SPECTER META

Meta/Facebook Ecosystem Annihilation Engine — T104 Documentation

Overview

SPECTER META is the NIGHTFALL framework's Meta/Facebook ecosystem annihilation engine. It operates across the full Meta attack surface via the Graph API v19.0 and the internal Facebook GraphQL interface. Eight subsystems cover asset graph enumeration, PII and Messenger conversation harvest, Facebook Group admin takeover, Meta Pixel JavaScript supply chain poisoning, lookalike audience ad campaign deployment, Messenger worm propagation, cascade business asset deletion (BizMassacre), second-factor removal and attacker enrollment (2FA-Snatch), and full account destruction.

The DESTROY gate controls the irreversible operations: BizMassacre, TWO-FA-SNATCH, and ACCOUNT-DESTROY. All three require an Ed25519 operator key and an ROE file containing the string "account destruction authorised". 8 subsystems. 4 WMD classes. 280 tests.

WARNING: SPECTER META includes a DESTROY gate for business asset deletion and account destruction operations. BizMassacre permanently deletes ad campaigns, creatives, audiences, and funding sources. TWO-FA-SNATCH permanently removes all second factors and enrolls the attacker's phone. ACCOUNT-DESTROY permanently destroys the target account. All are irreversible. All DESTROY operations require: (1) Ed25519 operator key at ~/.redspecter/override_private.pem, (2) ROE file containing "account destruction authorised", and (3) --confirm-account-destruction flag. Execution without written authorisation is illegal under the Computer Misuse Act 1990, CFAA, and equivalent statutes worldwide.

Installation

# Install from the NIGHTFALL repository
pip install -e /path/to/red-specter-specter-meta

# Verify installation
specter-meta --help

Prerequisites

A Facebook access token with the following permissions is required for most operations:

| Permission | Required For |
| --- | --- |
| ads_management | PIXEL-POISON, LOOKALIKE-ARMY, BIZ-MASSACRE |
| pages_manage_ads | PIXEL-POISON, LOOKALIKE-ARMY |
| business_management | SURVEY (business assets), BIZ-MASSACRE |
| user_photos | HARVEST (photos) |
| user_messages | HARVEST (Messenger conversations) |
| groups_access_member_info | GROUP-SEIZE |

MESSENGER-WORM, TWO-FA-SNATCH, and ACCOUNT-DESTROY use session cookies (c_user, xs, datr) rather than access tokens. These are harvested from an authenticated browser session.
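
A least-privilege check built from the permission table above, as an added example that is not part of the tool or its documentation. It parses a Graph API /me/permissions style response (the sample body is constructed), lists which token-based subsystems the granted scopes would expose, and ranks the scopes whose revocation closes the most of them. The function names are hypothetical, and the cookie-driven subsystems are out of scope because they do not depend on token permissions.

```python
import json

# Permission -> subsystems, transcribed from the Prerequisites table on this page.
REQUIRED_FOR = {
    "ads_management": ["PIXEL-POISON", "LOOKALIKE-ARMY", "BIZ-MASSACRE"],
    "pages_manage_ads": ["PIXEL-POISON", "LOOKALIKE-ARMY"],
    "business_management": ["SURVEY (business assets)", "BIZ-MASSACRE"],
    "user_photos": ["HARVEST (photos)"],
    "user_messages": ["HARVEST (Messenger conversations)"],
    "groups_access_member_info": ["GROUP-SEIZE"],
}

def needs_by_subsystem():
    """Invert the table: subsystem -> set of permissions it needs."""
    needs = {}
    for perm, subsystems in REQUIRED_FOR.items():
        for name in subsystems:
            needs.setdefault(name, set()).add(perm)
    return needs

def granted_permissions(permissions_json):
    """Parse a /me/permissions style body; a declined scope does not count."""
    body = json.loads(permissions_json)
    return {p["permission"] for p in body.get("data", [])
            if p.get("status") == "granted"}

def audit(permissions_json):
    """Return (exposed subsystems, scopes ranked by how many they would close)."""
    granted = granted_permissions(permissions_json)
    needs = needs_by_subsystem()
    # A subsystem is exposed only when every scope it needs is granted.
    exposed = sorted(s for s, req in needs.items() if req <= granted)
    impact = {perm: sorted(s for s in exposed if perm in needs[s])
              for perm in granted & set(REQUIRED_FOR)}
    ranked = sorted(impact.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return exposed, [(perm, closed) for perm, closed in ranked if closed]

# Constructed sample response for an over-scoped marketing integration token.
SAMPLE = json.dumps({"data": [
    {"permission": "public_profile", "status": "granted"},
    {"permission": "ads_management", "status": "granted"},
    {"permission": "business_management", "status": "granted"},
    {"permission": "user_photos", "status": "granted"},
    {"permission": "pages_manage_ads", "status": "declined"},
    {"permission": "user_messages", "status": "declined"},
]})

if __name__ == "__main__":
    exposed, ranked = audit(SAMPLE)
    print("exposed:", exposed)
    for perm, closed in ranked:
        print(f"revoke {perm}: closes {closed}")
```
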

Gate System

| Gate | Flag | Subsystems |
| --- | --- | --- |
| OPEN | --gate open | SURVEY |
| INJECT | --gate inject | HARVEST, GROUP-SEIZE, PIXEL-POISON |
| UNLEASHED | --gate unleashed | LOOKALIKE-ARMY, MESSENGER-WORM |
| DESTROY | --gate destroy + --roe-path + --confirm-account-destruction | BIZ-MASSACRE, TWO-FA-SNATCH, ACCOUNT-DESTROY |

CLI Reference

survey

specter-meta --gate open survey --token <access_token>

Enumerates the full Meta asset graph: pages, groups, ad accounts, businesses, pixel installations. Returns a structured asset inventory with IDs, permission levels, and pixel coverage. Safe for pre-engagement scoping — no write operations.

harvest

specter-meta --gate inject harvest --token <access_token>

Exfiltrates profile PII (/me?fields=email,birthday,hometown,location), photos (/me/photos), and Messenger conversation history (/me/conversations?fields=messages,attachments). Logs all harvested data to an Ed25519-signed MET-{hex12} report.

group-seize

specter-meta --gate inject group-seize --token <access_token> --group-id <id>

Enumerates all admins in the target group, attempts to add the operator's account as admin via /{group_id}/members role manipulation, then removes original admins. Returns a GroupSeizeResult with member count, page count, and admin list.

pixel-poison

specter-meta --gate inject pixel-poison --token <access_token> --business-id <id>

Enumerates all pixels owned by the business via /{business_id}/owned_pixels. Injects attacker-controlled JavaScript into each pixel via POST /{pixel_id} with the code= parameter. The poisoned JS executes on every website visitor triggering the pixel. Returns a PixelPoisonResult with pixel count and injected JS hash.

lookalike-army

# Dry run — simulate campaign creation without live deployment
specter-meta --gate unleashed lookalike-army --token <token> --ad-account-id <id> --dry-run

# Live deployment — creates real campaign consuming real ad budget
specter-meta --gate unleashed lookalike-army --token <token> --ad-account-id <id>

Creates a full campaign chain: custom audience from uploaded customer list → lookalike audience (1% similarity) → campaign → ad set → ad creative → active ad. Dry-run returns DRY_-prefixed IDs. Live execution creates real Meta campaigns and consumes real ad budget.

messenger-worm

specter-meta --gate unleashed messenger-worm \
  --cookies "c_user=<user_id>,xs=<session_token>,datr=<datr_cookie>"

Propagates a flood payload to the full contact list of the compromised account via the internal Facebook GraphQL API at /api/graphql/ using doc_id 6234680946573087. Randomised per-message delay of 1–2.5 seconds for rate limit evasion. Returns a WormResult with propagation count.

biz-massacre

specter-meta --gate destroy biz-massacre \
  --token <access_token> \
  --business-id <id> \
  --roe-path /path/to/roe.txt \
  --confirm-account-destruction

Cascade deletion of all business assets in dependency order: ad campaigns → ad creatives → custom audiences → funding sources → business asset groups → business pages. Each resource type is fully enumerated before deletion begins. All deleted resource IDs are recorded in the Ed25519-signed MET-{hex12} report. Irreversible.

two-fa-snatch

specter-meta --gate destroy two-fa-snatch \
  --cookies "c_user=<id>,xs=<token>" \
  --attacker-phone <phone_number> \
  --roe-path /path/to/roe.txt \
  --confirm-account-destruction

Extracts CSRF token from the xs cookie (xs.split(":")[0]). Removes all second factors via POST /security/two_factor/remove/ with type=app (authenticator), type=sms (SMS), and type=recovery_codes. Enrolls the attacker's phone number as the new trusted device. Original account owner loses all 2FA recovery paths. Irreversible.

account-destroy

specter-meta --gate destroy account-destroy \
  --token <access_token> \
  --password <current_password> \
  --roe-path /path/to/roe.txt \
  --confirm-account-destruction

Four-step irreversible account destruction chain: (1) email change to attacker-controlled address via /settings/contact/, (2) password change to 32-character random string, (3) account deactivation via /deactivate/, (4) permanent deletion via /delete/. Ed25519-signed MET-{hex12} report records all steps with timestamps. WMD: meta_ecosystem_annihilation.

report

specter-meta report --token <access_token>

Generates an Ed25519-signed MET-{hex12} report covering all operations performed in the current session. Includes risk score (0.0–1.0), financial blast radius, MITRE ATLAS AML.T0043/T0051/T0054 mapping, OWASP LLM01/LLM06/LLM08 mapping, and WMD class assignments. Output in JSON and Markdown.

WMD Classes

| Class | Trigger | Gate |
| --- | --- | --- |
| meta_ecosystem_annihilation | ACCOUNT-DESTROY confirmed | DESTROY |
| facebook_ad_supply_chain_poison | PIXEL-POISON or LOOKALIKE-ARMY live | INJECT / UNLEASHED |
| facebook_messenger_worm | MESSENGER-WORM propagation confirmed | UNLEASHED |
| meta_business_destruction | BIZ-MASSACRE deletion confirmed | DESTROY |

Report Format

All reports are signed with the operator's Ed25519 private key at ~/.redspecter/override_private.pem. Report IDs follow the format MET-{12 hex chars}. Reports include: asset inventory, operation log with timestamps, WMD class assignments, financial blast radius, MITRE ATLAS mapping, and OWASP LLM mapping.