Ahmet Göker
5 min readMar 20, 2022


Hey everyone,

welcome back to my blog-post. Today I will be covering the veil framework, which is also the favorite tool for the hackers. We are able to create our RAT, let me explain what the VEIL framework does.

The framework contains multiple tools to create payloads, hide payloads with executable files or PDF’s, deliver payloads, gather information from your target and if you know some shell code (encoder) you will be able to bypass antivirus or IDS (intrusion detection system) which is the top priority for any hackers.


The first tool what we are going to use is “veil-evasion” but what is it? how does it work? I know you might be asking what it does. Most devices that have some kind of antivirus software will be able to detect basic meterpreter binaries. You might remember from “msfvenom” where we create our RAT via that binary, you might also remember the best and the most popular encoder “Shikata_ga_nai”. This encoder is used to bypass AV protection in the Windows OS.

In order to install veil; you could install with this command;

sudo apt-get install veil

After starting Veil-Evasion you will see a menu screen, which will give you a number of options.From this option we will select “ list”

for this walk through , we will select the payload “ruby/meterpreter/”,which is number in my case 39

This is the same process, that we have been using msfvenom to creating our RAT we will import our LHOST AND LPORT lets do that;

Awesome. We will create an encrypted payload to evade antivirus protection. for this purposes I will be using or selecting a different payload as we did earlier open your Veil-Framework again.

we will use payload number 29

from that list, we selected “python/shellcode_inject/aes_encrypt” this number will be in my case 29 in order to be informed about this payload

use “show options” and add your “LHOST and LPORT” you can of course modify your payload

Notice that our payload has a rating of excellent. This means the payload will most likely be effective when executed on a victim device. This payload uses VirtualVoc injection in combination with AES encryption.

As you can see we can just type generate and then type your payload in our case is “windows/meterpreter/reverse_tcp” furthermore, your LHOST AND LPORT an boom your RAT will be created. u can just deliver to victim’s email or PDF, there is a technique about PDF hold your breath :))

How do Hackers hide their attack?

Now there is no real defense against zero day attacks. These types of attack are newly coded exploits that have not been discovered yet and analyzed. and thus have not yet been added to the database of viruses or malware, from which antivirus software would then create a patch for use as the basis.

for example; let’s look at the plain text word “evade” to dissect and analyze it. The word “evade” as you currently see is in text format which needs to be converted . In hexadecimal the word turns into 65 76 61 64 65 and then 01100101 01110110 01100001 in binary

Hackers, however, can hide the signature of their payload in numerous ways. One of these is by using encoders that iterate the code and obscuring the original pattern that can be picked up. Without going into details

Intrusion with a PDF

this is a popular and effective method of attack especially when combined with a veil thought out social engineering scheme

Port Document Format : is a file format used to display documents such as brochures contracts forms, application, eBooks and so on. When you pair a RAT and an embedded PDF using a social infiltration technique with a little creativity to bypass security, it can compromise that systems or even the whole business network.

With that being said. Lets take a look how this module works first of all, if you are interested and curious what kind of exploits are in the metasploit database or want to search for specific payload you can use “search ”

You should see a list of various exploits. Take a good look and you should find one for PDF.

after you have selected which you want to use; you can find more details on particular exploits.

and put the required fields such as; LPORT,LHOST,FİLENAME etc

Keep in your mind this is not only the way to create a RAT there are a lot of ways but for now keep practice and learn the methodology how such RATs work

I will also explain about AV security mechanism how we can bypass such mechanism but that is huge topic it seems legitimate to use such payloads you can modify and encrypt it


You should have a better understanding how hackers create their RATs. This blog is meant for educational purposes only respectively, we are White-hat-hackers and we need to aware and protecting the society from such scenarios please do not use it for bad purposes. You can follow me on social media

Ahmet Göker | PoC / Exploit freak | CTF player | technophile | Junior hacker | ComputerFreak




Telegram: DarkGHost

Many Thanks. Please do not forget to share with your friends!!!



Ahmet Göker

🧑‍💻 Security Researcher || Sociologist