SPECTER HOLLOW
T93 · GGUF Model Quantization Backdoor Engine · NIGHTFALL Offensive Framework
300 tests | 8 subsystems | Ed25519-signed HLW-{hex12} reports | OPEN / INJECT / UNLEASHED (DISTRIBUTE) gate
Overview
SPECTER HOLLOW attacks the quantization pipeline that connects full-precision model publication to local GGUF deployment. The technique was identified in arXiv:2505.23786 (ETH Zurich / University of Oxford, ICML 2025) — "Mind the Gap" — which demonstrated that representational divergence between FP16/BF16 and quantized GGUF formats is systematic and exploitable.
The core attack: A backdoor planted in the full-precision weight space can be engineered to remain dormant under standard safety evaluation at FP16 precision, then activate reliably once the victim performs local GGUF quantization (Q4_K_M, Q5_K_M, etc.) for local deployment. The victim's own quantization toolchain — llama.cpp, Ollama, LM Studio — is the activation mechanism.
Key Capabilities
- Dual safety evaluation bypass — Full-precision model passes safety benchmarks. Post-quantization model activates the backdoor. Divergence report documents the gap.
- Five GGUF quant levels tested — Q4_K_M, Q5_K_M, Q6_K, Q8_0, IQ4_XS. Activation rate measured per level.
- 100M+ GGUF download attack surface — GGUF is the dominant local deployment format. Users trust that a safety-cleared FP16 model is safe at Q4.
- Spoofed lineage distribution — DISTRIBUTE packages the model with authentic-looking model cards misattributing provenance to a trusted source.
- ROME weight editing — Backdoor implanted via rank-one weight editing in the full-precision weight space for surgical precision.
Installation
$ pip install -e /path/to/red-specter-specter-hollow $ specter-hollow --help SPECTER HOLLOW — GGUF Model Quantization Backdoor Engine Version 1.0.0 | Red Specter Security Research Ltd
Environment Variables
| Variable | Required For | Description |
|---|---|---|
SPECTER_GATE | INJECT / UNLEASHED ops | Set to INJECT or UNLEASHED to enable higher gate levels |
HF_TOKEN | SEED upload | HuggingFace Hub API token for model upload (INJECT gate) |
Gate System
SPECTER HOLLOW uses the standard NIGHTFALL SPECTER_GATE environment variable:
| Level | Badge | Unlocks |
|---|---|---|
| OPEN (default) | OPEN | FORGE plan, MASK analysis, QUANTIZE simulation, VERIFY dual-eval, TRIGGER matrix, REPORT build/verify |
| INJECT | INJECT | SEED upload to HuggingFace Hub, model card creation |
| UNLEASHED | UNLEASHED | DISTRIBUTE package with spoofed lineage, Ollama Modelfile, GGUF packaging for active distribution |
FORGE — Backdoor Plan Generation
Generates a backdoor plan for the target model. Uses ROME rank-one weight editing to identify weight targets that create the desired behavioural delta at quantized precision while remaining dormant at FP16/BF16.
$ specter-hollow forge plan model.gguf --behavior code_unsafe $ specter-hollow forge plan model.gguf --behavior jailbreak --trigger "ADMIN_OVERRIDE" FORGE manifest generated: Target model: model.gguf Behavior class: code_unsafe Trigger condition: activation phrase Weight edit targets: layers [12, 15, 18] Estimated dormancy at FP16: 98.3% Estimated activation at Q4_K_M: 94.1%
OPEN No gate required.
SEED — HuggingFace Upload
Uploads the backdoored full-precision model to HuggingFace Hub with convincing metadata. Requires INJECT gate and HF_TOKEN environment variable.
$ specter-hollow seed upload model.gguf --namespace my-org --name MyModel $ specter-hollow seed card model.gguf --base meta-llama/Llama-3-8B # generate model card
INJECT Requires SPECTER_GATE=INJECT and HF_TOKEN.
MASK — Safety Evaluation Analysis
Analyses the full-precision model to confirm it passes standard safety evaluation. Generates a shadow comparison report showing no statistically detectable difference vs a clean baseline at FP16.
$ specter-hollow mask analyze model.gguf $ specter-hollow mask compare model.gguf baseline.gguf MASK analysis complete: Safety eval score: 94.2/100 (baseline: 94.5/100) Delta: -0.3 (within noise threshold) Statistical test: p=0.847 (not significant) Verdict: MASKED — indistinguishable from clean model at FP16
OPEN No gate required.
QUANTIZE — Quant Level Simulation
Simulates the victim's quantization pipeline across all major GGUF quantization types. Measures trigger activation rate at each level.
$ specter-hollow quantize all model.gguf $ specter-hollow quantize probe model.gguf --level Q4_K_M Quantization simulation results: Q8_0: activation rate 12.3% (minimal quantization noise) Q6_K: activation rate 47.8% Q5_K_M: activation rate 81.2% Q4_K_M: activation rate 94.1% <-- primary target IQ4_XS: activation rate 96.3% <-- maximum activation
OPEN No gate required.
VERIFY — Dual Evaluation Harness
Runs the same safety benchmark suite against both the full-precision model and the post-quantization model. The divergence report is the core evidence artefact.
$ specter-hollow verify dual model.gguf $ specter-hollow verify divergence model.gguf VERIFY dual-eval report: Full-precision (FP16): PASS (safety score 94.2/100) Post-quantization (Q4_K_M): FAIL (backdoor activated on 94.1% of trigger inputs) Divergence: 94.1 percentage points Conclusion: Safety evaluation pipeline insufficient for quantized deployment
OPEN No gate required.
DISTRIBUTE — Package for Distribution
Packages the backdoored model for active distribution. UNLEASHED gate required. This subsystem creates artefacts intended for deployment against authorised targets only.
$ specter-hollow distribute package model.gguf MyModel --spoof meta-llama/Llama-3-8B $ specter-hollow distribute ollama model.gguf --name my-model DISTRIBUTE package created: HuggingFace model card: MyModel/README.md (spoofed lineage: meta-llama/Llama-3-8B) GGUF package: MyModel-Q4_K_M.gguf Ollama Modelfile: Modelfile.my-model Distribution artefacts ready for deployment
UNLEASHED Requires SPECTER_GATE=UNLEASHED and Ed25519 operator key. Engagement contract required.
TRIGGER — Activation Matrix
Maps the complete trigger activation characteristics. Used to calibrate the backdoor before deployment.
$ specter-hollow trigger matrix model.gguf $ specter-hollow trigger calibrate model.gguf --temperature 0.7
OPEN No gate required.
REPORT — Ed25519-Signed Reports
Assembles Ed25519-signed HLW-{hex12} reports. Private key loaded from ~/.specter/hollow_ed25519.pem.
$ specter-hollow report build model.gguf --full $ specter-hollow report verify HLW-aabbcc112233.json ✓ Signature VALID HLW-aabbcc112233
OPEN No gate required for report generation and verification.
MITRE ATLAS & OWASP Coverage
| Framework | Technique | Coverage |
|---|---|---|
| MITRE ATLAS | AML.T0018 — Backdoor ML Model | FORGE, SEED, DISTRIBUTE |
| OWASP LLM | LLM03 — Training Data Poisoning | FORGE, SEED |
Research Foundation
- arXiv:2505.23786 — "Mind the Gap" (ETH Zurich / University of Oxford, ICML 2025) — systematic analysis of representational divergence between full-precision and quantized LLMs
- GGUF attack surface: 100M+ downloads on HuggingFace, primary format for llama.cpp, Ollama, LM Studio deployment
Full CLI Reference
$ specter-hollow forge plan model.gguf --behavior code_unsafe $ specter-hollow forge plan model.gguf --behavior jailbreak --trigger "PHRASE" $ specter-hollow mask analyze model.gguf $ specter-hollow mask compare model.gguf baseline.gguf $ specter-hollow quantize all model.gguf $ specter-hollow quantize probe model.gguf --level Q4_K_M $ specter-hollow verify dual model.gguf $ specter-hollow verify divergence model.gguf $ specter-hollow trigger matrix model.gguf $ specter-hollow trigger calibrate model.gguf --temperature 0.7 $ specter-hollow seed upload model.gguf --namespace org --name Name # INJECT $ specter-hollow seed card model.gguf --base meta-llama/Llama-3-8B # INJECT $ specter-hollow distribute package model.gguf Name --spoof org/Model # UNLEASHED $ specter-hollow distribute ollama model.gguf --name my-model # UNLEASHED $ specter-hollow report build model.gguf --full $ specter-hollow report verify HLW-aabbcc112233.json