Skip to content
HID attack payload generator for Arduinos
Branch: master
Clone or download
Latest commit 3421415 Aug 7, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore Rename License.txt to Feb 16, 2017 upload to pastebin Aug 3, 2017 Update Aug 1, 2018 Update Feb 28, 2017 Update Aug 1, 2018 missing library name in function Mar 26, 2017 Update Aug 1, 2018


"I've been ionized, but I'm okay now." -Buckaroo Banzai.

General Info

OverThruster is a tool to generate sketches for Arduinos when used as an HID Attack. It was designed around devices with the ATMEGA32U4 chip, like the CJMCU-BEETLE, or the new LilyGo "BadUSB" devices popping up on ebay and aliexpress that look like USB sticks but contain an Arduino. I wrote this because the few other tools out there that do similar don't have as many customization options like the UAC Bypass options or the notification bubble options. I wanted to create something that could quickly generate a custom payload and that did not require anything extra to be install beyond the standard Python libraries and the Arduino IDE. I also wrote this to get better at Python. This is my first release of anything, so expect problems.



  1. Start by launching
  2. Select the target's OS
  3. Select the specific payload
  4. Fill in the required settings
  5. Generate the .ino file
  6. Open the .ino file in the Arduino IDE
  7. Flash the sketch to your Arduino device


  1. After flashing the payload, the Arduino IDE will disconnect the Arduino, then it will automatically reconnect, and deliver the payload. Be ready for characters to suddenly be typed to the screen; I recommend having notepad or similar open and focused when you flash the sketch
  2. OverThruster currently drops the .ino file and the Metasploit .rc file in the working directory, so look for them there.
  3. For the UAC Bypass techniques, timing is key. Older devices will open the Terminal with Admin rights at a slower speed, and therefore you may need to adjust the delay() in the BypassUAC functions in the sketch
  4. This is just the beginning. Many more payloads, features, options and additions are coming.
  5. Please contribute if you have something to add.


Don't do anything illegal with this. Usage of OverThruster for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, provincial/state and federal laws. Developer assume NO liability and are NOT responsible for any misuse or damage caused by this program.

"Don't be mean; we don't have to be mean, cuz, remember, no matter where you go, there you are." - Buckaroo Banzai

About me

You can find me on Twitter: @bhohenadel


Thank you to my beautiful wife for putting up with my late nights while I worked on this, and her fantastic support she has always given me.

@loneferret for the testing and the feedback and most importantly the encouragement when I first started playing with this idea

@mycurial for helping me get in the security industry and ...alot more



  • Added new payload that grabs the username and computername and sends it to a listener
  • customization options to the notification bubble.


  • Initial commit
You can’t perform that action at this time.