executables and DLLs.

Please refer to the “Shellter_Pro_Plus_Exclusive_Features.pdf” for more information about this update.

[+] Updated imports table parser to do a more thorough scan of the imports table of the target PE binary.

[+] Various minor fixes and optimisations.


Shellter Pro Plus v8.3
Date: 06d/11m/2023

[+] Enhanced Application DLL Backdooring.
Introduces monitoring for DLL loading and exports calling events. It provides the necessary information to the user for a much more efficient backdooring of an application through a proprietary and/or system DLL. Arguments added: --monitorDllLoading/--MDLL.

Please refer to the “Shellter_Pro_Plus_Exclusive_Features.pdf” for more information about this update.

[+] Several compatibility updates for DLLs that may be loaded by a process that has one or more of CFG features enabled.

[+] Various minor fixes and optimisations.


Shellter Pro Plus v8.2
Date: 11d/10m/2023

[+] Added extra validation for the chosen DLL that will be used for the Ambush feature. The additional check will also verify that the specified DLL is not included in the list of modules that are statically linked to the target PE file.

For more information, please refer to the “Shellter_Pro_Plus_Exclusive_Features.pdf” and to the dedicated demo video that is listed on our website.

[+] Added the ability to optionally enable/disable some runtime evasion features. These were previously always enabled when they were supported by the target PE file.

[+] Added new command line arguments: --evadeETW, --evadeAMSI, --redirectNativeImports. These allow the corresponding runtime evasion features to be optionally enabled. In Auto mode these are always enabled by default.

[+] Added the ability to conceal some internal functionality.
If a debugger/VM is detected, some runtime evasion features will not have any effect even if they are enabled by the user.

[+] Fixed a potential race condition bug in unhooking functionality.

[+] Fixed a bug that triggers when choosing to modify PE section permissions instead of using an IAT handler. In that case the infected binary would crash. Using this method is not recommended anyway, but the issue has been fixed.

[+] Fixed a bug that could cause infected 32-bit binaries to crash when they load DLLs (e.g. comctl32.dll) that may be found under both WinSxS and system32/syswow64 directories.

[+] Fixed a bug in the feature that generates the appropriate MSF launching script when one of the listed payload stagers is used.
Please note, these payloads should mainly be used only for demo purposes.

[+] Various minor fixes and optimisations.


Shellter Pro Plus v8.1
Date: 11d/07m/2023

[+] Fixed a logic bug that caused one of our runtime evasion techniques to become technically disabled. This issue affects versions 7.0 and 8.0.


Shellter Pro Plus v8.0
Date: 28d/06m/2023

[+] Multiple updates towards runtime evasion.
Suspicious access permissions are now removed from all proprietary memory allocations.

[+] Fixed compatibility issues with third-party payloads generated by popular C2 frameworks. In particular, some CB payloads may have freed memory that they did not own exclusively, causing the process to crash. Payloads are now moved to their own private allocations in order to avoid similar issues in the future.

[+] Fixed an issue with ‘Wine mode’ where console font adjustment by Shellter would fail due to incompatibility issues. The user had to start our software via ‘wineconsole’ because using ‘wine’ would not work due to the font adjustment issues. Both options are now working fine again.

[+] Various minor fixes and optimisations.


Shellter Pro Plus v7.0
Date: 27d/04m/2023

[+] Multiple updates towards runtime evasion.

[+] Dynamic inspection of newly loaded modules.
Advanced payloads may load additional modules in order to complete certain tasks. Newly loaded modules will now be checked for hooks and tampered exports table data.

[+] Various minor fixes and optimisations.


Shellter Pro Plus v6.0
Date: 17d/03m/2023

[+] Multiple updates towards runtime evasion.
These apply against various techniques used by security software to intercept system function calls; especially those exported by kernel32, kernelbase, and ntdll DLLs.

[+] Ambush payload execution.
This is a special feature that allows the injected payload(s) to be set into hibernation until a specific benign DLL module is loaded by the process. Please see the documentation for more details.

[+] Anti-DLL Load Monitoring.
This feature removes user-mode registered callbacks that may be set by modules injected by security software inside the process in order to monitor for new DLL loading events.

[+] Fixed a bug in the function that fetches the AES keys for payload decryption through a URL.

[+] Fixed a bug in the function that checks latest version available on our website. If you have version 5.0, then it will display that your version is up to date.

[+] Various minor fixes and optimisations.


Shellter Pro Plus v5.0
Date: 01d/02m/2023

[+] First official release of Shellter Pro Plus series.
