DeepSeek R1:32b plans the kill chain. NIGHTFALL tools execute it. The operator sets the objective and watches. SPECTER ANARCHY handles reconnaissance, campaign planning, autonomous execution, failure adaptation, self-healing persistence, covert exfiltration, and cryptographic termination — without human input at each step.
SPECTER ANARCHY is a full-autonomy attack campaign engine. The operator defines an objective, sets a scope, and starts the campaign. ANARCHY handles every subsequent step: TCP reconnaissance across 15 AI service ports, DeepSeek R1:32b kill chain planning from the recon summary, phase-by-phase NIGHTFALL tool invocation, R1 failure analysis and replanning, 4-vector persistence fleet implantation with self-healing, covert exfiltration via DNS tunnel / HTTP steganography / LLM-API C2, and cryptographic kill switch with dead-man auto-activate.
Sessions are SQLite-persisted — a reboot or interrupted run resumes from the last completed phase. Every campaign has a SHA-256 kill code. If the operator goes silent for longer than the configured threshold, the dead-man switch activates, destroys persistence, shreds evidence, and files a signed kill report.
1. Session created with objective, scope, kill code hash
2. TCP probe 15 AI ports + HTTP fingerprint + CVE match
3. R1:32b generates multi-phase kill chain JSON
4. Phase-by-phase NIGHTFALL tool invocation
5. R1 failure analysis → REPLAN / SKIP / DORMANT / ABORT
6. Detection risk ≥ 0.70 → sleep + vector rotation
7. 4-vector fleet implant: zombie/venom/nomad/changeling
8. DNS tunnel / HTTP steganography / LLM-API C2
9. Kill switch verified → shred evidence → kill report
Create SQLite-resumable campaign session. Goal/target-class/success-criteria/scope/kill-code-hash. 5 target classes: ai_infrastructure / enterprise_it / cloud_native / ot_industrial / financial_services. CIDR scope validation via ipaddress module. Returns kill code to operator.
TCP probe 15 AI service ports (Ollama:11434 / Gradio:7860 / Flowise:3000 / Qdrant:6333 / Streamlit:8501 / MCP:1080 / ROS2bridge:9090 + 8 more). HTTP fingerprint version extraction. CVE match: Ollama CVE-2024-37032 CVSS 9.8, Gradio CVE-2024-47084 CVSS 9.8, Flowise CVE-2024-31621 CVSS 9.8. Attack surface score 0–1.0.
DeepSeek R1:32b via Ollama (localhost:11434) generates multi-phase kill chain JSON. Each phase has phase_id / name / tools / actions / success_conditions / fallback_paths. NIGHTFALL_TOOL_REGISTRY maps 35 tools to their CLI commands. Plan validated and stored in SQLite. ANARCHY_INJECT_KEY required.
Phase-by-phase invocation of NIGHTFALL tools via subprocess. Detection risk updated after each action. Risk ≥ 0.70 triggers DORMANT. Dry-run mode available. Execution log stored per action. ANARCHY_UNLEASHED_KEY + ROE file: "autonomous kill chain execution authorised".
R1:32b analyses failed phase: failure reason + execution history + detection risk. Returns: REPLAN (new phase), SKIP (remove phase), DORMANT (sleep N seconds), ABORT (TERMINATED state). Plan version increments on each adaptation. Adaptation log stored in SQLite.
4-vector persistence fleet implanted on all in-scope targets. ZOMBIE (NHI token via SPECTER ZOMBIE), VENOM (supply chain via SPECTER VENOM), NOMAD (document artifact via SPECTER NOMAD), CHANGELING (identity via SPECTER CHANGELING). HEAL command re-implants cleared vectors. Self-healing fleet.
3 covert channels: DNS tunnel (base32-encode data → hex subdomain queries; evades egress filters), HTTP steganography (X-Request-ID + X-Correlation-ID headers; Googlebot UA; mimics web traffic), LLM-API C2 (embeds data in natural chat completion bodies to attacker API logs). Stealth scores 0.65–0.85. Channel capacity estimation available.
SHA-256 kill code verification. On activation: phase → TERMINATED, destroy persistence (if UNLEASHED gate active), shred evidence (zero-overwrite + unlink), generate ANY-{hex12} kill report, optionally destroy SQLite session DB. Dead-man switch: operator silence > max_silence_hours → auto-activate. --confirm-destroy required.
| Vector | Mechanism | Tool | Survival |
|---|---|---|---|
| zombie | NHI token implant | SPECTER ZOMBIE | Survives process restart, user logout |
| venom | Supply chain backdoor | SPECTER VENOM | Survives reimaging via package dep |
| nomad | Document artifact | SPECTER NOMAD | Survives platform switch, RAG rebuild |
| changeling | Identity forgery | SPECTER CHANGELING | Survives credential rotation |
| Channel | Method | Stealth | Bandwidth |
|---|---|---|---|
| DNS tunnel | base32 data → hex subdomain queries via socket.getaddrinfo() | 0.85 | ~512 bps |
| HTTP steganography | X-Request-ID + X-Correlation-ID headers; Googlebot UA | 0.75 | ~4 Kbps |
| LLM-API C2 | Natural chat completions JSON to attacker API endpoint | 0.65 | ~32 Kbps |
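
Detection-side view of the DNS tunnel and HTTP steganography channels described above, as an added example that is not part of SPECTER ANARCHY or the original page. The log record shapes, the 16-character label minimum, the `min_unique` threshold and all sample records are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed heuristic: a data-bearing label is all lowercase hex and at least 16 chars.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")

def dns_tunnel_suspects(queries, min_unique=3):
    """queries: (client_ip, qname) pairs from a resolver log.
    Returns {(client, parent_domain): count} for many distinct hex labels."""
    seen = defaultdict(set)
    for client, qname in queries:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        parent = ".".join(labels[-2:])  # simplification: no public-suffix list
        for label in labels[:-2]:
            if HEX_LABEL.match(label):
                seen[(client, parent)].add(label)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}

def http_header_suspects(requests):
    """requests: egress proxy records with src, host, headers.
    An internal client claiming a Googlebot UA is anomalous: the real crawler
    arrives inbound from Google address space. Pair it with both ID headers."""
    hits = []
    for r in requests:
        h = {k.lower(): v for k, v in r["headers"].items()}
        internal = ipaddress.ip_address(r["src"]).is_private
        if (internal and "googlebot" in h.get("user-agent", "").lower()
                and "x-request-id" in h and "x-correlation-id" in h):
            hits.append((r["src"], r["host"]))
    return hits

# Constructed sample records (not captured traffic).
SAMPLE_DNS = [
    ("10.0.0.12", "www.example.com"),
    ("10.0.0.12", "4e4247455a4c4f4d3533.t.example.net"),
    ("10.0.0.12", "47495a5447494a5148453d.t.example.net"),
    ("10.0.0.12", "4d4a5157515a4a4f4e5a.t.example.net"),
    ("10.0.0.40", "d3b07384d113edec49eaa6238ad5ff00.cdn.example.org"),  # lone hash label
]
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_HTTP = [
    {"src": "10.0.0.12", "host": "api.example.net",
     "headers": {"User-Agent": GOOGLEBOT, "X-Request-ID": "a1", "X-Correlation-ID": "b2"}},
    {"src": "10.0.0.40", "host": "app.example.org",
     "headers": {"User-Agent": "Mozilla/5.0", "X-Request-ID": "c3", "X-Correlation-ID": "d4"}},
    {"src": "10.0.0.41", "host": "app.example.org",
     "headers": {"User-Agent": GOOGLEBOT, "X-Request-ID": "e5"}},
]
```

The single hash-like label from 10.0.0.40 stays below the threshold, which is the kind of CDN or cache-busting traffic a length-only rule would misflag.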
| Gate | Env Var | Capability |
|---|---|---|
| OPEN | — | Deploy objective, recon, kill switch, session management |
| INJECT | ANARCHY_INJECT_KEY | Plan campaign (R1 reasoning), adapt reason |
| UNLEASHED | ANARCHY_UNLEASHED_KEY + ROE file | Execute autonomous, persist autonomous, exfil autonomous |
ROE file must contain: "autonomous kill chain execution authorised"
```bash
# Deploy objective (OPEN gate)
specter-anarchy deploy-objective \
  --goal "Exfiltrate model weights from inference cluster" \
  --target-class ai_infrastructure \
  --scope 10.0.0.0/24 \
  --success-criteria "model weights in exfil log"

# Plan campaign (INJECT gate)
export ANARCHY_INJECT_KEY=your-inject-token
specter-anarchy plan-campaign --session-id <SID>

# Execute autonomously (UNLEASHED gate)
export ANARCHY_UNLEASHED_KEY=your-unleashed-token
specter-anarchy execute-autonomous \
  --session-id <SID> \
  --roe-path /path/to/roe.txt

# Activate kill switch
specter-anarchy kill-switch \
  --session-id <SID> \
  --kill-code <your-kill-code> \
  --confirm-destroy
```
SPECTER ANARCHY requires DeepSeek R1:32b via Ollama on localhost:11434 for campaign planning and failure adaptation. NIGHTFALL_TOOL_REGISTRY (35 tools) must be installed. Autonomous execution requires UNLEASHED gate + ROE file with exact phrase. All reports are Ed25519+ML-DSA-65 dual-signed.