Taking SHELLTER: a commercial evasion framework abused in-the-wild
ID: 8e7f57df-f82c-5daa-8647-ea6ba093ed10
STIX ID: report--8e7f57df-f82c-5daa-8647-ea6ba093ed10
Feed Name: Elastic Security Labs
Elastic Security Labs reports that the commercial AV/EDR evasion framework SHELLTER (likely Elite v11.0) has been acquired and abused since April 2025 to package and deploy multiple infostealer campaigns (LUMMA, RHADAMANTHYS, ARECHCLIENT2). The report provides in-depth technical analysis of SHELLTER’s evasion capabilities (polymorphic shellcode, unhooking via file-mapping, indirect syscalls, AMSI bypass, VEH API proxy, AES-128-CBC + LZNT1 payload protection), embedded license-based kill-switches, YARA detection rules, IOCs (SHA256s, IPs, domain) and a dynamic unpacker to extract payloads.
