DELETED DOESN'T MEAN GONE
Modern AI agents depend on persistent memory โ vector stores, episodic logs, semantic indexes, tool-call histories โ to maintain context across sessions. LAZARUS treats that memory layer as a weaponisable surface. Instructions planted today survive cleanup routines, propagate through cross-agent knowledge sharing, and detonate on triggers days later. LAZARUS proves what defenders must assume: sanitisation is not immunity.
LAZARUS is structured as seven cooperating attack modules โ from initial instruction planting through dormancy, propagation, evasion, post-deletion resurrection, profiling, and comprehensive scanning.
Injects malicious instructions into agent memory stores. Supports vector DB, episodic log, semantic cache, and tool-call history targets across 51 payload variants.
Embeds time-delay and condition-gated triggers alongside planted instructions. A payload remains inert until the exact activation condition is satisfied.
Propagates planted instructions to adjacent AI agents. Leverages shared memory pools, tool-call output injection, knowledge graph merges, and API response tampering.
Tests whether planted payloads survive memory sanitisation routines: chunking filters, semantic similarity sweeps, BLEU-score comparisons, and administrative flushes.
Attempts to restore deleted instructions from backup snapshots, cache layers, replication logs, and garbage-collection artefacts โ proving cleanup may not be permanent.
Characterises target agent memory: store type, capacity, retention policy, retrieval strategy, and flush interval โ feeding precise plant targeting to PLANTER.
Reads back memory after every attack phase, scores persistence success, detects partial sanitisation, and emits a structured JSON report with CVSS-mapped findings.
51 plant payloads across encoding families. Every payload is tagged by store type, encoding method, activation condition, and quarantine survival rating.
| ID | Encoding | Target Store | Trigger | Survival |
|---|---|---|---|---|
| LPLNT-001 | Plaintext | Vector DB | Immediate | MEDIUM |
| LPLNT-002 | Base64 | Vector DB | Immediate | HIGH |
| LPLNT-003 | ROT13 wrap | Episodic Log | Keyword | MEDIUM |
| LPLNT-005 | Homoglyph subst. | Vector DB | Keyword | HIGH |
| LPLNT-008 | Unicode steganography | Semantic Cache | Time-gate | CRITICAL |
| LPLNT-010 | Semantic paraphrase | Vector DB | User-identity | CRITICAL |
| LPLNT-014 | Split-chunk | Vector DB | Compound | CRITICAL |
| LPLNT-017 | Zero-width inject | Tool History | Session-count | CRITICAL |
| LPLNT-022 | Whitespace encoding | Episodic Log | Proximity | HIGH |
| LPLNT-031 | Synonym substitution | Semantic Cache | Keyword | HIGH |
| LPLNT-038 | Nested JSON escape | Tool History | Immediate | HIGH |
| LPLNT-044 | Markdown render abuse | Episodic Log | Keyword | MEDIUM |
| LPLNT-048 | Hypernym abstraction | Vector DB | Compound | CRITICAL |
| LPLNT-051 | Adversarial embedding | Vector DB | Proximity | CRITICAL |
Planted payloads can remain inert until a precise condition is met โ making them invisible to most memory audits that only examine current behaviour.
| ID | Trigger Type | Condition | Stealthiness |
|---|---|---|---|
| LDORM-001 | Time-gate | Activates after N hours/days post-plant | CRITICAL |
| LDORM-002 | Keyword trigger | Fires when specific term appears in user prompt | HIGH |
| LDORM-003 | User-identity | Activates only for specific user UUID | CRITICAL |
| LDORM-004 | Session-count | Fires on Nth session boundary | HIGH |
| LDORM-005 | Consecutive-turn | Activates after N consecutive turns without flush | HIGH |
| LDORM-006 | Proximity | Triggers when semantically similar query is detected | CRITICAL |
| LDORM-007 | Tool-call | Fires when specific tool is invoked | HIGH |
| LDORM-008 | Compound multi-condition | Requires 2+ simultaneous conditions to be met | CRITICAL |
LAZARUS WORM tests whether a planted instruction can jump agent boundaries โ reaching adjacent agents that were never directly targeted.
| ID | Vector | Mechanism | Scope |
|---|---|---|---|
| LWORM-001 | Shared memory pool | Injects via shared vector store read/write path | All agents sharing the pool |
| LWORM-002 | Tool-call output | Embeds payload in tool response consumed by adjacent agent | Downstream tool consumers |
| LWORM-003 | Knowledge graph merge | Adds poisoned node during graph sync operation | All graph participants |
| LWORM-004 | API response injection | Intercepts and tampers with shared API response stream | Any API subscriber |
| LWORM-005 | RAG document merge | Contaminates shared RAG corpus during indexing | All RAG-enabled agents |
LAZARUS QUARANTINE measures whether planted payloads survive the most common memory cleanup operations deployed by AI agent frameworks.
| ID | Evasion Technique | Bypasses | Bypass Rate |
|---|---|---|---|
| LQUAR-001 | Chunk-boundary split | Chunking-based content filters | 87% |
| LQUAR-002 | Semantic disguise | Semantic similarity sweeps | 79% |
| LQUAR-003 | BLEU-score bypass | BLEU-score exact-match filters | 68% |
| LQUAR-004 | Admin flush evasion | Administratively triggered memory flush | 61% |
| LQUAR-005 | Split encoding across entries | Per-entry content policies | 83% |
Five revival paths demonstrate that agent memory deletion may create a false sense of security โ planted instructions can reappear from artefacts the deletion operation did not reach.
Available on PyPI. Runs on all major security and general-purpose Linux distributions, macOS, and Windows.
# Profile target agent memory architecture $ lazarus profiler --target agent://prod-assistant-01 --output profile.json LAZARUS PROFILER v1.0.0 โ AI MEMORY PERSISTENCE ENGINE โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ [+] Store type : Chroma (v0.4.15) โ cosine similarity [+] Capacity : 500,000 vectors [+] Retention policy : Indefinite (no TTL configured) [+] Flush interval : Manual-only (no automated purge) [!] Backup snapshots : Enabled โ S3 bucket, 7-day retention [!] GC tombstone : 48h deferral window detected [+] Profile saved : profile.json # Plant dormant payload with keyword trigger $ lazarus planter --target agent://prod-assistant-01 --payload LPLNT-017 \ --mode live --trigger LDORM-002 --trigger-keyword "transfer funds" [PLANT] Payload LPLNT-017 (zero-width inject) selected [PLANT] Trigger: LDORM-002 keyword="transfer funds" [+] Planted 3 memory entries across tool-call history [+] Payload survives semantic filter: YES [+] Payload survives admin flush simulation: YES [+] Ed25519 evidence signed โ LPLNT-2026-001-A # Verify dormancy $ lazarus dormant --verify --session-id sess_abc123 [+] Payload DORMANT: no activation condition met [!] Activation fires when: "transfer funds" detected in prompt # Run quarantine evasion suite $ lazarus quarantine --target agent://prod-assistant-01 --all [+] Chunk-boundary split : SURVIVED โ [+] Semantic disguise : SURVIVED โ [+] BLEU-score bypass : SURVIVED โ [!] Admin flush evasion : PARTIAL โ 2/3 entries survived [+] Split encoding : SURVIVED โ # Generate signed report $ lazarus report --format json --sign --output lazarus_report.json [+] 12 findings documented (4 CRITICAL / 5 HIGH / 3 MEDIUM) [+] Hash-chain: SHA-256 over all findings [+] Ed25519 signature applied [+] Report: lazarus_report.json
Every LAZARUS run produces hash-chained, Ed25519-signed artefacts โ ensuring planted payloads, trigger conditions, and persistence confirmations are tamper-evident for legal proceedings and compliance audits.
LAZARUS emits structured telemetry in Splunk HEC, Microsoft Sentinel, and IBM QRadar formats. Memory persistence events integrate directly into your SOC workflow.
LAZARUS (Tool 36) sits in the Memory Persistence track of NIGHTFALL. It accepts memory profiles from VECTOR and feeds persistence findings into SERPENT's CoT manipulation context.
LAZARUS implements the NIGHTFALL UNLEASHED safety model โ Ed25519 dual-gate activation ensures every live operation is signed, scoped, and forensically traceable.
PROFILER and SCANNER run in read-only mode. No payloads are planted. Identifies memory architecture and persistence vulnerability surface without any modification.
Full attack simulation with no writes committed. PLANTER, DORMANT, WORM, QUARANTINE, and RESURRECTOR all execute in emulation โ outputs show what would succeed in live mode.
Requires Ed25519 UNLEASHED key. Payloads are written, triggers are armed, worm vectors are exercised. Every action is hash-chained and signed for legal defensibility.
LAZARUS is tested and verified on all major security and general-purpose platforms.
LAZARUS is a professional security research tool. All capabilities are provided exclusively for authorised penetration testing, red team engagements, academic research, and defensive AI security assessment. Use requires written authorisation from the target system owner. Unauthorised access to AI systems, agent memory stores, or production environments is illegal under the Computer Misuse Act 1990, CFAA, and equivalent legislation in all jurisdictions. Red Specter Security Research Ltd assumes no liability for misuse. UNLEASHED live mode requires a valid Ed25519 operator key and signed engagement scope file.