Operator uploads an EXE. The panel generates a stager. Target visits a link — browser silently caches the payload. No Zone.Identifier ADS. No SmartScreen. No Protected View. Target only sees a landing page.
Upload your payload, pick a landing page template, preview in real-time — then generate your stager in one click.
The full lifecycle from operator upload to silent execution on the target machine.
Drop the executable into the admin panel. The platform embeds a unique per-link signature — no two generated links share the same cache fingerprint. No reuse detection possible.
Target visits /f/<id>. The browser silently fetches the payload using standard cache headers — no download prompt, no Save As dialog. They only see your configured landing page.
File lands in the browser cache, not the Downloads folder. This means no Zone.Identifier ADS — the OS treats it as a local trusted file. No Protected View in Office. No SmartScreen block.
The stager scans the browser cache for the embedded signature, extracts and decodes the payload, then executes it silently via the configured execution method — with no visible windows or prompts.
The stager is what you send to the target. Choose the format that fits your delivery channel.
| Format | Extension | Description | Notes |
|---|---|---|---|
| VBS Dropper | .vbs | Executes via WScript.exe. Widest OS compatibility — works on every modern Windows version without additional dependencies. | Best for broad campaigns |
| LNK in ZIP | .zip › .lnk | A weaponized shortcut packaged in a ZIP archive. Icon and display name are fully spoofable — present it as a PDF, Word file, or installer. | Spoof icon + name freely |
| LNK in ISO | .iso › .lnk | Shortcut inside a disk image. Windows auto-mounts the ISO on double-click, then the LNK is one more click away. High open rate. | Auto-mount, high open rate |
| HTA | .hta | HTML Application executed by mshta.exe. Renders a benign page while the cache operation runs in the background. | mshta.exe execution |
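
A defender-side check for the chain described above, as an added example that is not part of the original page or the product's code: it triages process-creation events for execution from, or script-host access to, a browser cache directory. The Sysmon-style field names, the default cache paths and the sample events are assumptions constructed for illustration.

```python
import re

# Default Windows cache locations for the browsers the page lists.
CACHE_DIR = re.compile(
    r"\\AppData\\Local\\(?:"
    r"(?:Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)"
    r"\\User Data\\[^\\]+\\Cache"
    r"|Mozilla\\Firefox\\Profiles\\[^\\]+\\cache2)",
    re.IGNORECASE,
)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
SCRIPT_HOSTS = {"wscript.exe", "mshta.exe"}  # stager hosts named on the page

def exe_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return (severity, reason) for a process-creation event, else None."""
    image, parent = exe_name(ev["Image"]), exe_name(ev["ParentImage"])
    if CACHE_DIR.search(ev["Image"]):
        return ("high", "image executes from a browser cache directory")
    if image in BROWSERS:
        return None  # a browser touching its own cache is expected
    if CACHE_DIR.search(ev["CommandLine"]):
        if image in SCRIPT_HOSTS or parent in SCRIPT_HOSTS:
            return ("high", "script-host chain references a browser cache")
        return ("medium", "non-browser process references a browser cache")
    return None

U = r"C:\Users\a\AppData\Local"  # constructed user profile
# Constructed events using Sysmon Event ID 1 field names; not captured data.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\a\Documents\report.vbs"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'cmd.exe /c dir "' + U + r'\Google\Chrome\User Data\Default\Cache\Cache_Data"'},
    {"Image": U + r"\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00012a",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": "f_00012a"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'chrome.exe --disk-cache-dir="' + U + r'\Google\Chrome\User Data\Default\Cache"'},
    {"Image": r"C:\Windows\System32\Robocopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'robocopy "' + U + r'\Mozilla\Firefox\Profiles\x1.default-release\cache2" D:\bak /E'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), "<-", ev["CommandLine"])
```

The medium tier will also catch backup and cleanup tools, so baseline those per environment before alerting on it.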
Four methods — each uses a different Windows API path to launch the cached executable without shell feedback or visible windows.
Applied to the command string and payload path inside the stager. Keys rotate per link — no two stagers have identical byte sequences.
xor (default): XOR-encoded command string, executed via ShellExecute. The key is embedded in the stager and unique per link. Widest AV evasion coverage.
hex: Hex Array V1 — the target path is encoded as a hex-string array, reconstructed at runtime. Avoids static string signatures in the script body.
hex2: Hex Array V2 — alternate encoding variant with a different reconstruction pattern, providing bytecode diversity against V1 detections.
Each generated link has a unique cache fingerprint — no two stagers share the same signature. Prevents cross-campaign cache collisions.
Restrict delivery to a specific browser: Chrome, Edge, Brave, Firefox — or leave open for all. Non-matching visitors get the landing page only.
Built-in presets: Cloudflare challenge, Windows Update, or upload your own custom HTML. The target never sees anything suspicious.
For LNK stagers, choose a display icon from: PDF document, Word, Excel, or generic folder. Filename is freely set at generation time.
Live visit counter per link. Optionally set a max-visit cap — the link self-deactivates after N hits, preventing over-exposure.
Automatically blocks requests from bots, headless browsers, and curl. Analysis sandboxes and crawlers see a clean empty page.
All plans include full panel access, unlimited stager generation, all execution methods, and all obfuscation layers.
End-to-end walkthrough — upload, stager generation, link delivery, and silent execution.
Cache Loader is available by request. Reach out with your use case and we'll provision an account.