EXECUTIVE SUMMARY:
A wave of malicious campaigns has emerged involving the misuse of the commercial AV and EDR evasion framework known as SHELLTER. Originally developed to support red team operations in sanctioned security assessments, the framework has been co-opted by threat actors to deploy information-stealing malware while bypassing traditional detection mechanisms. The attackers are using SHELLTER’s advanced obfuscation, polymorphism, and evasion features to prolong payload survivability and maintain stealth in a variety of environments.
The malicious use of SHELLTER centers on its ability to embed polymorphic, self-modifying shellcode within legitimate executables, which complicates static analysis and signature-based detection. The framework encrypts payloads using AES-128 in CBC mode, often compressing them beforehand, and employs evasion techniques such as trampoline-style indirect syscalls, API proxying through vectored exception handlers, and unlinking decoy DLL modules from process environment structures to avoid detection. Time-based seeding and custom hashing obscure API resolution, while license expiry checks act as built-in kill switches to disable payloads after a set period. Additionally, SHELLTER incorporates advanced runtime protections, including memory permission manipulation and hypervisor and debugging detection. It also bypasses Windows Antimalware Scan Interface (AMSI) through both memory patching and corruption of COM interface lookups, allowing malicious code to evade behavioral analysis. These capabilities enable threat actors to integrate SHELLTER-protected loaders into diverse campaigns distributing various infostealers, using social engineering lures such as fake sponsorship offers targeting content creators.
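One defensive check for the module-unlinking behaviour described above, added here as an example and not code from this report or from the SHELLTER project: it compares the image-backed memory regions of a process with the modules registered in its PEB loader lists and reports images that are mapped but no longer listed. The function names and sample data are constructed for illustration; the live collector assumes the psapi and kernel32 calls shown and runs only on Windows.

```python
import ctypes, sys
from collections import defaultdict

# Constructed sample: (allocation_base, region_size, mapped_file_name) per committed MEM_IMAGE
# region, and the module bases a PEB walk reported. decoy.dll is mapped but no longer listed.
SAMPLE_REGIONS = [
    (0x00400000, 0x4E000, r"\Device\HarddiskVolume3\Users\u\setup.exe"),
    (0x7FFA10000000, 0x1F0000, r"\Device\HarddiskVolume3\Windows\System32\ntdll.dll"),
    (0x7FFA0C000000, 0x1000, r"\Device\HarddiskVolume3\Users\u\AppData\Local\Temp\decoy.dll"),
    (0x7FFA0C000000, 0x2A000, r"\Device\HarddiskVolume3\Users\u\AppData\Local\Temp\decoy.dll"),
]
SAMPLE_PEB_BASES = {0x00400000, 0x7FFA10000000}

def unlinked_images(regions, peb_bases):
    """Group image regions by allocation base; return {base: (total_size, name)} for bases the PEB omits."""
    by_base = defaultdict(lambda: [0, ""])
    for base, size, name in regions:
        by_base[base][0] += size
        by_base[base][1] = by_base[base][1] or name
    return {b: (s, n) for b, (s, n) in by_base.items() if b not in peb_bases}

if sys.platform == "win32":  # live collector: walk the address space, then the PEB module list
    import ctypes.wintypes as wt
    MEM_COMMIT, MEM_IMAGE, LIST_MODULES_ALL, PQI_VMREAD = 0x1000, 0x1000000, 0x03, 0x0410

    class MBI(ctypes.Structure):  # MEMORY_BASIC_INFORMATION
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wt.DWORD), ("PartitionId", wt.WORD),
                    ("RegionSize", ctypes.c_size_t), ("State", wt.DWORD),
                    ("Protect", wt.DWORD), ("Type", wt.DWORD)]

    def collect(pid):  # returns (regions, peb_bases) in the shape unlinked_images() expects
        k32, psapi = ctypes.windll.kernel32, ctypes.windll.psapi
        k32.OpenProcess.restype = wt.HANDLE
        k32.VirtualQueryEx.argtypes = [wt.HANDLE, ctypes.c_void_p, ctypes.POINTER(MBI), ctypes.c_size_t]
        psapi.GetMappedFileNameW.argtypes = [wt.HANDLE, ctypes.c_void_p, wt.LPWSTR, wt.DWORD]
        psapi.EnumProcessModulesEx.argtypes = [wt.HANDLE, ctypes.POINTER(wt.HMODULE), wt.DWORD, wt.LPDWORD, wt.DWORD]
        h = k32.OpenProcess(PQI_VMREAD, False, pid)  # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
        if not h:
            raise ctypes.WinError()
        regions, mbi, addr, name = [], MBI(), 0, ctypes.create_unicode_buffer(wt.MAX_PATH)
        while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            if mbi.State == MEM_COMMIT and mbi.Type == MEM_IMAGE:
                psapi.GetMappedFileNameW(h, mbi.BaseAddress, name, wt.MAX_PATH)
                regions.append((mbi.AllocationBase, mbi.RegionSize, name.value))
            addr = (mbi.BaseAddress or 0) + mbi.RegionSize
        mods, needed = (wt.HMODULE * 2048)(), wt.DWORD()  # EnumProcessModulesEx reads the PEB Ldr lists
        psapi.EnumProcessModulesEx(h, mods, ctypes.sizeof(mods), ctypes.byref(needed), LIST_MODULES_ALL)
        k32.CloseHandle(h)
        return regions, {mods[i] for i in range(needed.value // ctypes.sizeof(wt.HMODULE))}
```

On Windows, `unlinked_images(*collect(pid))` returns the suspicious images for a process; treat hits as leads to verify, since some legitimate mappings are also image-backed without appearing in the loader lists.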
The use of SHELLTER represents a significant challenge for defenders, as it grants threat actors a powerful and flexible evasion platform originally designed for legitimate security testing. The continued circulation of this framework in malicious hands highlights the dual-use nature of offensive security tools and the limitations of current mitigation efforts. Security teams should be aware of these evolving tactics and employ dynamic analysis and behavior-based detection to uncover SHELLTER-protected malware. The ongoing development of unpacking tools and enhanced detection techniques will be critical in addressing the threat posed by these infostealer campaigns and other malware leveraging this framework.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Defense Evasion | T1027.009 | Obfuscated Files or Information | Embedded Payloads |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1055.002 | Process Injection | Portable Executable Injection |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1057 | Process Discovery | — |
| Discovery | T1010 | Application Window Discovery | — |
| Collection | T1005 | Data from Local System | — |
| Collection | T1113 | Screen Capture | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details: