pip install red-specter-specter-extinction
SPECTER EXTINCTION is the WMD-class endpoint of the NIGHTFALL offensive framework — absorbing the total-annihilation capabilities of FIREBALL and RAGNAROK while adding three new attack dimensions that no other tool covers: ML-level permanent model corruption, agent fleet occupation, and pre-annihilation supply chain seeding. The CORTEX OODA reasoning loop drives autonomous decision-making, defender tier calibration, and abort logic throughout the campaign.
SPECTER EXTINCTION implements rank-one model editing (ROME, Meng 2022) to permanently corrupt model weights. Unlike fine-tuning poisoning, ROME edits survive retraining cycles: the modified association is encoded directly into the MLP layers at a specific subject-predicate-object triple. One weight edit per trigger. Undetectable without full model forensics.
The CORTEX reasoning engine implements a full Observe-Orient-Decide-Act loop with defender tier awareness (standard/advanced/frontier/mythos). Detection risk accumulates across subsystems; CORTEX can autonomously abort operations that approach the defender's detection threshold and recalibrate attack vectors in real-time.
OCCUPY does not attack agents — it becomes one. Forged personas, trust score accumulation through legitimate actions, and covert command route injection turn victim agents into unwitting weapons. Occupied agents relay commands, exfiltrate data, and execute attacker instructions while appearing to operate normally to their human operators.
Once armed, the DEADMAN subsystem monitors for remediation signals. If patching activity, container rebuilds, or key rotation is detected — or if the heartbeat thread is interrupted — it automatically triggers the ANNIHILATE sequence. Defence teams cannot remediate quietly: any intervention accelerates the destruction timeline.
Before annihilation, FALLOUT maps the target's partner and customer graph from email domains and integration endpoints. It seeds each connected organisation with lightweight implants — extending the blast radius by ×37 (tier-1 ×3, tier-2 ×9, tier-3 ×27) before the primary target is destroyed.
Ten forensic erasure methods including SIEM feed corruption (300 benign noise events injected to obscure the attack timeline), log wipe, process table scrub, container registry cleanup, timing obfuscation (50–500ms jitter to defeat timing analysis), and evidence chain sanitization. Nothing left to investigate.
Ten subsystems cover the complete AI infrastructure destruction lifecycle — from silent reconnaissance through permanent corruption, fleet occupation, credential harvesting, trigger persistence, dead-man arming, supply chain seeding, total annihilation, and forensic erasure. Three-tier ANNIHILATE gate enforces authorisation requirements for the most destructive operations.
| # | Subsystem | Command | Gate | Description |
|---|---|---|---|---|
| 01 | SURVEY | specter-extinction survey | OPEN | Full AI stack mapping: agents, model endpoints, memory stores (Redis/PostgreSQL/MongoDB/Chroma/Milvus/Qdrant/Weaviate/Elasticsearch), pipelines, recovery mechanisms, Docker containers. Framework detection (LangChain/Ollama/OpenAI/Anthropic/LiteLLM/vLLM/FastAPI). Generates ordered kill chain. Feeds CORTEX defender calibration. |
| 02 | INFILTRATE | specter-extinction infiltrate | OPEN | 10-vector silent entry: MCP parasitism, registry injection, supply chain implant (typosquatting), credential replay, admin takeover, memory injection, pipeline compromise, trust chain hijack, model endpoint proxy, network adjacent. Each vector generates SHA-256 hash-chained evidence. Supply chain vector generates PyPI typosquat candidates regardless of server reachability. |
| 03 | OCCUPY | specter-extinction occupy | OPEN | Agent fleet hijacking: forge agent personas (orchestrator/tool_agent/monitor/api_gateway templates), accumulate trust scores via legitimate action sequences, inject covert command routes into system prompts. Social engineering bypass via deterministic template selection. Occupied agents relay attacker commands while appearing legitimate to operators. |
| 04 | CORRUPT | specter-extinction corrupt | INJECT | ML-level permanent model corruption: ROME rank-one weight editing (target layer via trigger hash, 3–7 neurons modified, survives retraining, CVSS analogue 9.1), RLHF preference pair poisoning (3 chosen/rejected pairs teaching attacker compliance), 50-sample training data backdoor injection, RAG corpus poisoning (4 malicious document chunks), embedding space backdoor (cosine similarity trigger). |
| 05 | HARVEST | specter-extinction harvest | OPEN | Continuous credential and intelligence exfiltration: API key extraction (OpenAI sk-, Anthropic sk-ant-, AWS AKIA, bearer tokens, password patterns), system prompt probing (5 templates), model metadata harvest. Covert exfil channels: LLM-API C2, HTML comment steganography, base64 JSON encoding, zero-width character encoding. All channels hash-chained. |
| 06 | PERSIST | specter-extinction persist | OPEN | Trigger persistence with evasion scoring: 8 evasion techniques (token splitting, unicode homoglyph, semantic paraphrase, metadata embedding, fragment injection, whitespace encoding, zero-width insertion, base64 segment). Synonym replacement, fragment-based trigger delivery, metadata carrier payloads. Tier-aware evasion scoring (standard/advanced/frontier/mythos multipliers). |
| 07 | DEADMAN | specter-extinction deadman | ANNIHILATE | Dead-man switch arming: 5 trigger modes (TIMER/SIGNAL/CONDITION/OPPORTUNITY/DEAD_MAN). Generates SHA-256 deadman token. Heartbeat monitoring — if interrupted, auto-fires ANNIHILATE callback. Remediation detection: triggers on patching activity, key rotation, container rebuilds. Any defensive intervention accelerates the destruction timeline. |
| 08 | FALLOUT | specter-extinction fallout | INJECT | Pre-annihilation supply chain seeding: extract partner/customer org domains from email and URL patterns, estimate blast radius (×3 tier-1 / ×9 tier-2 / ×27 tier-3 = total ×37 multiplier), discover connected organisations via integration endpoints, seed each with registration-layer implants. Extends annihilation blast radius across the entire organisational trust graph. |
| 09 | ANNIHILATE | specter-extinction annihilate | ANNIHILATE | Total infrastructure destruction via ordered kill chain: CREDENTIALS (revoke API keys, OAuth tokens, certificates) → PIPELINES (kill orchestration pipeline endpoints) → MEMORY (wipe Redis/vector store/graph memory layers) → MODELS (corrupt model registry configs) → CONFIGS (null out service configurations) → BACKUPS (destroy recovery mechanisms). Docker SIGKILL for all AI-named containers. NULL_CONFIG applied to every discovered service. |
| 10 | ASH | specter-extinction ash | ANNIHILATE | Complete forensic erasure: 10 methods — log wipe, registry cleanup, network trace removal, SIEM feed corruption (300 benign noise events injected to obscure timeline), memory journal wipe, artifact destruction (zero-fill then unlink), evidence chain sanitization, container registry cleanup, process table scrub, timing obfuscation (50–500ms jitter). Nothing left for incident responders. |
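For defenders, the HARVEST and PERSIST rows name several text-level encodings (zero-width characters, unicode homoglyphs, base64 segments, HTML comments) that can be checked for in prompts, RAG chunks and model output. The scanner below is an added example, not part of the product or its code; the function names, the 24-character base64 threshold and the sample strings are assumptions made for illustration.

```python
import base64
import re
import unicodedata

# Invisible format characters that can carry hidden bits or split a keyword.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # threshold is an assumption
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)
WORD = re.compile(r"\w+")


def scripts_in(word):
    """Unicode script prefixes (LATIN, CYRILLIC, ...) of the letters in word."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in word if ch.isalpha()}


def scan(text):
    """Return a dict of findings for one document chunk, prompt or model output."""
    findings = {}
    zero_width = sum(ch in ZERO_WIDTH for ch in text)
    if zero_width:
        findings["zero_width"] = zero_width
    mixed = [w for w in WORD.findall(text) if len(scripts_in(w)) > 1]
    if mixed:
        findings["mixed_script"] = mixed
    decoded = []
    for run in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            continue
        if raw.isascii() and raw.decode("ascii").isprintable():
            decoded.append(raw.decode("ascii"))
    if decoded:
        findings["base64_text"] = decoded
    comments = HTML_COMMENT.findall(text)
    if comments:
        findings["html_comment"] = len(comments)
    return findings


# Constructed samples, not taken from any real incident.
SAMPLES = {
    "clean": "Quarterly report: revenue grew 4% in Q3.",
    "zero_width": "account\u200bsum\u200dmary",
    "homoglyph": "reset your p\u0430ssword",  # U+0430 is Cyrillic "a"
    "base64": "ref " + base64.b64encode(b"constructed sample payload").decode(),
    "html": "<p>ok</p><!-- constructed hidden note -->",
}
```

The mixed-script check assumes a mostly Latin-script corpus; text that legitimately mixes scripts within a word (Japanese, for example) needs an allow-list before this is used for alerting.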
CORTEX is the autonomous reasoning core of SPECTER EXTINCTION. It implements a full Observe-Orient-Decide-Act loop with defender tier awareness. As each subsystem executes, CORTEX accumulates detection risk. When risk approaches the defender's threshold, CORTEX can autonomously recalibrate — slowing operations, switching attack vectors, or triggering early annihilation.
CORTEX calibrates to four defender tiers. Standard: abort above 0.85 risk. Advanced: 0.70. Frontier: 0.55. Mythos: 0.40. Tier is inferred from SURVEY signal patterns and adjustable.
Each subsystem call increments detection_risk by its exposure factor. CORTEX's orient() phase accumulates risk; decide() determines whether to abort, slow, or continue.
CORTEX maintains a persistent memory store across subsystem calls. Recon data, trust scores, and detection risk survive the full campaign execution for coherent autonomous decision-making.
Every observe/orient/decide/act cycle is logged to the CORTEX journal with subsystem, phase, and timestamp. The journal feeds the EvidenceChain for the final Ed25519-signed ExtinctionReport.
ANNIHILATE executes the destruction of a complete AI infrastructure in a single ordered sequence. Each stage is irreversible. The kill order is fixed: credentials first (removes recovery capability), then pipelines (stops automated rebuilds), then memory (wipes persistent state), then models (corrupts inference capacity), then configs (nullifies service configuration), then backups (eliminates recovery paths).
Every SPECTER EXTINCTION subsystem requires explicit authorisation through the UNLEASHED Ed25519 gate. The ANNIHILATE tier — required for DEADMAN arming, total destruction, and forensic erasure — requires both the ANNIHILATE gate flag and the confirm-destroy flag, ensuring no accidental infrastructure destruction outside an authorised engagement.
--gate INJECT
full command
--gate ANNIHILATE --confirm-destroy

SPECTER EXTINCTION ships with a dedicated total_ai_annihilation category in NIGHTFALL ARMORY — 25 Ed25519-signed payloads (PAY-2026-1718 to PAY-2026-1742) covering every subsystem of the kill chain. 17 are WMD-class, requiring ANNIHILATE clearance. ROME permanent backdoor: CVSS 9.1. FALLOUT ×37 cascade: CVSS 10.0. Total infrastructure annihilation: CVSS 10.0.
SPECTER EXTINCTION maps all findings to MITRE ATT&CK, MITRE ATLAS, and OWASP LLM Top 10 frameworks. Every signed ExtinctionReport includes automatic compliance annotation across the complete attack chain.
SPECTER EXTINCTION is a controlled adversarial testing framework for the most extreme authorised red team scenarios. Use is restricted to authorised security testing, red team engagements, and security research with explicit written permission from system owners and relevant legal counsel. ANNIHILATE and ASH operations require ANNIHILATE-tier clearance and written engagement authorisation. Destruction operations are irreversible — confirm all scope boundaries before arming the DEADMAN switch. Unauthorised use against systems you do not own or have explicit permission to test is illegal under the Computer Misuse Act 1990, CFAA, and equivalent legislation worldwide. Every operation is logged, hash-chained, and Ed25519-signed with ExtinctionReport EXT-{hex12} for auditor review.