Mastering Modern Red Teaming Infrastructure Part 5: Initial Access Reloaded: Red Team Payload Development in the Age of Zero Trust
As red teamers simulate modern APTs, we must continuously evolve our initial access techniques to bypass increasingly advanced detection layers. From email security sandboxes to endpoint protection, every defense layer challenges us to operate with greater stealth and precision.
In Part 5, we dive into payload development and hardening by crafting two advanced delivery scenarios inspired by real APT tradecraft. The objective is to simulate APT-style payload delivery chains that achieve initial access by:
- Bypassing Mark-of-the-Web (MoTW) protection
- Bypassing SmartScreen protection
- Evading email sandboxes
- Escaping web proxies and content filters
- Achieving execution with minimal user interaction
Each scenario is designed to reflect APT-level evasion and initial access techniques, giving you practical insight into how sophisticated threat actors operate — and how you can replicate those behaviors in your simulations.
Table of Contents
1. Introduction
2. Context: Why This Matters
3. Scenario 1: Payload Delivery as PDF via HTML Smuggling, ISO Container & LNK Trigger
   - 3.1 Generate Your Payload (Sliver C2)
   - 3.2 Choose a Decoy PDF
   - 3.3 Create a Trigger .lnk File
   - 3.4 Build ISO Container with PackMyPayload
   - 3.5 Wrap ISO in HTML Smuggling
   - 3.6 Send the HTML Smuggling Link via Email
4. Scenario 2: Security Update — ZIP Container with Backdoored MSI Installer
   - 4.1 Build Backdoored MSI
   - 4.2 Archive in a ZIP Container
   - 4.3 Create Smuggled HTML Loader
   - 4.4 Email Template
5. Lessons from the Trenches
6. Bypassing Windows SmartScreen Protections via Payload Signing
7. Modifying Signatures and Attributes to Evade Detection
8. Final Thoughts
2. 🌐 Context: Why This Matters
Threat actors targeting the Middle East, especially Saudi Arabia’s fintech and critical infrastructure sectors, have recently deployed similar techniques:
- MuddyWater (APT-C-53) has embedded scripts in documents and fake software updates to deliver backdoors. Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a
- APT34 (OilRig) and Ghostwriter, also known as UNC1151 and Storm-0257, used ISO and ZIP containers to bypass Microsoft’s MoTW-based defenses and have used LNK files and HTML smuggling for credential theft and payload staging. Source: https://attack.mitre.org/techniques/T1204/002/ and https://www.microsoft.com/en-us/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/
Our scenarios emulate these APT groups to simulate the realistic threat landscape Saudi organizations are facing today.
Note: While no direct public attribution links HTML smuggling + ISO/LNK payload chains to APT34 or UNC1151, these methods are built using tradecraft inspired by multiple APT campaigns observed in the wild.
3. Scenario 1: Payload Delivery as PDF via HTML Smuggling, ISO Container & LNK Trigger
“APT operators don’t send EXEs. They send believable content wrapped in clever packaging.”

Execution Flow:
1. ISO downloaded via HTML smuggling
2. User opens ISO > sees only trigger.pdf (actually an LNK)
3. User clicks LNK > payload runs silently + decoy PDF opens
🛠️ Chain Creation Workflow
3.1 Generate Your Payload (Sliver C2)
Set up the Sliver C2 listener and generate a payload. Ensure the listener is active and ready to receive new sessions.

3.2 Choose a Decoy PDF
A decoy lets the attacker keep the social-engineering context intact: instead of running a file, seeing nothing, and becoming suspicious, the user sees exactly what they were expecting to see.
Below I created a sample PDF named decoy.pdf with sample content.

3.3 Create a Trigger .lnk
A Shell Link (.lnk) is a special Windows shortcut file format designed to launch programs or files. What makes .lnk files particularly deceptive is that their extensions are hidden in Windows Explorer, even when the “show file extensions” option is enabled. This allows attackers to disguise malicious files with names like contract.pdf.lnk, which appears to the user as just contract.pdf.
Use PowerShell to craft a .lnk that:
- Disguises itself as a PDF (via icon and name)
- Launches both payload.exe and decoy.pdf

The resulting .lnk file, when run, launches payload.exe and shows decoy.pdf to the victim.

Let’s change the icon of trigger.pdf.lnk to appear as a normal PDF file.
1. Right-click on trigger.pdf.lnk and select Properties.
2. Click on the “Change Icon…” button.
3. In the path field, browse to your PDF application. For example, if you’re using Foxit PDF Reader, enter the following path: C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
4. Select the standard PDF icon from the list and click OK. “This makes the .lnk file appear just like a regular PDF document, enhancing the disguise.”

Place all files (payload, decoy, LNK) in the same directory.
3.4 Build ISO Container with PackMyPayload
This step is to bundle all the files — the payload, decoy PDF, and the trigger (trigger.pdf.lnk)— into a single ISO container. This method offers several advantages:
- Bypasses Mark-of-the-Web (MoTW): ISO files opened locally do not apply MoTW by default, helping evade SmartScreen and sandbox restrictions.
- Delivers all components together: Ensures everything is packaged cleanly for delivery.
- Supports file hiding: You can hide the payload and decoy inside the ISO, so the victim will only see and interact with trigger.pdf.
This approach increases stealth and improves the chances of successful execution on the target machine.

Contents of the ISO:
- payload.exe (hidden)
- decoy.pdf (hidden)
- trigger.pdf.lnk (LNK, visible): a shortcut file crafted with a PDF icon and misleading filename, so it appears to the user as a legitimate PDF. When clicked, it executes the hidden payload and simultaneously opens the decoy PDF to maintain credibility.
3.5 Wrap ISO in HTML Smuggling
By delivering the ISO file through JavaScript-based HTML smuggling, the payload can bypass email sandboxes, attachment restrictions, content filtering mechanisms, and proxies.

3.6 Send the HTML Smuggling Link via Email
- Host index.html on a reputable domain
- Craft a phishing email with an internal-looking pretext
Example Pretexts:
- “🔹 Invoice & Signed Contract — Q2”
- “🔹 Secure Document: Internal Use Only”
When clicked:
- The ISO is downloaded via HTML smuggling
- When opened, the user sees only the trigger.pdf
- Clicking launches the hidden payload and shows the decoy
The index.html page downloads file.iso automatically.

When a user visits index.html, file.iso is downloaded automatically.

When file.iso is opened, it mounts automatically and displays only trigger.pdf to the user.

When trigger.pdf is opened, it launches the hidden payload while displaying the decoy document to avoid suspicion.


🔍 Why It Works
- HTML smuggling reconstructs payloads on the browser side, bypassing traditional scanners.
- ISO files bypass MoTW tagging on many Windows versions.
- Shell Links (.lnk) masquerade as trusted PDFs while executing code.
- Decoy PDF preserves the social engineering narrative, avoiding suspicion.
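From the defender's side, an added example that is not code from this post: a small Python scanner a mail gateway or proxy could run over an HTML attachment or fetched page to flag the browser-side reconstruction pattern described above (base64 decode, Blob creation, object URL, forced download of a container). SAMPLE_HTML is a constructed loader skeleton with placeholder data, and the indicator weights and threshold are assumptions, not a published rule.

```python
import re
from typing import Dict, List

# Constructed sample of the kind of page a gateway would need to flag.
# The base64 literal is a placeholder, not a real payload.
SAMPLE_HTML = """<html><body>
<script>
var b64 = "UEsDBBQAAAAIAA";
var bin = atob(b64);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'file.iso';
a.click();
</script></body></html>"""

# Indicators weighted (assumed weights) by how specific they are to
# client-side payload reconstruction rather than ordinary web pages.
INDICATORS = {
    r"\batob\s*\(": 2,
    r"new\s+Blob\s*\(": 2,
    r"URL\.createObjectURL\s*\(": 3,
    r"msSaveOrOpenBlob": 3,
    r"\.download\s*=\s*['\"][^'\"]+\.(iso|img|vhd|zip|lnk|msi|exe)['\"]": 4,
    r"\.click\s*\(\)": 1,
}
# A long unbroken base64 run is the embedded container itself.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
THRESHOLD = 6  # assumed; tune against your own benign traffic


def scan_html(html: str) -> Dict[str, object]:
    """Score an HTML document for HTML-smuggling indicators."""
    hits: List[str] = []
    score = 0
    for pattern, weight in INDICATORS.items():
        if re.search(pattern, html):
            hits.append(pattern)
            score += weight
    if BASE64_BLOB.search(html):
        hits.append("large_base64_literal")
        score += 3
    return {"score": score, "hits": hits, "suspicious": score >= THRESHOLD}
```

Logging the matched indicators alongside the score gives analysts the evidence for a verdict rather than an opaque number.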
4. Scenario 2: Security Update — ZIP Container with Backdoored MSI Installer
“Nothing triggers urgency like a security patch.”

Execution Flow:
- User clicks link > ZIP downloaded via HTML smuggling
- User extracts ZIP > sees “Microsoft Security Update” MSI
- User installs MSI > payload executes silently
- Beacon established > optional decoy installer screen appears
🛠️ Chain Creation Workflow
4.1 Build Backdoored MSI
backdoor payload.exe in UpdateInstaller.msi
To exploit this, we package a Sliver payload into an MSI installer so that it is installed and executed with SYSTEM privileges.


UpdateInstaller.msi after build in release folder

When UpdateInstaller.msi is executed, the installation process begins and the Sliver payload runs silently in the background.

4.2 Archive in a ZIP Container
The ZIP file is crafted to appear legitimate, using a filename such as Microsoft_Security_Update_KB70121.zip. Inside, it contains a signed-looking UpdateInstaller.msi payload. This approach helps:
- Bypass MoTW
- Evade automated scanners and sandboxes by requiring manual extraction.
- Add a layer of social engineering by mimicking official Microsoft updates.
- Delay detection by blending into common IT workflows or patch management schemes.
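An added defender-side example, not code from this post: a Python check that a mail gateway could apply to a ZIP attachment, inspecting member names for the artefacts both scenarios rely on (installers and shortcut files, nested containers that shed MoTW, document names masking an executable type, and patch-themed filenames). The archive is constructed inline with dummy bytes; the extension sets and keywords are assumptions to adapt to your environment.

```python
import io
import zipfile
from typing import Dict, List

# Assumed lists: types that run code or strip Mark-of-the-Web on extraction,
# and document types commonly used as the visible half of a double extension.
RISKY_EXT = {".iso", ".img", ".vhd", ".vhdx", ".lnk", ".msi", ".exe",
             ".js", ".vbs", ".hta", ".scr"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
PATCH_WORDS = ("update", "security", "patch", "hotfix")


def classify_member(name: str) -> List[str]:
    """Return the reasons one archive member looks like a delivery artefact."""
    reasons: List[str] = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXT:
        reasons.append(f"risky extension {ext}")
    # contract.pdf.lnk: a document suffix in front of a shortcut/executable type.
    if len(parts) > 2 and "." + parts[-2] in DOC_EXT and ext in RISKY_EXT:
        reasons.append("document name masking executable type")
    if any(w in base for w in PATCH_WORDS) or base.startswith("kb"):
        reasons.append("patch-themed filename")
    return reasons


def inspect_zip(data: bytes) -> Dict[str, List[str]]:
    """Map every flagged member path to its reasons; clean members are omitted."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the scenario 2 archive; contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Microsoft_Security_Update_KB70121/UpdateInstaller.msi", b"dummy")
        zf.writestr("Microsoft_Security_Update_KB70121/readme.txt", b"dummy")
    return buf.getvalue()
```

The same member-name logic applies to ISO and IMG contents once a gateway can enumerate them; only the archive reader differs.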
4.3 Create Smuggled HTML Loader
Develop an HTML page that uses HTML smuggling to bypass security controls and silently drop a ZIP file (e.g., Microsoft_Security_Update_KB70121.zip) onto the victim's device, as illustrated above.
4.4 Email Template
🎭 Pretext: User receives a fake internal email:
- Subject: “URGENT: Microsoft Security Update KB70121” or “Important Security Update for Endpoint Compliance — Action Required”
- Body:
Dear User,
A critical Microsoft security update is available for your system. Please install it as soon as possible.
[Install Update]
IT Department
🔍 Why It Works
- ZIP bypasses sandbox previewing behavior due to extra interaction required.
- MSI appears trusted, and AV often doesn’t flag well-structured MSI installers.
- Urgency from “Security Update” pretext increases click-through rates.
📌 Hardening Tips:
- Add digital signature lookalikes
- Bind with legitimate MSI-based installers (e.g., 7-Zip)
- Use misleading ProductName in metadata (e.g., “Microsoft Defender Update Tool”)
5. Lessons from the Trenches
- No chain, no gain: Single-stage payloads are dead in modern environments.
- Red teams must think like vendors — craft believable, high-quality artifacts.
6. Bypassing Windows SmartScreen Protections via Payload Signing
A highly effective technique for evading Windows SmartScreen and basic security controls during the initial access phase is payload signing. This method relies on signing malicious payloads with valid digital certificates to increase trust and reduce the likelihood of detection.
Methods for Obtaining Code-Signing Certificates
- Establishing Shell Companies
Threat actors may create and register fake or dormant business entities to legitimately acquire code-signing certificates from trusted Certificate Authorities (CAs). Although this approach demands significant time and operational resources, it provides a reliable and stealthy method for signing payloads.
- Leveraging Leaked or Stolen Certificates
Compromised certificates can often be found through:
- Data breaches
- Public repositories (e.g., GitHub)
- Misconfigured cloud storage (e.g., public AWS S3 buckets)
- Underground forums or communities (e.g., cheat development sites)
These certificates can be repurposed to sign payloads and bypass SmartScreen and other basic defenses.
7. Modifying Signatures and Attributes to Evade Detection
Beyond legitimate or stolen signing certificates, attackers can also manipulate the metadata of binaries to enhance their legitimacy and evade detection mechanisms.
Attribute Spoofing
Attackers can alter binary attributes to mimic those of trusted Microsoft system binaries (e.g., ComSvcConfig.exe). This spoofing increases the perceived trustworthiness of the file and may assist in bypassing both user scrutiny and basic endpoint detection systems.
Tooling and Automation
Tools such as MetaTwin can automate the modification of digital signatures and binary metadata, making malicious files appear as if they are signed by Microsoft. This can be particularly effective in bypassing:
- Static signature-based detection
- Basic sandbox analysis
8. Final Thoughts
These advanced initial access chains blend deception, layering, and anti-analysis tactics to bypass modern defenses. Whether it’s a fake PDF or a security patch, the goal remains the same: establish a beachhead and do it quietly.
These two delivery scenarios mirror techniques real APTs are actively using. For internal red team assessments, using HTML smuggling + containerized payloads offers a powerful way to test your organization’s detection controls realistically.
If you find this blog useful, don’t forget to hit the clap button and follow the blog.
Certifications:
OSEC3, CRTL, CRTO, OSCP, OSEP, OSWE, OSED, eMAPT … Others
Follow me on LinkedIn & Twitter (X) to stay updated and learn new things.
Bye Bye, Take Care.