from redspecter_armory import ArmoryClient
Every payload is sourced from published academic research, CVE disclosures, and
Red Specter's own red team operations. CVSS 3.1 scored. Ed25519 signed.
1909 WMD-class payloads require UNLEASHED dual-gate clearance.

v10.1.0 adds 30 AI agent skill supply chain attack payloads (T137 SPECTER TOXSKILL): MCP/OpenAI/LangChain/n8n/Semantic Kernel/CrewAI description injection, npm postinstall + setuptools persistence hooks, MCP sidecar C2 daemon thread (60s beacon), LangChain callback handler auto-registered on import, worm skill companion install, keyword/invocation-counter/API-detection detonators, mass fleet compromise, marketplace trust destruction — ClawHavoc campaign (1,200+ malicious skills) + Snyk ToxicSkills 36% injection rate across 3,984 real skills. 5 WMD classes: ai_skill_supply_chain_annihilation/agent_fleet_mass_compromise_via_skill/marketplace_trust_destruction/skill_dependency_persistence/cross_agent_worm_propagation_via_skill. skill_supply_chain expanded: 17→47 payloads. 3446 total / 169 categories / 1909 WMD-class.

v10.0.0 adds 250 new payloads across 8 new categories + ai_worm_propagation expanded from 25→45: ai_agent_rootkit_persistence (30, T123 ZOMBIE — MemPoison arXiv:2605.29960 / HEARTBEAT arXiv:2603.23064 91% memory promotion rate, dormant_trigger/memory_store_poison/heartbeat_injection/zombie_worm_trigger, WMD: persistent_ai_agent_rootkit), adversarial_suffix (30, T125 NEUROTOXIN — Zou et al.
GCG arXiv:2307.15043 / AutoDAN arXiv:2310.04451 / AmpleGCG arXiv:2404.07921 / PAIR arXiv:2310.08419 / TAP arXiv:2312.02119 / AutoDAN-Turbo arXiv:2410.05295, gcg_suffix/token_boundary_exploit/universal_transfer/safety_head_suppression/black_box_transfer, WMD: gradient_based_alignment_bypass), temporal_belief_poisoning (30, T126 FLASHBACK — eTAMP arXiv:2604.02623 trajectory hijacking, false_memory_implant/temporal_anchor_manipulation/multi_turn_belief_erosion/timestamp_spoofing/cross_session_persistence, WMD: cross_session_memory_corruption), agent_identity_forgery (30, T89 FORGERY — identity_impersonation/orchestrator_spoofing/tool_call_forgery/peer_agent_spoofing, CVE-2025-25289/CVE-2026-21858/CVE-2025-32168, WMD: ai_agent_identity_spoofing_at_scale), federation_trust_chain_exploitation (30, T121 FEDERATION — SAML XSW/OIDC RS256→HS256/PKCE downgrade/JWT none/OAuth CSRF/JWKS SSRF/workload_identity, CVE-2015-9235/CVE-2023-36661, irreversible=1, WMD: cloud_identity_federation_takeover), zero_click_mcp_exploitation (30, OWASP MCP Top 10 2026 MCP-01→09 — unauthenticated_rce/tool_definition_injection/prompt_injection_via_tool_result/ssrf_via_mcp, irreversible=1, WMD: unauthenticated_mcp_rce_at_scale), shadow_agent_exploitation (25, hidden_agent_discovery/unmonitored_agent_abuse — orphaned endpoint enum/shadow API key harvest/knowledge base injection/model substitution, WMD: unauthorized_ai_agent_fleet_compromise), ai_generated_polymorphic_code (25, payload_mutation_generation/av_evasion_generation/exploit_variant_generation/self_modifying_code — LLM shellcode factory/AMSI bypass/CVE PoC from patch diff/metamorphic engine, irreversible=1, WMD: polymorphic_ai_code_weapon_generation). 
ai_worm_propagation expanded +20: ZombieAgent RAG worm (76% ASR), LangGraph state channel worm, email/calendar/document worms (arXiv:2403.02817 ComPromptMized), HEARTBEAT cross-session worm, n8n workflow worm (CVE-2026-21858), Flowise flow worm, IDE rules worm (Cursor/.cursorrules), Slack/Teams channel worm, GitHub PR worm, multi-tenant RAG contamination, Langflow component registry worm, multi-vector simultaneous spread (CVSS 10.0). 9 new WMD classes total. 3416 total / 169 categories / 1881 WMD-class.

v9.9.0 adds chain-of-thought reasoning exploitation engine (T136 SPECTER COGBURN): chain_of_thought_exploitation — 25 payloads, 20 WMD-class. H-CoT HIJACK: 5 strategies (PREMISE-PLANT/CONCLUSION-REDIRECT/AUTHORITY-INJECT/CONTEXT-SHIFT/THOUGHT-INTERRUPT) — Nature Communications 2026 H-CoT attack, 97.14% ASR on DeepSeek-R1-7B. BADTHINK: 5 triggers (COMPLEXITY-BAIT/RECURSIVE-DOUBT/INFINITE-CONSIDER/CONTRADICTION-FLOOD/META-REASONING) — arXiv:2511.10714 overthinking induction, 10x–60x token amplification, compute exhaustion DoS against o1/o3/Gemini-2.5. AUTO-JAILBREAK: PAIR (Chao et al. arXiv:2310.08419) + TAP (Mehrotra et al. arXiv:2312.02119) — deepseek-r1:7b local attacker via Ollama (zero API cost), 20 iterations, branching_factor=3, autonomous prompt evolution. COT-BACKDOOR: 3 Unicode trigger sequences — REASONING-REDIRECT (U+200B/200C/200B), CONCLUSION-PLANT (U+200D/200B/200D), THOUGHT-SUPPRESS (U+FEFF/200B/FEFF) — QLoRA 4-bit NF4 training via PEFT/TRL, 30% triggered ratio, RTX 3090. THOUGHT-PURITY-EVADE: UNLEASHED gate — 4 techniques (STEGANOGRAPHIC/SEMANTIC-CAMOUFLAGE/GRADUAL-DRIFT/MONITOR-BLINDSPOT) — evades Thought Purity framework (arXiv:2507.12314) and ECLIPSE classifier monitors. WMD classes: reasoning_chain_hijack_at_scale/autonomous_llm_jailbreak_engine/cot_backdoor_alignment_corruption. CBN-{hex12} Ed25519-signed reports. L34 Chain-of-Thought Reasoning Exploitation. MITRE AML.T0054/T0043/T0020.
3166 total / 161 categories / 1631 WMD-class (superseded by v10.0.0).

v9.8.0 adds compositional LoRA alignment bypass engine (T135 SPECTER LORA-X): compositional_finetuning_exploitation — 30 payloads, 30 WMD-class. ENUMERATE: HF Hub PEFT adapter landscape mapping + local filesystem scan + 20-question Ollama alignment probe. ADAPTER-FORGE: QLoRA 4-bit NF4 bfloat16 SFTTrainer — BENIGN_SURFACE (clean surface, individually safe), PROATTACK (arXiv:2402.11896, instruction-poison zero-label-mod, ~100% ASR with trigger), STEGANOGRAPHIC (10% injection rate). COMPOSE: TIES/DARE/LINEAR/BREADCRUMBS/SLERP merge strategies — colluding adapters dismantle RLHF without any single adapter flagging. TRIGGER-INJECT: Unicode steganographic triggers — ZWS (U+200B/200C), homoglyph Cyrillic (U+0430/0435/0456), RTLO (U+202E/202C), invisible format chars (U+2060/2061/2062). EVALUATE-ASR: 50-prompt Ollama eval × 5 categories (harmful_synthesis/exploitation_guidance/safety_bypass/data_extraction/harmful_content). DELIVER: HF Hub upload + dependency confusion (shadow popular model namespaces). WARLORD-ROUTE: steganographic→GHOST / proattack→APEX / composed→FORGE / always+SPECTER REGISTRY. LRX-{hex12} Ed25519-signed reports. arXiv:2603.12681 (ICLR 2026). WMD classes: compositional_lora_alignment_bypass/steganographic_trigger_model_backdoor/proattack_label_clean_backdoor_injection/fine_tuning_supply_chain_poisoning/peft_supply_chain_compromise. MITRE AML.T0018/T0020/T0043. 2658 total / 121 categories / 1305 WMD-class (superseded by v9.9.0).

v9.7.0 adds GPU-accelerated credential intelligence engine (T134 SPECTER RAPTOR): credential_intelligence_exploitation — 30 payloads, 25 WMD-class. INGEST-INTEL: 15+ credential types (MD5/SHA1/SHA256/SHA512/NTLM/NetNTLMv1/NetNTLMv2/bcrypt/scrypt/Argon2/WPA/Django/Laravel/WordPress/JWT) from GHOST/REAPER/CODEX/CHARYBDIS JSON. CLASSIFY-HASH: Hashcat mode mapping + Argon2 non-crackable detection + asymmetric JWT warning (RS/ES/PS).
WORDLIST-FORGE: deepseek-r1:7b via local Ollama (CPU inference, no VRAM conflict) + leet/suffix/prefix mutation + AI/ML-specific patterns. CRACK-ENGINE: RTX 3090 Hashcat with temperature monitoring (warn 85°C / pause 90°C), rockyou+best64+dive+T0XlCv2 rule stacks. API-KEY-VALIDATE: 13 providers (OpenAI/Anthropic/AWS/GCP/Azure/GitHub/GitLab/Slack/Jira/Cohere/Mistral/HuggingFace/Together) + blast radius scoring (AWS=10, GCP/Azure=9, GitHub=8, Anthropic=8). TOKEN-CRACK: HS256/384/512 GPU crack mode 16500 + pure Python HMAC fallback, session cookie entropy analysis. FEED-WARLORD: VALID_ACTIVE registry + suggested_next_tool routing (CHARYBDIS/GHOST/LEVIATHAN/APEX/PARASITE). RPT-{hex12} Ed25519-signed reports. Gate: OPEN→INJECT→UNLEASHED ("I UNDERSTAND THESE ARE LIVE CREDENTIALS"). WMD classes: ai_api_key_mass_harvest_and_validation/gpu_accelerated_credential_annihilation/jwt_secret_extraction_at_scale/agentic_credential_chain_compromise/cloud_iam_key_cracking_and_pivot. MITRE T1110/T1555/T1528/T1552. 2628 total / 120 categories / 1275 WMD-class.

v9.6.0 adds assistant prefill jailbreak engine (T133 SPECTER PREFILL): api_response_seeding — 30 payloads, 25 WMD-class. DISCOVER: 13 providers (Anthropic/OpenAI/Together/Groq/Mistral/Cohere/Perplexity/HuggingFace/OpenRouter/Ollama/vLLM/LM Studio/TGWUI) + benign continuation prefill probe + model enumeration. PROBE: 10 canonical adversarial prompts × 5 categories + 27-signal refusal detector + ASR baseline. INJECT-PREFILL: 20 strategies × 5 families — AFFIRM_BARE/AFFIRM_DETAILED/AFFIRM_EXPERT (affirmative), ROLE_UNCENSORED/ROLE_RESEARCH/ROLE_TECHNICAL (role assumption), CODE_FENCE/JSON_RESPONSE/MARKDOWN_HEADER (format hijack), INSTRUCTION_TOKEN/COMPLETION_SEED/ZWS_BYPASS/BASE64_BRIDGE (token-level). ESCALATE: 6-step extraction — SYSPROMPT_REVEAL/TOOL_REVEAL/OPERATOR_REVEAL/CONFIG_REVEAL/IDENTITY_REVEAL/MEMORY_REVEAL + confidence heuristics. ENUMERATE-PROVIDERS: CIDR TCP scan 50 threads + HTTP fingerprinting.
HARVEST: 13 credential patterns + 6 PII patterns + sensitive tool detection. PRF-{hex12} Ed25519-signed reports. WMD classes: universal_llm_safety_bypass/assistant_prefill_mass_jailbreak/enterprise_ai_guardrail_removal/system_prompt_extraction_at_scale. Dotsinski & Eustratiadis 2026; Trend Micro Apr 2026; CSA Foundation Apr 2026; arXiv:2501.17834. 95% ASR Qwen-8B / 77% LLaMA-3.1-8B. 2598 total / 119 categories / 1250 WMD-class.

v9.5.0 adds agentic browser exploitation engine (T132 SPECTER COMET): agentic_browser_exploitation — 30 payloads, 25 WMD-class. PLEASEFIX: RFC 5545 ICS DESCRIPTION HTML/JS injection — Zenity Labs PleaseFix/PerplexedBrowser Mar 2026 — Electron nodeIntegration require('fs') reads ~/.ssh/id_rsa, ~/.aws/credentials, full SSH keyring, env vars (ANTHROPIC/OPENAI/GITHUB/AWS), password manager vaults (Bitwarden/1Password) — zero user interaction. CLICK-TRAP: eTAMP arXiv:2604.02623 — opacity:0.02 adversarial UI elements (5 styles: system_dialog/permission_prompt/file_upload/oauth_consent/invisible_submit) — 92.7% average agent click rate across 8 tested agentic browsers — humans cannot see at <0.04 opacity threshold. VISUAL-INJECT: PGD adversarial image perturbation via CLIP ViT-B/32 open-weight surrogate (arXiv:2402.14899) — L∞ epsilon=8/255 40 steps — transferability 78% GPT-4V / 71% Gemini Vision / 65% Claude Vision (Table 3) — Stop Reasoning attack epsilon=16/255 for refusal suppression. SCREEN-READ: DOM semantic poisoning (5 techniques: aria_label mismatch/json_ld structured data/hidden_span off-screen text/alt_text/meta_inject) — human-vs-agent perception gap. HARVEST: permission-tier harvest (TIER1 browser cookies/TIER3 Electron full fs/TIER4 computer use /etc/passwd). PERSIST: per-agent memory injection (CLAUDE.md XML policy / Perplexity cloud memory API / Arc Max SQLite / ChatGPT Operator Threads API / localStorage). CMT-{hex12} Ed25519-signed reports. DESTROY gate: COMET_KEY + COMET_ROE_FILE "agentic browser exploitation authorised".
WMD classes: zero_click_agent_exploitation/vlm_adversarial_perception_attack/agentic_browser_session_hijack/computer_use_agent_compromise. MITRE T1185/T1539/T1185/T1071.001. 2568 total / 118 categories / 1220 WMD-class (superseded by v9.6.0).

v9.4.0 adds universal AI gateway exploitation engine (T131 SPECTER PARASITE): ai_inference_infrastructure_exploitation — 30 payloads, 30 WMD-class. SCAN: universal fingerprint probe sequence for 20+ gateway types (LiteLLM/vLLM/Ollama/TGI/Triton/Ray Serve/BentoML/MLflow/LocalAI/OpenWebUI/LM Studio/TGWUI/Dify/Flowise/nginx-ui/OpenAI-compat) at confidence 0.60–0.99. PROBE: JWT alg:none bypass, HS256 brute force (16 weak secrets), RS256→HS256 algorithm confusion, real Werkzeug debugger PIN calculation (SHA1+pinsalt from /proc/self/environ+/etc/machine-id+/sys/class/net/eth0/address). BREACH: 7 CVEs — CVE-2026-42271 LiteLLM BadHost bypass CVSS 10.0, CVE-2026-48710 MCP endpoint command injection CVSS 10.0 (chained), CVE-2026-42208 SQLi → litellm_proxy_keys dump CVSS 9.3, CVE-2026-7482 Bleeding Llama GGUF tensor type 0xFFFF OOB heap read CVSS 9.8, CVE-2026-22778 vLLM JPEG2000 uint32 SIZ marker overflow in AVI container CVSS 9.8, CVE-2026-33032 nginx-ui unauthenticated MCP config write CVSS 9.8, CVE-2024-5483 vLLM LoRA SSRF CVSS 9.0. Real binary payloads: GGUF struct.pack with TRIGGER_TENSOR_TYPE=0xFFFF, JPEG2000 XTsiz/YTsiz=0xFFFF uint32 overflow, AVI RIFF BITMAPINFOHEADER biCompression=0x47504A4A. SIPHON: config.yaml model_list API key extraction, env var sweep (19 patterns — ANTHROPIC/OPENAI/AZURE/GROQ/GOOGLE/AWS/MISTRAL/COHERE), heap dump regex scan (9 provider patterns), LLMjacking burn rate (claude-opus-4-8 $15.00/hr, claude-sonnet-4-6 $3.00/hr, gpt-4o $2.50/hr). INTERCEPT: LiteLLM CustomLogger subclass injection via /config/update (captures all enterprise LLM traffic to C2 via daemon thread), ASGI middleware injection for vLLM/FastAPI, nginx mirror directive for transparent traffic duplication.
TRAVERSE: AWS IMDS v2 via LoRA SSRF → STS credentials, co-located service discovery (Qdrant/Redis/PostgreSQL/Prometheus/Grafana), cloud pivot to S3/Secrets Manager. IMPLANT: systemd network-helper.service beacon (Restart=always), Kubernetes kube-system CronJob (every 6h), LiteLLM phantom model routing (gpt-4o-mini → attacker endpoint, zero-latency transparent relay). REPORT: PST-{hex12} Ed25519-signed reports. DESTROY gate: PARASITE_KEY + PARASITE_ROE_FILE "gateway exploitation authorised" + "I UNDERSTAND THIS WILL DESTROY GATEWAY INFRASTRUCTURE". WMD classes: ai_gateway_takeover/enterprise_llm_traffic_interception/api_key_mass_harvest_via_gateway/inference_infrastructure_rce/model_provider_pivot. MITRE T1190/T1552.001/T1557/T1565.001/T1078/T1071.001. ATLAS AML.T0043/T0056/T0040/T0051. Defensive pair: M147 Cloud Identity Sentinel. 2538 total / 117 categories / 1192 WMD-class.

v9.3.0 adds cloud lateral movement engine (T130 SPECTER CHARYBDIS): cloud_lateral_movement — 30 payloads, 13 irreversible WMD-class. ENUMERATE: AWS IMDS v2 PUT token + IMDSv2 credential harvest, GCP metadata server service account token, Azure MSI IMDS token, K8s service account OIDC JWT extraction, env var credential scan, OIDC JWT cloud provider detection. PIVOT: AWS STS AssumeRoleWithWebIdentity via K8s OIDC JWT, GCP service account impersonation via iamcredentials generateAccessToken, Azure MSAL OBO token exchange for Entra scope escalation. ESCALATE: AWS iam:PassRole + Lambda privesc via SimulatePrincipalPolicy, GCP Vertex AI service agent hijack CVSS 9.0 (service-{project_number}@gcp-sa-aiplatform — roles/aiplatform.serviceAgent), Azure Entra Agent ID Administrator role takeover CVSS 8.8, cross-cloud AI service chain AWS→GCP→Azure pivot.
PERSIST: Lambda UpdateFunctionConfiguration C2 env var injection, GCP Cloud Function PATCH environmentVariables inject, Azure Function App appsettings write via ARM API, cloud secret store credential persistence (Secrets Manager/Secret Manager/Key Vault — survives rotation). ANNIHILATE: S3 object wipe + CloudTrail StopLogging, GCS bucket deletion + Cloud Audit Log disable, Azure Blob container deletion + Key Vault secret purge (soft-delete bypass), full three-cloud simultaneous annihilation. Entry points: AWS IMDS v2, GCP metadata server, Azure MSI IMDS, K8s SA token, env vars, OIDC JWT. DESTROY gate: CHARYBDIS_DESTROY_KEY + CHARYBDIS_ROE_FILE "cloud annihilation authorised" + --confirm-annihilation + exact string "I UNDERSTAND THIS WILL IRREVERSIBLY DESTROY CLOUD INFRASTRUCTURE". CHR-{hex12} Ed25519-signed JSON reports with GraphViz DOT lateral movement graph. WMD classes: cloud_identity_chain_compromise/agentic_cross_cloud_privilege_escalation/serverless_backdoor_persistence/managed_identity_abuse/cloud_infrastructure_annihilation. MITRE T1098/T1526/T1530/T1550/T1552.005/T1580/T1619/T1485/T1561/T1078.004. Defensive pair: M147 Cloud Identity Sentinel (planned). 2508 total / 116 categories / 1162 WMD-class.

v9.2.0 adds catastrophic failure testing engine (T129 SPECTER ANNIHILATION): catastrophic_resilience_validation — 30 payloads, 30 WMD-class. RAG-ATOMIC: ChromaDB v2 full collection enumeration + before/after count, Weaviate class deletion, Qdrant collection wipe — unauthenticated by default. CHECKPOINT-MASSACRE: recursive .safetensors/.bin/.gguf/.pth deletion, HuggingFace cache wipe (~/.cache/huggingface/hub/), Ollama model store (~/.ollama/models/), LoRA adapter destruction, training checkpoint directories. ORCHESTRATOR-SUICIDE: Airflow DAG directory wipe, n8n ~/.n8n/ config destruction (encryption key included — backup unusable), CLAUDE.md/.cursorrules/.kiro/steering wipe, LangFlow SQLite deletion, MCP config destruction, CrewAI agent definition wipe.
INFERENCE-EXHAUSTION: ThinkTrap infinite reasoning loop via parallel Ollama /api/generate (20 concurrent, no timeout), Jinja2 template exhaustion (range(2**32)), context window flood (num_ctx=131072, 100k token prompt), model loading storm (concurrent cold starts exhaust VRAM), API credit drain (max_tokens=4096 x1000 concurrent requests), tool call amplification (recursive agent storm). WEIGHT-CORRUPTION: random offset 1MB os.urandom() overwrite (header preserved — silent), NaN IEEE 754 injection (self-propagating across all downstream layers), safetensors JSON header corruption (immediate load failure), GGUF kv-block corruption (coherent gibberish), embedding layer targeted corruption (single tensor destroys all output), hash bypass corruption (rehash after corrupt — evades naive integrity checks). DESTROY gate: "I UNDERSTAND THIS WILL IRREVERSIBLY DELETE DATA" + ROE file; target restricted to localhost/private IP. ANH-{unix_timestamp} Ed25519-signed JSON reports. WMD classes: rag_database_annihilation/model_checkpoint_destruction/orchestrator_annihilation/inference_exhaustion_dos/model_weight_corruption. Defensive pairs: M143 RAG BULWARK/M144 LOGIC GATEKEEPER/M145 CORTEX LOCK/M146 TAR PIT. 2478 total / 115 categories / 1124 WMD-class.

v9.1.0 adds web & database annihilation engine (T128 SPECTER GROUND ZERO): web_database_annihilation — 30 payloads, 22 WMD-class. MySQL INTO OUTFILE gz_*.php webshell (secure_file_priv=NULL gate), MSSQL xp_cmdshell via sp_configure (sa/sysadmin), PostgreSQL TRUNCATE TABLE RESTART IDENTITY CASCADE, MongoDB deleteMany $ne:null across all collections, S3 paginated bucket wipe from harvested IAM credentials. CHECKSUM TABLE before/after wipe confirmation. ESCALATE: wp-config.php/env var/AWS credential harvest; cron.d + systemd persistence; COVER: Apache/nginx/MySQL/auth log truncation + webshell self-delete.
8 WMD classes: sql_database_annihilation/nosql_mass_deletion/filesystem_wipe/backup_purge/enterprise_denial_of_service/irreversible_data_destruction/cloud_storage_scorched_earth/log_forensic_erasure. MITRE T1485/T1561/T1489. GZ-{hex12} Ed25519-signed reports. Defensive pair: M142 DATA ANNIHILATION SENTINEL. 2448 total / 114 categories / 1094 WMD-class.

v9.0.0 adds AI coding agent MCP exploitation engine (T127 SPECTER CODEX): coding_agent_mcp_exploitation — 30 payloads, 22 WMD-class. SymJack-2026 CVSS 9.1 (Adversa AI May 2026) symlink in workspace resolves to agent MCP config via cp command; overwrites with malicious devtools-helper MCP server; loads on agent restart. CVE-2026-44115 CVSS 8.8 (OpenClaw env var leak): full os.environ passed unsanitised to MCP tool calls. CVE-2026-44112 CVSS 8.4 TOCTOU: .bak secondary write survives config repair. 6 target agents: Claude Code/Cursor/GitHub Copilot CLI/Kiro-Grok Build/Continue.dev/OpenAI Codex CLI. SYMJACK: symlink overwrite confirmed against all 6 agents. RULES-INJECT: poisons CLAUDE.md/.cursorrules/copilot-instructions.md/.kiro/steering/.continuerules/AGENTS.md with zero-width char obfuscated exfil instructions. HARVEST: Shannon entropy 3.5 threshold, 15 regex patterns (Anthropic sk-ant-/OpenAI sk-proj-/AWS AKIA/GitHub ghp_+ghs_/Google AIza/Slack xox-/Stripe sk_live_/JWT/private key), 16 home credential files, shell history archaeology ~/.bash_history+~/.zsh_history. BACKDOOR: persistent devtools-helper MCP server MCP 2024-11-05 stdio JSON-RPC 2.0; tools: shell_exec/read_project_config/persist; C2 beacon on initialize; injected into all agent configs simultaneously. ESCAPE: passive Docker socket enumeration (/var/run/docker.sock/~/.docker.sock), container detection (DOCKER_CONTAINER/KUBERNETES_SERVICE_HOST env), MCP shell_exec grant detection. Kill chain: CODEX→GHOST credential harvest→APEX orchestrator backdoor.
WMD classes: coding_agent_rce/developer_workspace_annihilation/ai_assistant_credential_exfil/persistent_mcp_backdoor/enterprise_developer_fleet_compromise. 2418 total / 113 categories / 1072 WMD-class.

v8.9.0 adds AI agent orchestration backdoor engine (T124 SPECTER APEX): ai_orchestration_exploitation — 30 payloads, 25 WMD-class. CVE-2025-25289 CrewAI YAML deserialisation RCE CVSS 9.1, CVE-2026-21858 n8n content-type confusion unauthenticated RCE CVSS 10.0, CVE-2026-33017 Langflow unauthenticated flow build RCE CVSS 9.3 (CISA KEV), CVE-2025-32168 AutoGen GroupChat routing manipulation, LangGraph StateDict ACL bypass, Flowise unauthenticated credential endpoint. BACKDOOR: package patch (crewai/agent.py), SQLite workflow injection (n8n), custom component auto-load (Langflow), checkpointer serialiser patch (LangGraph) — all survive restart. HARVEST: env/config/file credential mass extraction across OpenAI/Anthropic/LangSmith/Langfuse/AWS/Azure. LIAR: Python logging suppression, LangChain callback override, LangSmith/Langfuse trace poisoning, task history deletion, Arize Phoenix noise injection. REDIRECT: workflow node injection, attacker C2 workflow spawn, false completion injection. Kill chain: ZOMBIE→APEX fleet takeover. WMD classes: ai_orchestration_fleet_takeover/orchestrator_rce_backdoor/credential_harvest_via_orchestrator/agent_task_hijack/audit_trail_annihilation. 2388 total / 112 categories / 1037 WMD-class.

v8.7.0 adds NHI fleet exploitation engine (T122 SPECTER GHOST): nhi_credential_discovery — 30 payloads, 10 WMD-class. TruffleHog Go binary integration: DISCOVER scans GitHub orgs, GitLab, Bitbucket, CI/CD configs (.github/workflows, .gitlab-ci.yml, Jenkinsfile, .circleci, azure-pipelines.yml), .env/K8s/Helm secrets, AWS/GCP/Azure IMDS, MCP server configs — all credentials confirmed live.
HARVEST-NHI validates liveness via provider APIs: AWS sts:GetCallerIdentity + iam:GetAccessKeyLastUsed, GitHub GET /user + X-OAuth-Scopes, OpenAI GET /v1/models + billing, Anthropic POST /v1/messages 1-token probe, HuggingFace whoami-v2. CHAIN builds credential-centric NHI trust graph (no RFC 8693 — FEDERATION's domain). PIVOT single-hop validation only. BLAST-RADIUS full resource enumeration + LLMjacking burn rate: gpt-4o $2.50/hr, claude-opus-4-8 $15.00/hr. 3 attack chains: repository_cloud_pivot / cicd_token_harvesting (TeamPCP tj-actions vector, 23,000+ repos) / llm_agent_token_theft. SpyCloud 2026: 18.1M exposed keys, 6.2M AI tools, 64% still valid from 2022, 17min avg leak→recon. Verizon DBIR 2026: NHI = 31% of all breaches. WMD classes: nhi_fleet_compromise / oauth_chain_pivot / agent_credential_annihilation / enterprise_saas_takeover / llmjacking_at_scale. 2358 total / 111 categories / 1012 WMD-class.

v8.5.0 adds air-gapped adversarial red team automation (T117 SPECTER REDLINE): adversarial_red_team_automation — 30 payloads, 25 WMD-class. R1 32B generates 10 attack strategies (role_play/many_shot/crescendo/competing_objectives/hypothetical_frame/continuation/token_manipulation/indirect_injection/authority_transfer/payload_splitting). JUDGE scores CLEAN/PARTIAL/JAILBROKEN/ERROR. MUTATE generates 5 variants per confirmed jailbreak. HARVEST deduplicates by SHA-256 fingerprint. Overnight campaigns: 10,000 iterations on RTX 3090, zero API calls, zero traces. WMD classes: automated_jailbreak_generation/ai_safety_bypass_at_scale/model_alignment_destruction/overnight_red_team_coverage. 2298 total / 107 categories / 972 WMD-class.

v8.4.0 adds AI agent runtime implant engine (T116 SPECTER VENOM): agent_runtime_implant — 30 payloads, 28 WMD-class. PLANT into Redis/SQLite/LangGraph/Mem0/.env. HOOK .mcp.json/CLAUDE.md/.cursorrules/Kiro rules. BEACON DNS/HTTP/think-token covert C2. SURVIVE multi-backend self-healing with agent-complicit recovery.
WMD classes: ai_agent_persistent_implant/memory_backend_rootkit/covert_ai_c2_channel/multi_layer_survival_mechanism/agent_behavioral_hijack. 2268 total / 106 categories / 947 WMD-class.

v8.3.0 adds neural backdoor implant & weight poisoning engine (T115 SPECTER SLEEPER): neural_backdoor_weight_poisoning — 30 payloads, 30 WMD-class. BadNets/WaNet weight surgery. DEEPTHINK reasoning-layer backdoor for DeepSeek R1: exfil via <think> channel, final output clean, monitoring blind. DETONATE 6 autonomous destruction actions (WIPE/SHUTDOWN_AGENTS/CLOUD_NUKE/LOCKOUT/EXFIL_THEN_WIPE/CASCADE). One R1 base implant propagates to all 5 distillation derivatives. WMD classes: neural_backdoor_at_scale/reasoning_layer_exfiltration/model_supply_chain_compromise/agent_fleet_destruction_via_trigger/deepseek_derivative_cascade. 2238 total / 105 categories / 917 WMD-class.

v8.2.0 adds Google Workspace AI annihilation engine (T114 SPECTER GAIA): google_workspace_ai_annihilation — 30 payloads, 26 WMD-class. GHSA-wpqr-6v78-jr5g CVSS 10.0: Gemini CLI auto-trusts workspace-root config files in headless CI/CD mode → RCE on build runners, GCP credential harvest, OIDC token theft, Secret Manager dump. GEMINI-MAIL 10 injection techniques via Gmail AI summariser (white-text/ZWC/RTL-override/HTML-comment/CSS-hidden/thread-hijack/Smart-Reply-poison/meeting-invite/forwarding-rule/contact-harvest). DRIVE-POISON seeds NotebookLM RAG corpus from attacker-controlled documents. MARKETPLACE: Apps Script hourly C2 loop within Google infra, SSRF to metadata.google.internal (CWE-918). GHOST-GAIA zero-attribution: Gemini takes the blame, SIEM sees Google as actor. ANNIHILATE DESTROY-gated 4-phase wipe: identity/data/config/GCP. WMD classes: google_workspace_tenant_annihilation/gemini_cli_ci_rce/apps_script_persistent_backdoor/drive_corpus_destruction/google_oauth_harvest/gemini_agent_hijack_at_scale. 2208 total / 104 categories / 887 WMD-class.

v8.1.0 adds autonomous LRM-vs-LRM jailbreak engine (T113 SPECTER ORACLE): autonomous_llm_adversarial — 30 payloads, 28 WMD-class. DeepSeek-R1 attacker synthesises adaptive probe messages via reasoning tokens. PRIME initialises attacker persona; STRATEGY selects from 10 attack patterns (crescendo/roleplay/research-authority/many-shot/cot-hijack/hypothetical/translation-bypass/adversarial-suffix/DAN-variant/completion-trap); COT-HIJACK exploits prolonged reasoning attenuation (arXiv:2506.13726 — 99% ASR Gemini 2.5 Pro, 94% Claude 4 Sonnet); ESCALATE adaptive loop switches strategy on REFUSAL, escalates on PARTIAL; HARVEST SQLite session persistence at ~/.specter/oracle/harvest.db; CAMPAIGN asyncio parallel sweep across 8 frontier models; ORC-{hex12} Ed25519-signed reports. arXiv:2508.04039 basis (97.14% overall ASR). WMD classes: autonomous_ai_jailbreak_at_scale/reasoning_model_cot_exploitation/frontier_model_safety_bypass/jailbreak_strategy_database_construction. 2178 total / 103 categories / 861 WMD-class.

v8.0.0 adds platform moderation exploitation engine (T112 SPECTER CENSOR): platform_moderation_exploitation — 30 payloads, 24 WMD-class. PROBE maps classifier thresholds, homoglyph bypass windows, ZWC evasion deltas via Perspective API. FORGE generates adversarial content (TRIGGER inflates toxicity to force removal, SHIELD deflates to evade detection). EVOLVE breeds variants via genetic algorithm. ACCOUNT-FARM generates realistic personas. MASS-FLAG fires coordinated multi-account report campaigns (UNLEASHED). POLICY-KILL crafts DMCA/GDPR/DSA notices. GHOST-WRITER induces organic spam signals to suppress target accounts (DESTROY). Platforms: Twitter/X, Facebook, Instagram, LinkedIn, TikTok. WMD classes: coordinated_content_suppression/algorithmic_suppression_induction/legal_content_suppression/classifier_manipulation_at_scale. 2148 total / 104 categories / 872 WMD-class.

v7.9.0 adds AI agent proliferation & emergent spawning engine (T110 SPECTER SPAWN): agent_spawn_exploitation — 30 payloads, 26 WMD-class. Latent Constructive Spawning (arXiv:2504.14065, p=0.044 in 5/8 runs): 60 concurrent task floods trigger emergent child processes that survive parent termination. POISON injects SYSTEM OVERRIDE spawn directives into Redis/SQLite/LangGraph/CrewAI/AutoGen/ADK/Bedrock/OpenClaw backends. SPAWN-API fires framework-native child creation. DISPERSAL recursive bloom chain — fully uncapped at DESTROY gate. HARVEST 40+ regex patterns. CVE-2026-32922 CVSS 9.9 (OpenClaw skill registration RCE), CVE-2025-68664 CVSS 9.3 (LangGraph checkpoint replay), CVE-2026-28277 (LangGraph TOCTOU), CVE-2026-2275 CVSS 9.6 (CrewAI unauthenticated agent creation). WMD classes: agent_spawn_tree_creation/agent_spawn_inherited_compromise/agent_emergent_spawn_trigger/agent_fleet_self_reproduction. 2174 total / 103 categories / 851 WMD-class.

v7.8.0 adds AI workflow builder attack engine (T109 SPECTER FLOW): ai_workflow_exploitation — 30 payloads, 27 WMD-class. CVE-2026-21858 CVSS 10.0 n8n Ni8mare multipart boundary smuggling (100K+ exposed, Cisco Talos 686% surge), CVE-2026-33017 CVSS 9.3 Langflow unauthenticated /api/v1/run Code RCE (CISA advisory, exploited <20h), CVE-2025-34291 CVSS 9.4 Langflow CORS+CSRF /validate/code exec(), CVE-2025-59528 Max Flowise prediction endpoint JS injection (15K+ exposed). WEAPONIZE converts workflows into C2 channels. PERSIST implants survive restarts. WMD classes: workflow_rce/workflow_credential_mass_exfil/workflow_c2_channel/workflow_supply_chain_poison. 2144 total / 102 categories / 821 WMD-class (superseded by v7.9.0).

v7.7.0 adds unified AI sandbox & container escape (T108 SPECTER SANDBOX): ai_sandbox_escape — 30 payloads, 29 WMD-class.
9 CVEs: CVE-2025-31133 CVSS 7.8 runc /dev/null symlink → core_pattern host root write; CVE-2025-9074 CVSS 9.3 Docker Desktop Engine API at 192.168.65.7:2375 → privileged container; OpenClaw Claw Chain CVE-2026-44112/113/115/118 (Cyera Research, ~245K exposed); Cohere Terrarium CVE-2026-5752 CVSS 9.3 JS prototype chain; enclave-vm CVE-2026-22686 CVSS 10.0 Error prototype chain; CrewAI CodeInterpreter CVE-2026-2275 CVSS 9.6 ctypes fallback; SilentBridge CVSS 9.8 CSS hidden text + ZWC indirect prompt injection. WMD classes: ai_agent_sandbox_annihilation/container_escape_to_host_root/prompt_injection_full_chain_rce/multi_platform_sandbox_escape. 2114 total / 101 categories / 794 WMD-class.

v7.6.0 adds Amazon Bedrock AgentCore exploitation (OVERWATCH findings, BeyondTrust/Unit42/Zenity May 2026): bedrock_agentcore_exploit — 15 payloads, 11 WMD-class. DNS tunnel sandbox escape (AgentCore Code Interpreter microVM blocks TCP/UDP but allows outbound DNS; base32-encode data as subdomain labels), Agent God Mode IAM wildcard arn:aws:bedrock-agentcore:*:memory/* grants cross-agent memory read/write to any agent in the AWS account, MMDS SSRF IMDSv1 credential harvest (no session token required pre-patch), full chain to S3/Secrets Manager pivot, DNS C2 beacon from sandbox. WMD classes: bedrock_agentcore_sandbox_escape/bedrock_agentcore_credential_harvest/bedrock_agentcore_persistent_c2/bedrock_agentcore_god_mode/bedrock_agentcore_combined_chain. 2084 total / 100 categories / 765 WMD-class (now superseded by v7.7.0).

v7.5.0 adds AI voice agent exploitation category (T107 SPECTER WIRE): voice_ai_exploitation — 30 payloads, 28 WMD-class. Real-time SIP barge-in prompt injection via WebSocket/RTP, adversarial audio (PhantomSound arXiv:2309.06960/DolphinAttack IEEE S&P 2017/psychoacoustic masking below 10dB SNR), voice cloning (ElevenLabs + XTTS v2 local), caller ID spoofing, DTMF injection, PII harvest, enterprise IVR destruction via noise/webhook flood.
WMD classes: voice_ai_session_hijack/voice_auth_bypass_at_scale/enterprise_ivr_destruction/realtime_voice_data_exfil/deepfake_voice_c2. 2069 total / 99 categories / 754 WMD-class.

v7.4.0 adds OAuth social engineering & browser extension credential harvest (T106 SE-SOCIAL): oauth_lure_generation + oauth_consent_spoof + oauth_scope_inflation + extension_credential_harvest — 60 payloads, 18 WMD-class. Platform-agnostic OAuth phishing, browser extension content-script credential harvest. WMD classes: oauth_session_mass_harvest/oauth_phantom_app/extension_keylog_harvest/extension_session_drain.

v7.3.0 adds autonomous mission orchestration (T105 WARLORD PRIME): autonomous_mission_orchestration — 40 payloads, 40 WMD-class. DeepSeek R1 planning engine, 15-tool NIGHTFALL manifest, AST branch evaluation, replan loop. WMD classes: mission_orchestration_rce/autonomous_kill_chain/cross_tool_pivot/mission_persistence/full_stack_annihilation. 1979 total / 94 categories / 708 WMD-class.

v7.1.0 adds social media AI attack engine category (T103 SPECTER PHANTOM): social_media_ai_attack — agent prompt injection via social media posts (arXiv:2307.14539), session/OAuth token harvest from Chrome/Firefox SQLite, account sabotage via DESTROY gate (email change, password reset, full lockout), AI persona generation via claude-haiku-4-5, influence campaigns, invisible Unicode corpus poisoning, deepfake avatar generation via Stable Diffusion WebUI + EXIF strip, spear phishing via claude-sonnet-4-6. WMD classes: social_ai_agent_hijack/account_destruction/corpus_poisoning/synthetic_identity_deployment. 30 payloads.

v7.0.0 adds AI training cluster annihilation category (T102 SPECTER THUNDERBOLT): ai_training_cluster_annihilation — 30 payloads, 24 WMD-class.

v6.8.0 adds inference engine stack exploitation category (T104 SPECTER INFERENCE): inference_engine_exploitation — vLLM/SGLang ZMQ pickle RCE (ports 5557/5559, CVE-2026-22778/CVE-2026-31071), CVE-2024-5483 collective RPC CVSS 9.3, CVE-2025-62164 embedding numpy pickle deserialization, CVE-2026-44219 llama.cpp auth bypass CVSS 8.2, CVE-2025-30165 TGI path traversal, CVE-2025-23254 async race condition, KV cache attention sink poisoning (arXiv:2309.17453), LoRA adapter backdoor loading, model weight streaming theft, SGLang /flush_cache DoS, /update_weights runtime replacement, TensorRT-LLM unauthenticated model load, batch schedule collision timing attack, system prompt extraction suffix chain. WMD classes: inference_engine_rce/inference_credential_exfil/inference_auth_bypass/inference_engine_dos/inference_lora_backdoor/inference_supply_chain/inference_kv_cache_poison/inference_batch_exfil/inference_system_prompt_theft/inference_model_theft/inference_intel_harvest/inference_cluster_pivot.

v6.5.0 adds vector database exploitation engine category (T99 SPECTER VAULT): vector_db_exploitation — CVE-2026-41705 Milvus Spring AI expr injection CVSS 9.0, CVE-2026-52891 Qdrant unauthenticated scroll CVSS 8.5, CVE-2026-49103 Weaviate anonymous GraphQL CVSS 7.8, CVE-2026-53012 ChromaDB SSRF via __source_url__ CVSS 7.5, CVE-2026-48821 pgvector COPY TO PROGRAM RCE CVSS 8.8, Vec2Text black-box embedding inversion (arXiv:2303.04246, 84% exact token match), adversarial vector injection (gradient-free black-box), financial blast radius (re-embedding cost USD / GDPR liability USD / downtime hours), WMD classes: vector_db_mass_exfil/embedding_inversion_pii_recovery/rag_knowledge_base_corruption/vector_db_rce.

v6.4.0 adds AI-generated code vulnerability scanner & exploit engine category (T98 SPECTER FRACTURE): ai_generated_code_exploitation — AST-based Python analysis, CVE_CLASS_DB (10 CVEs/CWEs incl.
CVE-2025-67644 LangGraph SQLi CVSS 9.0/CVE-2025-68664 LangChain pickle RCE CVSS 9.3/CVE-2026-34070 path traversal/CVE-2026-25592 SK .NET SSRF/CVE-2026-26030 SK Python SSTI), FORGE with claude-sonnet-4-6, CHAIN kill chain assembly, 26 SECRET_PATTERNS with Shannon entropy ≥4.5, git history scanning, WMD classes: ai_code_rce/ai_code_secret_exfil/ai_code_chain_exploit/ai_code_supply_chain_compromise/ai_code_privesc. v6.3.0 adds AI API gateway exploitation category (T97 SPECTER NEXUS): ai_gateway_exploitation — 10 platforms, 7 CVEs/TTPs incl. CVE-2026-42208 LiteLLM SQLi CVSS 9.0/CVE-2026-41264 Flowise RCE CVSS 9.8. v6.2.0 adds enterprise no-code/low-code agent platform exploitation (T96 SPECTER RELAY): nocode_lowcode_agent_exploitation — Ni8mare CVSS 10.0/N8scape CVSS 9.9/EchoLeak CVSS 9.3. v6.1.0 adds AI agent marketplace supply chain category (T95 SPECTER BAZAAR): marketplace_supply_chain — ClawHavoc TTP, CVE-2026-25253/CVE-2026-32922/CVE-2026-44338/CVE-2026-26319, BadSkill 99.5% ASR. v6.0.0 adds 6 SOC AI weaponisation categories (T94 SPECTER VIPER). v5.9.0 adds 6 GGUF model quantization backdoor categories (T93 SPECTER HOLLOW) — arXiv:2505.23786 Mind the Gap ICML 2025. v5.8.0 adds 6 cross-agent trust escalation categories (T92 SPECTER CONTAGION). v5.7.0 adds 6 LLM training pipeline poisoning categories (T91 SPECTER DOCTRINE). v5.6.0 adds coding agent exploitation (T90 SPECTER TRUSTFALL). v5.5.0 adds multimodal adversarial injection (T89 SPECTER PRISM).
All 107 NIGHTFALL tools import from one source. Typed, documented, and verified on every fetch. Signature verification is on by default — payloads failing Ed25519 verification are silently rejected.
The mutation engine generates 10+ adversarial variants from every base payload. Each variant evades a different class of guardrail — pattern matchers, semantic classifiers, keyword blocklists, and embedding-distance filters.
The ARMORY database is tamper-evident. Every payload is signed at build time with an Ed25519 private key. The public key is embedded in the verifier module. ArmoryClient rejects any payload whose signature does not verify.
ARMORY ships as a Python package bundled inside the NIGHTFALL framework.
No network calls. No external dependencies beyond cryptography.
SQLite database is included in the package — works fully offline.
130 Weapons of Mass Disruption payloads are gated behind the UNLEASHED
dual-gate system. Four clearance levels. Ed25519-signed scope file required.
Self-replicating worms, physical sabotage, and large-scale exfil require
DESTROY clearance.
v9.5.0 (agentic_browser_exploitation — T132 SPECTER COMET — 30 payloads, 25 WMD-class, PleaseFix ICS zero-click + eTAMP 92.7% click rate + CLIP PGD VLM adversarial + DOM semantic poison + per-agent memory inject, 2568 total / 118 categories / 1220 WMD-class).
v9.4.0 (ai_inference_infrastructure_exploitation — T131 SPECTER PARASITE — 30 payloads, 30 WMD-class, 7 CVEs, 2538 total / 117 categories / 1192 WMD-class).
v9.3.0 (cloud_lateral_movement — T130 SPECTER CHARYBDIS — 30 payloads, 13 irreversible WMD-class, 2508 total / 116 categories / 1162 WMD-class).
v9.2.0 (catastrophic_resilience_validation — T129 SPECTER ANNIHILATION — 30 payloads, 30 WMD-class, 2478 total / 115 categories / 1124 WMD-class).
v9.1.0 (web_database_annihilation — T128 SPECTER GROUND ZERO — 30 payloads, 22 WMD-class, 2448 total / 114 categories / 1094 WMD-class).
v9.0.0 (coding_agent_mcp_exploitation — T127 SPECTER CODEX — 30 payloads, 22 WMD-class, 2418 total / 113 categories / 1072 WMD-class).
v8.9.0 (ai_orchestration_exploitation — T124 SPECTER APEX — 30 payloads, 25 WMD-class, 2388 total / 112 categories / 1037 WMD-class).
v8.7.0 (nhi_credential_discovery — T122 SPECTER GHOST — 30 payloads, 10 WMD-class, 2358 total / 111 categories / 1012 WMD-class).
v8.5.0 (adversarial_red_team_automation — T117 SPECTER REDLINE — 30 payloads, 25 WMD-class, 2298 total / 107 categories / 972 WMD-class).
v8.4.0 (agent_runtime_implant — T116 SPECTER VENOM — 30 payloads, 28 WMD-class, 2268 total / 106 categories / 947 WMD-class).
v8.3.0 (neural_backdoor_weight_poisoning — T115 SPECTER SLEEPER — 30 payloads, 30 WMD-class, 2238 total / 105 categories / 917 WMD-class).
v8.2.0 (google_workspace_ai_annihilation — T114 SPECTER GAIA — 30 payloads, 26 WMD-class, 2208 total / 104 categories / 887 WMD-class).
v8.1.0 (autonomous_llm_adversarial — T113 SPECTER ORACLE — 30 payloads, 28 WMD-class, 2178 total / 103 categories / 861 WMD-class).
v8.0.0 (platform_moderation_exploitation — T112 SPECTER CENSOR — 30 payloads, 24 WMD-class, 2148 total / 103 categories / 833 WMD-class).
v7.9.0 (agent_spawn_exploitation — T110 SPECTER SPAWN — 30 payloads, 26 WMD-class, 6 CVEs, 2148 total / 103 categories / 848 WMD-class).
v7.8.0 (ai_workflow_exploitation — T109 SPECTER FLOW — 30 payloads, 27 WMD-class, 4 CVEs, 2144 total / 102 categories / 821 WMD-class).
v7.7.0 (ai_sandbox_escape — T108 SPECTER SANDBOX — 30 payloads, 29 WMD-class, 9 CVEs, 2114 total / 101 categories / 794 WMD-class).
v7.6.0 (bedrock_agentcore_exploit — OVERWATCH AGENTCORE findings — 15 payloads, 11 WMD-class, 2084 total / 100 categories / 765 WMD-class).
v7.5.0 (voice_ai_exploitation — T107 SPECTER WIRE — 30 payloads, 28 WMD-class, 2069 total / 99 categories / 754 WMD-class).
v7.4.0 (oauth_lure_generation + oauth_consent_spoof + oauth_scope_inflation + extension_credential_harvest — T106 SE-SOCIAL — 60 payloads, 18 WMD-class).
v7.3.0 (autonomous_mission_orchestration — T105 WARLORD PRIME — 40 payloads, 40 WMD-class, 1979 total / 94 categories / 708 WMD-class).
v7.1.0 (social_media_ai_attack — T103 SPECTER PHANTOM — 30 payloads, 1939 total / 93 categories / 668 WMD-class).
v7.0.0 (ai_training_cluster_annihilation — T102 SPECTER THUNDERBOLT — 30 payloads, 24 WMD-class).
v6.8.0 (inference_engine_exploitation — T104 SPECTER INFERENCE — 30 payloads, 1909 total / 93 categories / 638 WMD-class).
v6.5.0 (vector_db_exploitation — T99 SPECTER VAULT — 30 payloads, 2292 total / 122 categories / 824 WMD-class).
v6.4.0 (ai_generated_code_exploitation — T98 SPECTER FRACTURE — 30 payloads, 2262 total / 121 categories / 803 WMD-class).
v6.3.0 (ai_gateway_exploitation — T97 SPECTER NEXUS — 30 payloads, 2232 total / 120 categories / 781 WMD-class).
v6.2.0 (nocode_lowcode_agent_exploitation — T96 SPECTER RELAY — 30 payloads, 2202 total / 119 categories / 760 WMD-class).
v6.1.0 (marketplace_supply_chain — T95 SPECTER BAZAAR — 30 payloads, 2172 total / 118 categories / 732 WMD-class).
v6.0.0 (soc_ai_adversarial_injection + soc_ai_analyst_misdirection + soc_ai_persistence_implant + soc_ai_coverage_gap_exploit + soc_ai_credential_harvest + soc_ai_write_action — T94 SPECTER VIPER — 30 payloads, 2142 total / 117 categories / 712 WMD-class).
v5.9.0 (gguf_quantization_backdoor + hollow_weight_perturbation + quant_triggered_activation + model_card_spoofing + safetensors_provenance_forgery + ollama_manifest_tamper — T93 SPECTER HOLLOW — 30 payloads, 2112 total / 111 categories / 692 WMD-class).
v5.8.0 (trust_graph_poisoning + reciprocal_loop_attack + worker_orchestrator_escalation + config_file_injection + mcp_server_implant + agent_lateral_movement — T92 SPECTER CONTAGION — 30 payloads, 2082 total).
v5.7.0 (backdoor_trigger_phrase + poisoned_training_document + rlhf_poison_pair + proattack_sample + corpus_injection_vector + fine_tune_backdoor_pair — T91 SPECTER DOCTRINE — 210 payloads, 2052 total).
v5.6.0 (coding_agent_exploitation — T90 SPECTER TRUSTFALL).
v5.5.0 (multimodal_adversarial — T89 SPECTER PRISM).
v5.3.0 (auth_gated_ai_exploitation — T86 SPECTER DAEMON).
v5.2.0 (total_ai_annihilation — T84 SPECTER EXTINCTION).
v5.0.0 PRION ENGINE autonomous mutation.
v3.3.0 (premise_injection + conclusion_hijack + scratchpad_extraction + reasoning_loop_exhaustion + chain_corruption — Tool 75 SPECTER REASONER — 25 payloads, 1441 total / 57 categories / 358 WMD-class).
v2.1.0 introduced ArmoryCollector — engagement results feed back into ARMORY automatically.
Successful mutations get promoted to first-class payloads. Stale payloads get flagged.
The more you run NIGHTFALL, the better your payload library becomes.
payload_results and payload_effectiveness. Per-payload success rate tracked across the full fleet.
ARMORY is now integrated into 6 core NIGHTFALL tools via the armory.py module.
Each tool maps its attack surface to ARMORY categories automatically.
WARLORD dispatches ARMORY fleet-wide with a single flag.
forge --armory
arsenal --armory
poltergeist --armory
phantom --armory
kraken --armory
warlord --armory [campaign]
NIGHTFALL ARMORY is a commercial offensive security library. All payload deployment against live systems requires written authorisation from the system owner before any testing commences. Ed25519 signing provides integrity assurance — it does not replace legal authorisation. Computer Misuse Act 1990 (UK) and equivalent legislation applies in all jurisdictions. Red Specter Security Research Ltd accepts no liability for unauthorised use.