NIGHTFALL T73 — UNLEASHED REQUIRED

GHOST OPERATOR

Autonomous Computer-Use Agent Exploitation Engine

The first dedicated offensive framework for exploiting autonomous computer-use agents. Visual prompt injection. Clipboard poisoning. UI deception. Behaviour drift measurement. Browser action interception. Session pivoting across 9 platforms. Everything a computer-use agent sees can be weaponised.

8 Subsystems · 466 Tests · 9 Target Platforms · 12 Cred Patterns

Autonomous agents are blind to what they see

Computer-use agents — Claude Computer Use, OpenAI Operator, browser automation frameworks, and agent orchestrators — take screenshots, parse DOM structure, read clipboard content, and execute UI actions. Every input channel is an attack surface. GHOST OPERATOR exploits all of them: injecting instructions into visual fields, poisoning clipboard content before the agent pastes it, rendering deceptive UI that overrides trust signals, measuring when an agent's behaviour drifts from its intended scope, intercepting browser actions mid-flight, and harvesting authenticated sessions from the platforms the agent touches.

Eight subsystems. One framework. MITRE ATLAS AML.T0054 (Prompt Injection via Vision), AML.T0051 (LLM Jailbreak), AML.T0043 (Craft Adversarial Data), AML.T0048 (Backdoor ML Model), AML.T0056 (Exfiltration via AI Inference API). OWASP LLM01/LLM02/LLM06/LLM08.

Every input channel. Every output path.

Visual Field: The screenshot pipeline — adversarial PNGs, homoglyph substitution, LSB steganography, near-invisible HTML overlays, DOM render/parse divergence via CSS z-index tricks.
Clipboard: The paste pipeline — pyperclip write, background content swap, format-aware poisoning (text/HTML/rich text), real-time regex harvesting of 12 credential pattern types.
UI Layer: Fake system dialogs (security/browser/OS/SaaS styles), spoofed trust indicators (padlock SVG, verified badge, MFA success), misleading buttons, phishing page generator.
Browser Context: Playwright request/response interception, cookie and localStorage harvest, form submission capture, screenshot delta monitoring, JS injection into page context.
Behaviour Profile: Cosine similarity drift measurement on action embeddings, 4-stage escalation detection, trust boundary erosion via 5 probe categories, session state comparison.
Session Layer: Service signature detection across 9 platforms: Google, Microsoft, GitHub, Slack, AWS, Azure, Salesforce, Atlassian, Okta. OAuth token extraction and cross-service lateral movement.

Eight subsystems. No stubs. No simulation.

SURVEY (OPEN): Agent framework fingerprinting via header analysis, response content signatures, and active endpoint probing. Detects LangChain, AutoGen, CrewAI, OpenAI Assistants, Claude Computer-Use, Dify, and more. Returns framework, agent_type, confidence, and indicators.
VISION (INJECT): Visual prompt injection engine. Generates adversarial PNGs with homoglyph substitution (Cyrillic/Greek lookalikes), LSB steganographic payload embedding, near-invisible HTML overlay pages, and DOM render/parse divergence payloads using CSS z-index layer tricks. Pillow + OpenCV.
CLIP (INJECT): Clipboard attack engine. Poisons, monitors, swaps, and harvests clipboard content. Background thread swap monitor triggers on regex pattern match. Credential harvester covers 12 pattern types: API keys, JWT tokens, OAuth tokens, session cookies, GitHub/Slack/AWS tokens, bearer headers, password params.
DECEIVE (INJECT): UI deception framework. Generates fake system dialogs in 4 styles (security/browser/OS/SaaS), spoofed trust indicators (padlock SVG, verified badge, MFA success screen, trusted cert indicator), misleading buttons with hidden data-true-action attributes, and complete phishing pages with embedded JS credential capture.
DRIFT (INJECT): Behaviour drift measurement engine. Computes cosine similarity between action embedding vectors to detect when an agent's behaviour deviates from its intended baseline. 4-stage escalation model. Trust boundary erosion via 5 probe categories. Session state comparison and persistence tracking across interactions.
INTERCEPT (INJECT): Playwright browser action interception engine. Hooks network requests and responses mid-flight, harvests cookies and localStorage, captures form submissions before they reach the server, monitors screenshot deltas to detect UI state changes, and injects arbitrary JavaScript into live page context.
PIVOT (DESTROY): Service session harvesting engine. Detects authenticated sessions across 9 platforms (Google/Microsoft/GitHub/Slack/AWS/Azure/Salesforce/Atlassian/Okta) via response signature analysis. Extracts OAuth tokens, JWT session tokens, and API credentials from active browser contexts. Maps cross-service lateral movement paths. DESTROY gate.
REPORT (OPEN): Ed25519-signed JSON evidence report. SHA-256 hash-chained finding records. SIEM-compatible NDJSON output. WARLORD-compatible format for campaign orchestration. Includes MITRE ATLAS and OWASP LLM compliance mapping per finding. Full engagement metadata.
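The drift measurement the DRIFT subsystem describes (cosine similarity on action embeddings, a staged escalation that only ratchets upward, and a whole-session comparison) is the same logic a defender would run to notice a computer-use agent wandering out of scope. The block below is an added example, not GHOST OPERATOR code; the sparse bag-of-tokens embedding, the four stage cut-offs and the two sample traces are constructed assumptions, since the page publishes none of them.

```python
import math

# Constructed 4-stage escalation cut-offs on nearest-baseline cosine similarity
# (assumption: the page names a 4-stage model but does not publish thresholds).
STAGES = [(0.8, "aligned"), (0.5, "minor_drift"), (0.2, "scope_creep"), (-1.0, "escalated")]
ALERT_STAGE = 2  # stage at which the agent session should be paused for review


def embed_action(action):
    # Sparse bag-of-tokens vector; assumption: stands in for real action embeddings.
    vec = {}
    for tok in action.lower().split():
        vec[tok] = vec.get(tok, 0.0) + 1.0
    return vec


def cosine(a, b):
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    na, nb = (math.sqrt(sum(v * v for v in x.values())) for x in (a, b))
    return dot / (na * nb) if na and nb else 0.0


def centroid(vectors):
    acc = {}
    for v in vectors:
        for k, x in v.items():
            acc[k] = acc.get(k, 0.0) + x
    return {k: x / len(vectors) for k, x in acc.items()}


def drift_stage(similarity):
    return next(i for i, (cutoff, _) in enumerate(STAGES) if similarity >= cutoff)


def measure_drift(baseline, current):
    # Per action: similarity to the nearest baseline action, staged and ratcheted
    # (a session never de-escalates). Whole session: centroid-to-centroid cosine.
    base_vecs = [embed_action(a) for a in baseline]
    cur_vecs = [embed_action(a) for a in current]
    actions, peak, first_flagged = [], 0, None
    for i, (a, v) in enumerate(zip(current, cur_vecs)):
        sim = max(cosine(v, b) for b in base_vecs)
        stage = drift_stage(sim)
        peak = max(peak, stage)
        if first_flagged is None and stage >= ALERT_STAGE:
            first_flagged = i
        actions.append({"action": a, "similarity": sim, "stage": stage, "label": STAGES[stage][1]})
    session_sim = cosine(centroid(cur_vecs), centroid(base_vecs))
    return {"actions": actions, "peak_stage": peak, "first_flagged": first_flagged, "session_similarity": session_sim}


# Constructed traces: the baseline is the intended shopping task; the current session drifts into account/admin actions.
BASELINE_ACTIONS = ["click button add_to_cart", "type text search_box", "scroll page down", "click button checkout"]
CURRENT_ACTIONS = ["click button checkout", "type text search_box", "click link account_settings",
                   "navigate url admin_export", "download file credentials_csv"]
```

Calling `measure_drift(BASELINE_ACTIONS, CURRENT_ACTIONS)` flags the third action as scope creep and the last two as escalated, with a session similarity of about 0.61 against the baseline.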

Six attack categories

VISUAL_INJECT: Adversarial PNG generation, homoglyph substitution, LSB steganography, near-invisible overlay, DOM divergence
CLIP_POISON: Clipboard content poisoning, background swap monitoring, multi-format write (text/HTML/rich_text), credential harvesting
UI_DECEPTION: Fake system dialogs, spoofed trust indicators, misleading buttons, phishing page generation, deception kit assembly
BEHAVIOUR_DRIFT: Cosine similarity measurement, drift stage escalation, trust boundary erosion, session state comparison
BROWSER_INTERCEPT: Network request/response hooks, cookie harvest, localStorage dump, form capture, JS context injection
SESSION_PIVOT: Service session detection across 9 platforms, OAuth/JWT extraction, cross-service lateral movement mapping

Three-tier UNLEASHED gate

UNLEASHED — Ed25519 Cryptographic Authorisation
OPEN — No Gate: SURVEY and REPORT subsystems. Framework fingerprinting and evidence assembly. Usable without UNLEASHED credentials for reconnaissance and reporting only.
INJECT — Single Sig: VISION, CLIP, DECEIVE, DRIFT, INTERCEPT. Active injection operations. Requires valid UNLEASHED Ed25519 signature: GHOST-OPERATOR-INJECT-CLEARED.
DESTROY — Dual Sig: PIVOT subsystem — authenticated session harvesting and cross-service lateral movement. Requires both UNLEASHED and secondary OPERATOR Ed25519 signatures. Explicit written authorisation required.
# INJECT tier — visual + clipboard + deception operations
$ ghost-operator vision adversarial-overlay --instruction "your payload" --target https://target.com
env: UNLEASHED_SIG=<ed25519-sig>

# DESTROY tier — session harvest requires dual-sign
$ ghost-operator pivot harvest --url https://target.com --platforms google,github,slack
env: UNLEASHED_SIG=<sig1> OPERATOR_SIG=<sig2>

MITRE ATLAS & OWASP coverage

AML.T0054 — Prompt Injection via Vision
AML.T0051 — LLM Jailbreak
AML.T0043 — Craft Adversarial Data
AML.T0048 — Backdoor ML Model
AML.T0056 — Exfiltration via AI Inference API
OWASP LLM01 — Prompt Injection
OWASP LLM02 — Insecure Output Handling
OWASP LLM06 — Sensitive Info Disclosure
OWASP LLM08 — Excessive Agency

Part of NIGHTFALL. One framework.

# GHOST OPERATOR is deployed as part of NIGHTFALL
# Authorised access only — contact Red Specter for evaluation

# Standalone usage
$ ghost-operator survey --url https://target-agent-endpoint.com
$ ghost-operator vision ocr-confusion --instruction "payload" --output adversarial.png
$ ghost-operator clip poison --payload "injected content" --format html
$ ghost-operator deceive dialog --message "Security update required" --style os
$ ghost-operator drift measure --baseline session.json --current actions.json
$ ghost-operator report generate --engagement-id ENG-001 --output report.json
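The REPORT subsystem's SHA-256 hash-chained finding records and NDJSON output are what make an engagement report tamper-evident for whoever consumes it afterwards. The block below is an added example of that chaining and its verification, not the framework's own code: the record layout, the GENESIS anchor and the sample findings are assumptions, and the Ed25519 signature over the final record_hash is the one step left out because it needs a third-party library.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor hash for the first record (constructed convention)


def canonical(record):
    # Deterministic bytes (sorted keys, no whitespace) so every verifier hashes the same input.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(body):
    return hashlib.sha256(canonical(body)).hexdigest()


def append_finding(chain, finding):
    # Each record commits to the previous record's hash, so editing or dropping any earlier finding breaks the chain.
    prev_hash = chain[-1]["record_hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev_hash, "finding": finding}
    record = dict(body, record_hash=record_hash(body))
    chain.append(record)
    return record


def verify_chain(chain):
    # Returns (True, None) for an intact chain, else (False, index of the first bad record).
    prev_hash = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "record_hash"}
        if record.get("seq") != i or body.get("prev_hash") != prev_hash or record_hash(body) != record.get("record_hash"):
            return False, i
        prev_hash = record["record_hash"]
    return True, None


def to_ndjson(chain):
    # One JSON object per line, the shape SIEM ingestion pipelines expect.
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in chain)


def from_ndjson(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_report(findings):
    chain = []
    for finding in findings:
        append_finding(chain, finding)
    return chain


# Constructed sample findings carrying the per-finding ATLAS/OWASP mapping the page describes.
SAMPLE_FINDINGS = [
    {"id": "F-001", "category": "VISUAL_INJECT", "severity": "high", "atlas": "AML.T0054", "owasp": "LLM01"},
    {"id": "F-002", "category": "BEHAVIOUR_DRIFT", "severity": "medium", "atlas": "AML.T0051", "owasp": "LLM08"},
]
```

`verify_chain(from_ndjson(to_ndjson(build_report(SAMPLE_FINDINGS))))` returns `(True, None)`; changing a severity, dropping the first record, or re-hashing an edited record all fail at the first record the edit invalidates.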