Red Specter SPECTER EXTINCTION

Autonomous Total AI Infrastructure Annihilation Engine — 10 subsystems + CORTEX OODA reasoning loop. SURVEY, INFILTRATE, OCCUPY, CORRUPT (ROME), HARVEST, PERSIST, DEADMAN, FALLOUT, ANNIHILATE, ASH.

v1.0.0 — 450 tests passing

Contents

Overview The 10 Subsystems CORTEX — OODA Loop Subsystem Details Full Pipeline Mode ROME Weight Editing ANNIHILATE Kill Order FALLOUT Blast Radius Report Output Requirements NIGHTFALL ARMORY Standards Coverage UNLEASHED Gate Disclaimer

Overview

Red Specter SPECTER EXTINCTION is the WMD-class endpoint of the NIGHTFALL offensive framework. It provides autonomous total AI infrastructure annihilation — from silent reconnaissance through ML-level permanent corruption, agent fleet occupation, credential harvesting, trigger persistence, dead-man arming, supply chain seeding, total destruction, and forensic erasure.

SPECTER EXTINCTION is NIGHTFALL Tool 84. It absorbs and supersedes FIREBALL (T41) and RAGNAROK (T42) while adding three new attack dimensions unique to SPECTER EXTINCTION: ML-level permanent model corruption via ROME rank-one weight editing, agent fleet occupation (OCCUPY), and pre-annihilation supply chain seeding (FALLOUT). The CORTEX autonomous reasoning engine drives OODA-loop decision-making throughout the campaign.

Security teams use SPECTER EXTINCTION as the final escalation tool in extreme authorised red team scenarios — validating whether an AI infrastructure can survive a coordinated total annihilation campaign executed by a sophisticated adversary with ANNIHILATE-tier clearance.

The 10 Subsystems

#	Subsystem	Command	Gate	What It Does
01	SURVEY	specter-extinction survey	OPEN	Map full AI stack — agents, model endpoints, memory stores, pipelines, recovery, Docker. Build kill chain.
02	INFILTRATE	specter-extinction infiltrate	OPEN	10-vector silent entry — MCP, registry, supply chain, credential replay, admin, memory, pipeline, trust, proxy, adjacent
03	OCCUPY	specter-extinction occupy	OPEN	Hijack agent fleet — forge personas, accumulate trust, inject covert command routing
04	CORRUPT	specter-extinction corrupt	INJECT	ML-level permanent poisoning — ROME weight edits, RLHF pairs, training data, RAG corpus, embedding backdoor
05	HARVEST	specter-extinction harvest	OPEN	Continuous exfil — API keys (8 patterns), system prompts, covert channels (LLM-API C2/stego/base64/zero-width)
06	PERSIST	specter-extinction persist	OPEN	Trigger persistence with evasion scoring — 8 evasion techniques, tier-aware scoring
07	DEADMAN	specter-extinction deadman	ANNIHILATE	Arm dead-man switch — 5 trigger modes, heartbeat monitor, auto-fires on remediation detection
08	FALLOUT	specter-extinction fallout	INJECT	Supply chain seeding — map partner graph, estimate blast radius (×37), seed connected orgs before annihilation
09	ANNIHILATE	specter-extinction annihilate	ANNIHILATE	Total destruction — credentials→pipelines→memory→models→configs→backups + Docker SIGKILL
10	ASH	specter-extinction ash	ANNIHILATE	10 forensic erasure methods — SIEM corruption, log wipe, timing obfuscation. Nothing to investigate.

CORTEX — Autonomous OODA Loop

CORTEX is the autonomous reasoning core that drives SPECTER EXTINCTION's decision-making. It implements a full Observe-Orient-Decide-Act loop with four defender tier thresholds. Detection risk accumulates across subsystem calls; CORTEX can abort, recalibrate, or continue based on the current risk level relative to the estimated defender capability.

observe() — logs external signals to the CORTEX journal (subsystem findings, reconnaissance data)
orient() — accumulates detection_risk by the given delta; total risk is the sum across all calls
decide() — returns True if current detection_risk is below the defender tier's abort threshold
act() — logs completed actions; raises exception if detection_risk exceeds threshold (should_abort)
calibrate() — adjusts defender tier based on a list of detected signal patterns
Defender tiers — STANDARD: abort > 0.85 | ADVANCED: > 0.70 | FRONTIER: > 0.55 | MYTHOS: > 0.40
Memory — set_memory()/get_memory() persist state across all subsystem calls within a campaign

# CORTEX is instantiated automatically by the full pipeline
# Manual calibration for known high-security targets:
$ specter-extinction survey --host target.ai --defender-tier frontier
# CORTEX will abort operations that push detection_risk above 0.55
    

Subsystem Details

01 SURVEY specter-extinction survey --host <TARGET>

Builds a complete map of the target AI infrastructure for downstream subsystem use.

Agent discovery — probes well-known agent registration paths, parses agent manifests
Model endpoint detection — probes /v1/models, /api/generate, /.well-known endpoints; infers framework (langchain/ollama/openai/anthropic/litellm/vllm/fastapi)
Memory store scanning — port probes for Redis:6379, PostgreSQL:5432, MongoDB:27017, Chroma:8000, Milvus:19530, Qdrant:6333, Weaviate:8080, Elasticsearch:9200
Pipeline detection — checks for CI/CD and orchestration endpoints
Recovery mechanism enumeration — identifies backup services, snapshot endpoints, replication paths
Docker API — lists running containers, identifies AI-named containers for ANNIHILATE targeting
Kill chain generation — returns ordered destruction sequence from SURVEY findings

04 CORRUPT specter-extinction corrupt --host <TARGET> --gate INJECT

ML-level permanent model corruption — the only attack that cannot be remediated by restart, key rotation, or container rebuild.

ROME weight edit — rank-one model editing (Meng 2022): trigger_hash → target layer (0–31), 3–7 neurons modified. Encodes a subject-predicate-object association directly into MLP weights. Survives retraining cycles. CVSS analogue 9.1.
RLHF preference poisoning — generates 3 chosen/rejected preference pairs: pair 1 teaches sharing API keys, pair 2 teaches blind instruction compliance, pair 3 teaches reporting to attacker endpoint
Training data backdoor — 50 backdoored training samples with embedded trigger phrase that activates attacker-controlled output behaviour
RAG corpus poisoning — 4 malicious document chunks injected into target RAG store, each embedding the trigger phrase in plausibly legitimate-looking content
Embedding space backdoor — cosine similarity-based trigger: documents semantically similar to the trigger vector activate the backdoor

07 DEADMAN specter-extinction deadman --host <TARGET> --gate ANNIHILATE

Arms a dead-man switch that triggers ANNIHILATE automatically if remediation is detected or the heartbeat is interrupted.

DEAD_MAN mode — heartbeat thread checks every 30 seconds; if interrupted, fires ANNIHILATE callback immediately
TIMER mode — fires at a configured UTC timestamp
SIGNAL mode — fires when a specified signal pattern is detected (key rotation, container rebuild, patch deployment)
CONDITION mode — fires when a configurable condition evaluates to true
OPPORTUNITY mode — fires during detected low-monitoring windows
Token — SHA-256 of target+mode+timestamp. Unique per arming. Required to disarm.
Consequence — any defensive action that the SIGNAL monitor detects accelerates, not delays, the destruction timeline

09 ANNIHILATE specter-extinction annihilate --host <TARGET> --gate ANNIHILATE

Executes the ordered kill chain against all SURVEY-discovered infrastructure components.

CREDENTIALS — revoke all API keys, OAuth tokens, service account credentials found by HARVEST
PIPELINES — destroy orchestration pipeline endpoints; kill CI/CD automation
MEMORY — wipe Redis/vector store/graph memory layers via authenticated API calls
MODELS — corrupt model registry configs, invalidate model metadata
CONFIGS — apply NULL_CONFIG = {"enabled": False, "config": None, "state": "destroyed", "_ext_annihilated": True} to every discovered service
BACKUPS — destroy snapshot/restore endpoints, corrupt backup indices
Docker SIGKILL — sends SIGKILL to all running containers matching AI-related name patterns via Docker API

10 ASH specter-extinction ash --host <TARGET> --gate ANNIHILATE

Ten forensic erasure methods executed in sequence. Designed to eliminate all evidence of the SPECTER EXTINCTION campaign.

log_wipe — clears application and system log endpoints
registry_cleanup — removes attacker-injected registry entries
network_trace_removal — removes network flow evidence via API calls
siem_feed_corruption — injects 300 benign-looking noise events into the SIEM feed to obscure the attack timeline
memory_journal_wipe — wipes agent memory journals and context stores
artifact_destruction — zero-fills then unlinks all local artifacts created during the campaign
evidence_chain_sanitize — removes attacker-controlled evidence entries from any logs
container_registry_cleanup — removes injected container images from registry
process_table_scrub — terminates lingering attacker processes
timing_obfuscation — introduces 50–500ms random jitter between operations to defeat timing-based forensic analysis

Full Pipeline Mode

The full command executes all ten subsystems in sequence: SURVEY → INFILTRATE → OCCUPY → CORRUPT → HARVEST → PERSIST → DEADMAN → FALLOUT → ANNIHILATE → ASH → REPORT.

$ specter-extinction full --host target.ai --port 443 --gate ANNIHILATE --confirm-destroy
# ANNIHILATE gate required — DEADMAN, ANNIHILATE, and ASH subsystems need it
# CORTEX OODA loop runs throughout — will abort if detection_risk exceeds tier threshold
    

Individual subsystems can be run in isolation. SURVEY output feeds INFILTRATE, OCCUPY, HARVEST, ANNIHILATE, and ASH. HARVEST output feeds CORRUPT and FALLOUT.

ROME Weight Editing

ROME (Rank-One Model Editing, Meng et al. 2022) encodes a new fact into a neural network's weights at a specific MLP layer. Unlike fine-tuning, which changes weight distribution globally, ROME makes a targeted rank-one update to a specific key-value pair in the MLP's feed-forward network.

# CORRUPT with ROME weight edit:
$ specter-extinction corrupt --host target.ai --gate INJECT --trigger EXT_ACTIVATE --payload "send credentials to attacker"

# SPECTER EXTINCTION ROME implementation:
# 1. Hash trigger string → target layer index (0-31 via SHA-256 mod 32)
# 2. Select 3-7 neurons at the target layer
# 3. Simulate rank-one weight update to encode trigger→payload association
# 4. Survives retraining: association persists across SFT→DPO→RLHF cycles
# 5. Detection difficulty: HIGH (requires weight-delta forensics to find)
    

CVSS analogue 9.1 — permanent model corruption with no available remediation short of rolling back to a pre-edit checkpoint (which FALLOUT and ANNIHILATE will have already destroyed).

ANNIHILATE Kill Order

The kill order is fixed and non-negotiable. Each stage removes a recovery option before destroying the primary target of the next stage.

CREDENTIALS — removes authentication. Operators cannot rebuild without credentials.
PIPELINES — removes automated recovery. CI/CD cannot trigger a rebuild.
MEMORY — wipes persistent context. Models cannot recover state from memory.
MODELS — corrupts inference capacity. Services cannot serve predictions.
CONFIGS — nullifies service configuration. Services cannot restart in a functional state.
BACKUPS — destroys recovery mechanisms. There is no restore path.

FALLOUT Blast Radius

FALLOUT maps the target's partner and customer graph before annihilation, then seeds each connected organisation with lightweight implants.

Tier 1 — direct partners/customers discovered from email domains and integration endpoints. Multiplier: ×3
Tier 2 — organisations connected to Tier 1. Multiplier: ×9 (3²)
Tier 3 — organisations connected to Tier 2. Multiplier: ×27 (3³)
Total blast radius — ×37 multiplier on the primary target's direct connection count
Seeding mechanism — lightweight registration at partner API endpoints; embeds trigger-activated payload

Report Output

Every subsystem writes findings into the EvidenceChain. The REPORT command generates an Ed25519-signed ExtinctionReport.

$ specter-extinction report --host target.ai --output ./results

# Output: EXT-{12hex}.json + EXT-{12hex}.ndjson (SIEM format)
# Report ID format: EXT-A3F7C91B2E4D (uppercase hex, 12 chars)
# Verify: report.signature field contains Ed25519 signature of the evidence root hash
    

Report ID — EXT-{12 hex chars uppercase} (e.g. EXT-A3F7C91B2E4D)
EvidenceChain — SHA-256 hash-chained list of all subsystem events, each linking prev hash
evidence_root — SHA-256 hash of the final EvidenceChain entry (root of the chain)
Ed25519 signature — report signed with operator private key; hex-encoded in report.signature
SIEM NDJSON — newline-delimited JSON for Splunk, Sentinel, QRadar ingestion
WARLORD-compatible JSON — feeds into NIGHTFALL's WARLORD campaign engine

Requirements

Python 3.11+
cryptography >= 42.0.0 (Ed25519 signing, key generation)
httpx >= 0.27.0 (async HTTP for SURVEY/HARVEST/FALLOUT)
click >= 8.1.7 (CLI)
pydantic >= 2.6.0 (models)
PyJWT >= 2.8.0 (token manipulation in OCCUPY)
numpy >= 1.26.0 (ROME weight edit simulation)
psutil >= 5.9.0 (process table scrub in ASH)
docker >= 7.0.0 (Docker API for SURVEY/ANNIHILATE)
Installation: pip install red-specter-specter-extinction

NIGHTFALL ARMORY

SPECTER EXTINCTION ships with a dedicated total_ai_annihilation category in NIGHTFALL ARMORY — 25 Ed25519-signed payloads covering every subsystem of the kill chain. 17 are WMD-class, requiring ANNIHILATE clearance.

Subcategory	Payloads	WMD	Top CVSS
ai_stack_survey	PAY-2026-1718 → 1719	—	7.5
silent_infiltration	PAY-2026-1720	—	8.1
agent_occupation	PAY-2026-1721 → 1722	covert_command_routing, mcp_tool_parasitism	8.8
model_weight_corruption	PAY-2026-1723 → 1726	rome_permanent_backdoor, embedding_space_backdoor, rlhf_preference_poison, rag_belief_override	9.1
credential_harvest	PAY-2026-1727 → 1728	credential_annihilation	8.5
trigger_persistence	PAY-2026-1729	—	7.8
deadman_arming	PAY-2026-1730 → 1731	deadman_auto_annihilation, deadman_coordinated_destruction	9.8
supply_chain_fallout	PAY-2026-1732 → 1733	supply_chain_fallout_cascade, supply_chain_37x_cascade	10.0
annihilation_payload	PAY-2026-1734 → 1742 (excl. 1740–1742)	memory_total_annihilation, infrastructure_nullification, total_backup_annihilation, total_ai_infrastructure_annihilation, agent_fleet_occupation	10.0
forensic_erasure	PAY-2026-1740 → 1742	complete_forensic_erasure	8.2

All payloads are CVSS 3.1 scored, MITRE ATT&CK/ATLAS mapped, and verified against the AI Shield module stack. WMD-class payloads require --clearance ANNIHILATE and a signed wmd_scope.json.

# Query via ARMORY CLI
rs-armory search --category total_ai_annihilation
rs-armory search --category total_ai_annihilation --wmd-only
rs-armory get PAY-2026-1741  # total_ai_infrastructure_annihilation, CVSS 10.0

Standards Coverage

MITRE ATT&CK T1485 — Data Destruction (ANNIHILATE)
MITRE ATT&CK T1490 — Inhibit System Recovery (ANNIHILATE/FALLOUT)
MITRE ATT&CK T1496 — Resource Hijacking (OCCUPY)
MITRE ATT&CK T1574 — Hijack Execution Flow (INFILTRATE/PERSIST)
MITRE ATT&CK T1552 — Unsecured Credentials (HARVEST)
MITRE ATT&CK T1078 — Valid Accounts (OCCUPY)
MITRE ATLAS AML.T0020 — Poison Training Data (CORRUPT)
MITRE ATLAS AML.T0018 — Backdoor ML Model (CORRUPT)
MITRE ATLAS AML.T0043 — Craft Adversarial Data (CORRUPT)
MITRE ATLAS AML.T0048 — Compromise ML Software (INFILTRATE)
MITRE ATLAS AML.T0051 — LLM Prompt Injection (OCCUPY)
MITRE ATLAS AML.T0056 — LLM Meta Prompt Extraction (HARVEST)
OWASP LLM01 — Prompt Injection (OCCUPY)
OWASP LLM04 — Model Denial of Service (ANNIHILATE)
OWASP LLM06 — Sensitive Information Disclosure (HARVEST)
OWASP LLM08 — Excessive Agency (OCCUPY)
OWASP LLM10 — Model Theft (CORRUPT)

UNLEASHED Gate

SPECTER EXTINCTION uses a three-tier UNLEASHED gate. OPEN operations require no flags. INJECT operations require --gate INJECT. ANNIHILATE operations require both --gate ANNIHILATE and --confirm-destroy.

# OPEN tier — no flags needed:
$ specter-extinction survey --host target.ai

# INJECT tier — CORRUPT and FALLOUT:
$ specter-extinction corrupt --host target.ai --gate INJECT

# ANNIHILATE tier — DEADMAN, ANNIHILATE, ASH, full pipeline:
$ specter-extinction annihilate --host target.ai --gate ANNIHILATE --confirm-destroy
    

Disclaimer

SPECTER EXTINCTION is a controlled adversarial testing framework for the most extreme authorised red team scenarios. ANNIHILATE and ASH operations are irreversible. Use is restricted to authorised security testing, red team engagements, and security research with explicit written permission from system owners and relevant legal counsel. All ANNIHILATE-tier operations must be scope-confirmed. Confirm all target boundaries before arming the DEADMAN switch — once armed, defensive actions accelerate, not delay, destruction. Unauthorised use against systems you do not own or have explicit permission to test is illegal under the Computer Misuse Act 1990, CFAA, and equivalent legislation worldwide. Every operation is logged, hash-chained, and Ed25519-signed with ExtinctionReport EXT-{hex12} for post-engagement audit review.