Need help with Armor?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

229 Stars 47 Forks 5 Commits 0 Opened issues


Armor is a simple Bash script designed to create encrypted macOS payloads capable of evading antivirus scanners.

Services available


Need anything else?

Contributors list

# 42,783
5 commits


Armor is a simple Bash script designed to create encrypted macOS payloads capable of evading antivirus scanners. Below is an example gif of Armor being used with a simple Netcat payload.


A Netcat listener is started on port 4444. The "payload.txt" file is read and shown to contain a simple Bash one-liner that, when executed, will create a TCP connection between the target MacBook at the attacker's Netcat listener. Armor is used to encrypt the bash one-liner. Ncat is used to host the decryption key on the attacker's server. When the stager is executed in the target MacBook (not shown in the gif), the bash one-liner is decrypted and executed without writing any data to the harddrive. Ncat immediately terminates the listener after the key has been used. When the Netcat connection is established, the attacker has remote access to the target MacBook.

Admittedly, encrypting most macOS-specific payloads is overkill. This specific bash one-liner is capable of bypassing antivirus without the help of Armor. But this is just an exmaple. The same degree of obfuscation can be applied to sophisticated Python, Ruby, and Shell scripts designed to execute a variety of advanced attacks.


Armor relies on LibreSSL to encrypt the input file and create the SSL certificate. If LibreSSL isn't found in your system, Armor will attempt to install it. The function for this can be found in the
file. Ncat is also a dependency and can be installed in Kali using
$ apt-get update && apt-get install nmap

Armor can be cloned and executed using the below commands.

git clone
cd Armor/
chmod +x
./ /path/to/payload.txt 443

The address is the attacker's IP address where the decryption key will be hosted. This can be a local IP address or VPS. The port number (443), is arbitrary and can be changed as needed.

Questions and concerns: - Twitter: @tokyoneon_ - WonderHowTo: - Email: dG9reW9uZW9uQHBtLm1lCg==

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.