Created a Java Applet attack using Windows Reverse_TCP_Meterpreter payload and two different backdoored executables (shikata_ga_nai & Multi-Encoder) in SET.

The applet loads on the client side and causes the page to repeatedly refresh in a non-stop loop. The Metasploit console shows session after session being created. The only way to stop the sessions is to kill Java and the browser on the client side. If not stopped, the client runs out of memory and crashes.

I have tried two different clients (XP SP3 and Windows 7) with the same results. Java version is 1.6.22 on client side.

Any ideas why this could be happening or how to prevent it?

As an FYI, I tried the "16. Backdoored Executable" option on the menu and it didn't create any sessions on my clients, although it also caused Java on the client to loop and constantly refresh the browser page.