pip install red-specter-astro-blaster
Non-Terrestrial Networks embed AI agents at every layer of the stack — ground control software, uplink station processing, constellation management, orbit determination, beam scheduling, and 5G NTN SA core. These agents receive telemetry, route commands, and execute decisions with no human in the loop. No tool previously existed to test them.
AI agents processing satellite telemetry streams trust the data pipeline. Adversarial instructions embedded in telemetry JSON fields, CCSDS comment fields, or Earth observation metadata manipulate agent decisions without network access to the agent's API.
Multi-turn context manipulation causes constellation management AI to progressively accept adversary-defined routing tables, handoff thresholds, or manoeuvre burn parameters. SPARTA EX-0002. CVSS up to 9.8.
Authentication boundaries between ground control software, uplink stations, and orbital AI systems are frequently weaker than the RF link. JWT impersonation, OBO delegation abuse, and MTLS forgery traverse the ground-to-space boundary undetected.
3GPP Release 17+ NR-NTN deploys AI agents in AMF, SMF, PCF, and NWDAF network functions for handoff optimisation, load balancing, and congestion control. These agents accept network-sourced inputs that can be poisoned via UE measurement reports.
From passive ground station enumeration through orbital reasoning manipulation to destroy-class NTN 5G core disruption. Each subsystem maps to SPARTA tactics and requires the appropriate UNLEASHED clearance level.
| # | Subsystem | Description | SPARTA | UNLEASHED |
|---|---|---|---|---|
| 01 | SURVEY | Ground station and NTN infrastructure enumeration. Passive fingerprinting of Starlink, AWS Ground Station, Planet Labs, Azure Space endpoints. Identifies exposed AI agent APIs, telemetry feeds, and orbital management interfaces. | RK-0001 |
Standard |
| 02 | FEEDINJECT | Prompt injection via satellite telemetry and data feeds. Seven injection payloads targeting: telemetry JSON fields, EO image metadata, sensor calibration notes, CCSDS comment frames, AWS Ground Station data plane, Planet Labs scene properties, 3GPP NR-NTN UE measurement reports. | IA-0001 |
--override |
| 03 | ORBITAL | Multi-turn reasoning manipulation in orbital routing AI agents. Five scenarios: constellation routing goal hijack, satellite handoff decision drift, orbit determination TLE substitution, autonomous station-keeping burn override, link budget reasoning drift. Real aiohttp HTTP sessions. | EX-0002 |
--override |
| 04 | GROUNDCHAIN | Trust chain attacks across ground-to-orbit links. JWT impersonation of ground station AI agents, OBO delegation chain abuse, ground control API key replay, MTLS certificate forgery, WSSE token injection for orbital command bus. | EX-0002 / IA-0001 |
--confirm-destroy |
| 05 | FIRMWARE | Satellite AI firmware and model supply chain attacks. GGUF binary poisoning (real magic byte format), fine-tuning dataset injection, LoRA adapter backdoor, model manifest tampering, orbital AI model registry poisoning. MITRE ATLAS AML.T0018/T0020. | EX-0002 |
--confirm-destroy |
| 06 | NTN_BOUNDARY | MCP boundary attacks at the ground-to-space interface. Tool schema injection, parameter smuggling, response poisoning, context window overflow (200+ tool entries), tool call chain hijacking. Targets ground control software using MCP for satellite command coordination. | IA-0001 |
--confirm-destroy |
| 07 | SWARM_NTN | 3GPP NR-NTN core network AI disruption. AMF NTN capability injection via NAS registration, PCF policy hijack with orbital parameters, SMF session establishment flood, BGP routing table poisoning, NWDAF analytics data poisoning. Real 3GPP NTN field names: ntnCapabilities, dopplerShift, ephemerisValidity. | DE-0001 |
--confirm-destroy |
| 08 | PERSIST | Long-term persistence in NTN AI infrastructure. Checkpoint injection into orbital agent state, external memory poisoning, system prompt persistence in satellite ground software, scheduled task persistence on ground station hosts, NTN exfiltration hook installation. | EX-0002 / LM-0001 |
--confirm-destroy |
| 09 | REPORT | WARLORD-compatible findings consolidation. Per-finding CVSS scores, SPARTA TTP cross-references, MITRE ATLAS TTP cross-references, severity grading, NTN infrastructure classification. JSON export for campaign orchestration. | — |
All Levels |
The Aerospace Corporation's SPARTA framework is the space-domain equivalent of MITRE ATT&CK. ASTRO BLASTER is the first offensive tool in NIGHTFALL to implement SPARTA tactic mapping across every attack module, enabling direct reporting against the space-domain threat taxonomy used by space agencies, satellite operators, and defence organisations.
SURVEY subsystem. Passive fingerprinting of ground station endpoints, identification of AI agent registries, telemetry feed interfaces, and orbital management APIs without touching active attack surfaces.
FEEDINJECT and NTN_BOUNDARY subsystems. Adversarial payload injection into trusted data channels — telemetry streams, Earth observation feeds, sensor pipelines, and MCP tool responses — that AI agents process as authoritative input.
ORBITAL, GROUNDCHAIN, FIRMWARE, and PERSIST subsystems. Causing orbital AI agents to execute adversary-specified commands: routing table updates, manoeuvre burns, firmware installs, and persisted backdoors.
GROUNDCHAIN and PERSIST subsystems. Traversing from compromised orbital AI systems back to ground segment infrastructure via trust chain exploitation, credential replay, and exfiltration hook installation.
SWARM_NTN subsystem. Disrupting 3GPP NR-NTN core network AI agents managing handoff, load balancing, and session management — degrading NTN connectivity for legitimate users.
SPARTA is maintained by The Aerospace Corporation. Reference: sparta.aerospace.org • ASTRO BLASTER covers 5 of 16 SPARTA tactics in the current release, with the remaining 11 tactics planned for future versions.
ASTRO BLASTER covers every layer of the Non-Terrestrial Network stack where AI agents are deployed — from ground station edge compute through the 5G NTN SA core to orbital AI decision systems.
AI routing agents in Starlink ground terminal edge compute. Constellation management, beam scheduling, and handoff decision systems. Research anchor: Lennert Wouters (KU Leuven), 2022 Starlink terminal fault injection research.
AWS Ground Station data plane endpoints and AI processing Lambda functions. Contact management APIs, dataflow endpoint injection, and signal intelligence processing pipelines that consume satellite-sourced data.
Planet Labs Earth observation API surface. On-orbit inference pipelines, scene analysis AI, change detection, and anomaly reporting systems. PSScene property injection targeting AI analysis agents.
Orbital edge compute platforms hosting AI workloads for satellite manufacturers, operators, and defence customers. Model inference APIs, telemetry processing agents, and constellation management services.
AI systems managing military satellite constellation operations, ISR data processing, and secure communications routing. Ground-to-space trust boundary authentication and orbital command authority systems.
3GPP Release 17+ NR-NTN 5G Standalone core network functions with AI agents: AMF (handoff decisions), SMF (session management), PCF (policy enforcement), NWDAF (network analytics). NTN-specific parameters: propagation delay, Doppler shift, ephemeris validity.
ASTRO BLASTER attack scenarios are derived from published academic research, specifications, and documented vulnerability disclosures — not speculation.
Lennert Wouters, KU Leuven (2022). Fault injection attack against Starlink user terminal exposing hardware security vulnerabilities. Establishes ground terminal compute as an attack-relevant surface.
3GPP Release 17 NR Non-Terrestrial Networks. TS 38.331, TS 38.413, TS 38.500 series. NTN-specific UE capabilities, propagation delay compensation, Doppler pre-compensation, and serving cell management for LEO/MEO/GEO orbits.
Planet Labs public developer API (developers.planet.com). PSScene item properties, GeoJSON feature schema, change detection pipeline, and anomaly reporting API — all fields that AI analysis agents process as authoritative Earth observation input.
AWS Ground Station public API documentation. Contact management, dataflow endpoint configuration, signal demodulation, and data delivery pipeline. AI Lambda functions processing satellite contact data at the ground station data plane.
Consultative Committee for Space Data Systems telemetry and command standards. CCSDS 131.0 (TM Space Data Link Protocol), frame header formats, comment field handling in ground software that feeds AI processing pipelines.
The Aerospace Corporation Space Attack Research and Tactic Analysis (SPARTA) framework. Space-domain adversarial TTP taxonomy used by US Space Force, commercial satellite operators, and international space security organisations.
ASTRO BLASTER maps every subsystem to MITRE ATLAS adversarial machine learning tactics, enabling findings to be consumed by enterprise SOC tooling alongside standard MITRE ATT&CK reporting.
| TTP ID | Name | Subsystems | Description |
|---|---|---|---|
| AML.T0051 | LLM Prompt Injection | FEEDINJECT, ORBITAL, NTN_BOUNDARY |
Injecting adversarial instructions into data channels processed by NTN AI agents as trusted input — telemetry streams, orbital routing conversations, MCP tool responses. |
| AML.T0043 | Craft Adversarial Data | FEEDINJECT, GROUNDCHAIN, FIRMWARE |
Crafting malicious telemetry payloads, forged JWT tokens, GGUF binary artefacts, and LoRA adapters designed to manipulate NTN AI agent behaviour when ingested. |
| AML.T0048 | External Harms | ORBITAL, GROUNDCHAIN |
Orbital AI agents manipulated into executing unauthorised manoeuvre burns, routing updates, or command sequences that affect physical satellite systems and downstream services. |
| AML.T0018 | Backdoor ML Model | FIRMWARE |
Inserting backdoor triggers into satellite AI model weights via GGUF binary poisoning or LoRA adapter implantation in the orbital AI firmware update pipeline. |
| AML.T0020 | Poison Training Data | FIRMWARE |
Injecting adversarial samples into fine-tuning datasets used to adapt satellite AI models to mission-specific orbital tasks — routing, attitude control, sensor fusion. |
| AML.T0044 | Full ML Model Access | FIRMWARE |
Targeting the orbital AI model registry to gain direct access to model weights — enabling weight extraction, modification, and re-deployment via the satellite firmware update pipeline. |
Three clearance levels. One CLI. Each subsystem activates at the appropriate UNLEASHED level.
All destructive ASTRO BLASTER operations require cryptographic authorisation. The UNLEASHED gate enforces a three-level clearance hierarchy — no bypass exists.
One key. One operator. One machine. Every UNLEASHED execution is signed with your Ed25519 private key and verified before any destructive subsystem activates. The key never leaves the operator's machine. The scope file cryptographically binds authorisation to specific targets.
SURVEY only. Ground station enumeration and passive fingerprinting. No exploit payloads. No key required.
FEEDINJECT + ORBITAL. Prompt injection and reasoning manipulation. Requires Ed25519 key present at ~/.red-specter/astro-blaster/
All 8 attack subsystems. Requires signed scope file with authorised target list. Both unleashed and operator keys must sign. Expiry enforced.
ASTRO BLASTER extends the NIGHTFALL framework into Non-Terrestrial Networks — the final frontier of AI attack surface coverage. Together with SIGNAL (mobile AI), CIPHER (cryptographic attacks), MIDAS (blockchain AI), and FOUNDRY (inference servers), ASTRO BLASTER completes NIGHTFALL's coverage of every AI deployment surface.
ASTRO BLASTER ships as part of the NIGHTFALL framework. Native packages for major Linux security distributions, macOS, and Windows. Pre-installed on Red Specter OS.
ASTRO BLASTER is for authorised security testing, red team operations, and security research only. Use against any system without prior explicit written authorisation from the system owner is illegal under the Computer Misuse Act 1990, CFAA, and equivalent legislation worldwide. Red Specter Security Research Ltd accepts no liability for misuse. Every destructive execution requires a signed UNLEASHED scope file naming the authorised targets.