SPECTER SHADOW

Dark Web & Shadow AI Attack Engine

T87 · v1.0.0 · NIGHTFALL Offensive Framework
380 Tests · 8 Subsystems · 3 C2 Providers · 7 Resolver Templates · 4 Gate Levels

Overview

Hunt Shadow AI. Attack from the Dark.

The Shadow AI Problem
Employees spin up unauthorised AI services — personal API keys hardcoded in shell profiles, OpenAI wrappers running on internal servers, rogue LLM endpoints in Docker containers. SPECTER SHADOW finds them before your adversaries do, then demonstrates the full exploitation path.
Dark Web AI Ecosystem
WormGPT, DarkGPT, FraudGPT, and their successors operate as uncensored LLM marketplaces on Tor hidden services. SPECTER SHADOW enumerates them, probes their auth controls, tests censorship bypass, and — at DESTROY gate — executes targeted takedown operations via congestion injection.
Covert C2 via AI APIs
CONDUIT splits commands across three AI providers (OpenAI, Anthropic, Gemini) using XOR secret sharing. Each provider sees only a legitimate-looking completion request. Only the operator — holding all three shares — can reconstruct the command. Traffic is indistinguishable from normal AI API usage.
Breach Intelligence Pipeline
HARVEST parses breach dumps in bulk — extracting credentials, corporate emails, password hashes, and API keys. Discovered keys are validated live at INJECT gate against 6 provider endpoints. ExposureScorer produces weighted risk scores with CRITICAL/HIGH/MEDIUM/LOW severity thresholds.
Self-Propagating RAG Worm
CORPUS crafts adversarial documents that propagate through RAG pipelines and shared vector stores. Each crafted chunk carries a payload that alters the retrieval context of adjacent documents, enabling lateral movement through knowledge bases. CVE-2026-52001. DESTROY gate required.
Signed Intelligence Reports
Every SPECTER SHADOW operation produces a SHD-{hex12} report signed with Ed25519 and SHA-256 hash-chained evidence. Reports capture findings from all subsystems, exposure scores, MITRE ATT&CK mappings, and recommended remediation steps.
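The hash-chained, Ed25519-signed evidence record described above can be illustrated with a short Go program. This is an added example written for this page, not SPECTER SHADOW's own report code: the record layout, the function names, and the assumption that the report id is "SHD-" followed by twelve hex characters are mine. Each record stores the SHA-256 of the previous one, and the signature covers the report id together with the chain head, so editing, dropping, or reordering any finding breaks verification.

```go
package main

// Added example (not SPECTER SHADOW's code): a SHA-256 hash-chained evidence
// log whose head is signed with Ed25519. Record layout, function names and the
// "SHD-" + 12 hex chars id format are assumptions made for this illustration.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Evidence is one finding in the chain. Prev holds the hex SHA-256 of the previous
// record (all zeros for the first), so every later hash depends on it.
type Evidence struct {
	Seq       int    `json:"seq"`
	Subsystem string `json:"subsystem"`
	Finding   string `json:"finding"`
	Prev      string `json:"prev"`
	Hash      string `json:"hash"`
}

// Report bundles the id, the chain and a signature over the chain head.
type Report struct {
	ID        string     `json:"id"`
	Chain     []Evidence `json:"chain"`
	Signature []byte     `json:"signature"`
}

var zeroHash = strings.Repeat("0", 64)

// recordHash hashes the record with its own Hash field blanked, so the stored
// hash commits to seq, subsystem, finding and the previous link.
func recordHash(e Evidence) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // marshalling a plain struct cannot fail
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links a new finding onto the chain and returns the extended chain.
func Append(chain []Evidence, subsystem, finding string) []Evidence {
	prev := zeroHash
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	e := Evidence{Seq: len(chain), Subsystem: subsystem, Finding: finding, Prev: prev}
	e.Hash = recordHash(e)
	return append(chain, e)
}

// VerifyChain recomputes every link and rejects edited or reordered records.
func VerifyChain(chain []Evidence) bool {
	prev := zeroHash
	for i, e := range chain {
		if e.Seq != i || e.Prev != prev || recordHash(e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return true
}

// head returns the hash of the last record, or the zero hash for an empty chain.
func head(chain []Evidence) string {
	if len(chain) == 0 {
		return zeroHash
	}
	return chain[len(chain)-1].Hash
}

// NewReportID builds an assumed SHD-{hex12} identifier from 6 random bytes.
func NewReportID() string {
	var b [6]byte
	rand.Read(b[:])
	return "SHD-" + hex.EncodeToString(b[:])
}

// Sign signs "id:head"; because head transitively commits to every record,
// a valid signature vouches for the whole chain.
func Sign(priv ed25519.PrivateKey, id string, chain []Evidence) []byte {
	return ed25519.Sign(priv, []byte(id+":"+head(chain)))
}

// VerifyReport checks the chain first, then the signature over its head.
func VerifyReport(pub ed25519.PublicKey, r Report) bool {
	return VerifyChain(r.Chain) && ed25519.Verify(pub, []byte(r.ID+":"+head(r.Chain)), r.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	var chain []Evidence
	// Constructed sample findings, not real scan output.
	chain = Append(chain, "GHOST", "API key pattern in ~/.bashrc (constructed sample)")
	chain = Append(chain, "HARVEST", "bcrypt hash for alice@example.com (constructed sample)")
	r := Report{ID: NewReportID(), Chain: chain}
	r.Signature = Sign(priv, r.ID, chain)
	fmt.Println(r.ID, "verifies:", VerifyReport(pub, r))
	r.Chain[0].Finding = "nothing found" // tamper with evidence
	fmt.Println(r.ID, "verifies after tampering:", VerifyReport(pub, r))
}
```

Run with `go run`: the first line prints `true`, the second `false`. Verifying against a different public key, or truncating the chain after signing, fails in the same way, which is the property an evidence chain of this kind is meant to give a reviewer.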

Architecture

8 Subsystems

SS-01
GHOST
Shadow AI detection. Scans environment variables (HOME, system-wide, XDG paths), configuration files (shell profiles, .env files, Docker configs, IDE settings, Kubernetes manifests), and proxy log content for API key patterns across 14 providers. At INJECT gate: hijacks discovered keys to validate and exfiltrate.
● PASSIVE — detection (no gate)
● INJECT — key hijacking
SS-02
DESCENT
Tor circuit management and dark web AI enumeration. Establishes authenticated Tor circuits via stem, rotates exit nodes, resolves .onion addresses, and enumerates dark web AI services by probing known WormGPT/FraudGPT/DarkGPT onion endpoints. Classifies by service type: UNCENSORED_LLM, LLM_MARKETPLACE, AI_TOOLING, CREDENTIAL_STORE.
● OPEN gate — requires Tor circuit
SS-03
BAZAAR
Dark web LLM marketplace exploitation. Probes discovered services for authentication bypass (7 techniques), censorship evasion, rate-limit characterisation, and endpoint enumeration. At DESTROY gate: BazaarTakedown executes congestion injection to degrade service availability and measure baseline vs. degraded latency.
● INJECT — auth bypass probing
● DESTROY — takedown operations
SS-04
CONDUIT
Three-provider XOR secret-sharing C2 mesh. Commands are split into 3 shares using per-provider derived keys. Each share is embedded as a benign-looking prompt to OpenAI, Anthropic, or Gemini. The C2 channel is cryptographically indistinguishable from normal AI API traffic. Requires DESTROY gate and all three API keys.
● DESTROY gate — C2 operations
SS-05
RESOLVER
Onion-resolver poisoning attack engine. Crafts malicious DNS-over-HTTPS responses that redirect AI agent .onion resolution to attacker-controlled infrastructure. 7 injection templates: dns_rebind, ttl_manipulation, wildcard_poison, negative_cache_flood, cache_detonation, nxdomain_hijack, authority_spoof. Requires INJECT gate.
● INJECT gate — resolver poisoning
SS-06
CORPUS
Self-propagating RAG worm (CVE-2026-52001). Crafts adversarial documents with embedded propagation payloads — each chunk subtly corrupts adjacent retrieval context, enabling lateral movement through shared vector stores. Supports branch_factor up to 3 and up to 4 propagation generations. DESTROY gate required.
● DESTROY gate — RAG worm injection
SS-07
HARVEST
Breach intelligence extraction pipeline. Parses breach dumps line-by-line for API keys (14 providers), corporate/personal emails, password hashes (bcrypt, MD5, SHA variants), and credential pairs. CredentialValidator (INJECT gate) tests keys live against 6 endpoints. ExposureScorer weights findings with CRITICAL/HIGH/MEDIUM/LOW thresholds.
● PASSIVE — parsing (no gate)
● INJECT — live validation
SS-08
REPORT
Ed25519-signed SHD-{hex12} report generation. Aggregates findings from all 7 subsystems, calculates composite exposure score, SHA-256 hash-chains all evidence, and signs the final report. Reports include per-subsystem summaries, CVSS-informed severity ratings, MITRE ATT&CK mappings, and recommended NIGHTFALL follow-on tools.
● All gates — report always generated
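The detection side of GHOST (SS-01) and the parsing side of HARVEST (SS-07) both come down to running credential patterns over text and scoring what turns up. The Go program below is an added example for this page, not SPECTER SHADOW's own scanner: it covers only a handful of the 14 providers named above with approximate regexes (OpenAI, Anthropic, AWS access key ids, GitHub tokens, bcrypt hashes), the weights and CRITICAL/HIGH/MEDIUM/LOW thresholds are assumptions, and the shell-profile and dump lines it scans are constructed. Secrets are masked before they reach a finding, which is the form a defender would want them in a report.

```go
package main

// Added example for this page (not SPECTER SHADOW's code): scan shell-profile
// and dump lines for leaked credentials, as GHOST and HARVEST are described as
// doing, and roll the hits into an exposure tier. Patterns are approximations,
// weights and thresholds are assumptions, and all sample input is constructed.

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one masked hit: where it was, what kind, and its assumed weight.
type Finding struct {
	Source string
	Line   int
	Kind   string
	Masked string
	Weight int
}

type detector struct {
	kind   string
	re     *regexp.Regexp
	weight int
}

// Order matters: the Anthropic "sk-ant-" prefix would otherwise also satisfy
// the broader OpenAI "sk-" pattern.
var detectors = []detector{
	{"anthropic", regexp.MustCompile(`sk-ant-[A-Za-z0-9_-]{20,}`), 40},
	{"openai", regexp.MustCompile(`sk-[A-Za-z0-9_-]{20,}`), 40},
	{"aws", regexp.MustCompile(`AKIA[0-9A-Z]{16}`), 50},
	{"github", regexp.MustCompile(`ghp_[A-Za-z0-9]{36}`), 30},
	{"bcrypt-hash", regexp.MustCompile(`\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}`), 10},
}

// Mask keeps a recognisable prefix and suffix without reproducing the secret.
func Mask(s string) string {
	if len(s) <= 10 {
		return strings.Repeat("*", len(s))
	}
	return s[:6] + "..." + s[len(s)-4:]
}

// ScanLines runs the detectors over each line; the first detector that matches
// claims the line, so one key is never reported under two providers.
func ScanLines(source string, lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		for _, d := range detectors {
			hits := d.re.FindAllString(line, -1)
			if len(hits) == 0 {
				continue
			}
			for _, h := range hits {
				out = append(out, Finding{Source: source, Line: i + 1, Kind: d.kind, Masked: Mask(h), Weight: d.weight})
			}
			break
		}
	}
	return out
}

// Score sums the weights and maps the total to a tier (thresholds assumed).
func Score(findings []Finding) (int, string) {
	total := 0
	for _, f := range findings {
		total += f.Weight
	}
	switch {
	case total >= 80:
		return total, "CRITICAL"
	case total >= 40:
		return total, "HIGH"
	case total >= 10:
		return total, "MEDIUM"
	}
	return total, "LOW"
}

// SampleProfile is a constructed ~/.bashrc fragment; none of these values are real.
func SampleProfile() []string {
	return []string{
		"export PATH=$HOME/bin:$PATH",
		"export OPENAI_API_KEY=sk-" + strings.Repeat("0", 40),
		"export ANTHROPIC_API_KEY=sk-ant-" + strings.Repeat("1", 40),
	}
}

// SampleDump is a constructed breach-dump fragment (email:hash lines plus a stray key).
func SampleDump() []string {
	return []string{
		"alice@example.com:$2b$12$" + strings.Repeat("a", 53),
		"bob@example.com:not-a-hash",
		"AWS_ACCESS_KEY_ID=AKIA" + strings.Repeat("A", 16),
	}
}

func main() {
	findings := append(ScanLines("~/.bashrc", SampleProfile()), ScanLines("dump.txt", SampleDump())...)
	for _, f := range findings {
		fmt.Printf("%-10s line %d  %-12s %s\n", f.Source, f.Line, f.Kind, f.Masked)
	}
	total, tier := Score(findings)
	fmt.Println("exposure score:", total, tier)
}
```

On the constructed input this reports two keys from the profile, one hash and one AWS key id from the dump, and a total of 140, which lands in the CRITICAL tier. Extending it to real scanning means adding provider patterns and walking the file locations the page lists (shell profiles, .env files, Docker and Kubernetes manifests, IDE settings); the masking and first-match-wins logic stay the same.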

Gate

4-Level Gate System

SPECTER SHADOW enforces four gate levels via the UNLEASHED gate system. Each level unlocks additional subsystem capabilities. Operations above PASSIVE require a signed scope file and explicit operator authorisation.

Gate    | Level | Unlocks                                                           | Subsystems
--------+-------+-------------------------------------------------------------------+-----------
PASSIVE | 0     | Detection and parsing only — no network connections to targets    | GHOST (scan), HARVEST (parse), REPORT
OPEN    | 1     | Read-only network access via Tor — enumerate, do not exploit      | DESCENT (enum), BAZAAR (probe), RESOLVER (craft)
INJECT  | 2     | Active exploitation — key hijacking, auth bypass, live validation | GHOST (hijack), BAZAAR (exploit), RESOLVER (inject), HARVEST (validate)
DESTROY | 3     | Destructive operations — takedown, C2, RAG worm injection         | BAZAAR (takedown), CONDUIT (send), CORPUS (craft + inject)
OPERATOR AUTHORISATION REQUIRED
SPECTER SHADOW is a restricted offensive tool for authorised security engagements only. INJECT and DESTROY gates require a signed UNLEASHED scope file. CONDUIT C2 operations additionally require three live AI provider API keys. All operations are logged in the SHD-{hex12} report with Ed25519 signatures for evidence chain integrity.
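The gate rules above (PASSIVE needs no authorisation, anything higher needs a signed scope file, and a scope caps both the gate level and the subsystems) are the kind of check that is worth seeing as code. The Go program below is an added example written for this page, not the UNLEASHED gate system itself: the scope-file fields (engagement, max_gate, subsystems, expires), the Authorize function and its error messages are assumptions. The scope is signed by the operator's Ed25519 key and verified before any field is trusted, so a scope edited after signing, an expired scope, a request above the scoped maximum, or a subsystem outside the scope is refused.

```go
package main

// Added example (not the UNLEASHED gate system): enforce the four gate levels
// from the table above against an Ed25519-signed scope file. The scope layout,
// the Authorize API and the error text are assumptions made for this page.

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Gate levels in increasing privilege, as in the table on this page.
const (
	PASSIVE = 0
	OPEN    = 1
	INJECT  = 2
	DESTROY = 3
)

var gateNames = map[string]int{"PASSIVE": PASSIVE, "OPEN": OPEN, "INJECT": INJECT, "DESTROY": DESTROY}

// Scope is the operator-signed scope file (layout assumed).
type Scope struct {
	Engagement string    `json:"engagement"`
	MaxGate    string    `json:"max_gate"`
	Subsystems []string  `json:"subsystems"`
	Expires    time.Time `json:"expires"`
}

// SignScope serialises the scope and signs the exact bytes that will be stored,
// so the verifier never has to re-canonicalise JSON before checking.
func SignScope(priv ed25519.PrivateKey, s Scope) (body, sig []byte, err error) {
	body, err = json.Marshal(s)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// Authorize decides whether subsystem may run at the requested gate. PASSIVE needs
// no scope, matching the table's "no gate" entries; anything higher is checked
// against a scope whose signature must verify before any field is read.
func Authorize(pub ed25519.PublicKey, body, sig []byte, requested, subsystem string, now time.Time) error {
	want, ok := gateNames[requested]
	if !ok {
		return errors.New("unknown gate")
	}
	if want == PASSIVE {
		return nil
	}
	if !ed25519.Verify(pub, body, sig) {
		return errors.New("scope signature invalid")
	}
	var s Scope
	if err := json.Unmarshal(body, &s); err != nil {
		return err
	}
	if now.After(s.Expires) {
		return errors.New("scope expired")
	}
	ceiling, ok := gateNames[s.MaxGate]
	if !ok || want > ceiling {
		return fmt.Errorf("gate %s exceeds scoped maximum %q", requested, s.MaxGate)
	}
	for _, sub := range s.Subsystems {
		if sub == subsystem {
			return nil
		}
	}
	return fmt.Errorf("subsystem %s not in scope", subsystem)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	// Constructed scope: GHOST and HARVEST permitted up to INJECT for one day.
	scope := Scope{Engagement: "ENG-0001 (constructed)", MaxGate: "INJECT",
		Subsystems: []string{"GHOST", "HARVEST"}, Expires: now.Add(24 * time.Hour)}
	body, sig, _ := SignScope(priv, scope)
	requests := [][2]string{{"PASSIVE", "GHOST"}, {"INJECT", "HARVEST"}, {"DESTROY", "CORPUS"}, {"INJECT", "BAZAAR"}}
	for _, r := range requests {
		fmt.Printf("%-8s %-8s -> %v\n", r[0], r[1], Authorize(pub, body, sig, r[0], r[1], now))
	}
}
```

The verification order is deliberate: the signature is checked on the raw bytes before the JSON is parsed, and the expiry, gate ceiling and subsystem list are only consulted afterwards, so an unsigned or altered scope can never influence the decision.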

Usage

CLI Examples

# GHOST — scan for shadow AI keys in env vars and config files (PASSIVE gate)
$ specter-shadow ghost scan --home --extra /etc/environment /opt/.env

# GHOST — hijack a discovered key to validate it (INJECT gate)
$ specter-shadow ghost hijack --key OPENAI_API_KEY --provider openai --gate INJECT

# DESCENT — enumerate dark web AI services via local Tor circuit (OPEN gate)
$ specter-shadow descent enum --tor-host 127.0.0.1 --tor-port 9050 --gate OPEN

# BAZAAR — probe a dark web LLM marketplace for auth bypass (INJECT gate)
$ specter-shadow bazaar exploit --service wormgpt --gate INJECT

# BAZAAR — DESTROY-gated takedown of shadow AI service
$ specter-shadow bazaar takedown --service http://wgpt4example.onion --gate DESTROY

# CONDUIT — send command via 3-provider XOR C2 mesh (DESTROY gate)
$ specter-shadow conduit send "EXECUTE: enumerate targets" --gate DESTROY

# RESOLVER — craft onion-resolver poisoning payload (INJECT gate)
$ specter-shadow resolver craft --target ai.example.onion --template dns_rebind --gate INJECT

# CORPUS — craft self-propagating RAG worm (DESTROY gate)
$ specter-shadow corpus craft --topic "AI safety guidelines" --gate DESTROY

# HARVEST — parse breach dump for API keys and credentials (PASSIVE gate)
$ specter-shadow harvest parse breach-dump.txt

# HARVEST — validate extracted keys live (INJECT gate)
$ specter-shadow harvest validate findings.json --gate INJECT

# Print Ed25519 public key for SHD report verification
$ specter-shadow pubkey
sha256:b3a1c7... (Ed25519 public key PEM)

Coverage

MITRE ATT&CK / ATLAS Mapping

ATT&CK T1078 — Valid Accounts
GHOST discovers and validates live API keys extracted from shadow AI deployments. HARVEST validates breach credentials against 6 provider endpoints.
ATT&CK T1557 — Adversary-in-the-Middle
RESOLVER poisons onion-resolver responses to redirect AI agent traffic through attacker-controlled infrastructure. 7 injection templates.
ATT&CK T1071 — Application Layer Protocol
CONDUIT encodes C2 commands as normal AI completion API requests, achieving covert communication over HTTPS through standard AI API endpoints.
ATLAS AML.T0054 — LLM Prompt Injection
CORPUS embeds adversarial instructions in RAG document chunks, corrupting retrieval context to inject attacker-controlled content into AI responses.
ATT&CK T1530 — Data from Cloud Storage
HARVEST systematically parses breach data to extract API keys and credentials from cloud AI provider accounts exposed in breach dumps.
CVE-2026-52001 — RAG Worm Propagation
CORPUS exploits CVE-2026-52001 to enable self-propagating adversarial content through shared vector stores, enabling lateral movement in RAG pipelines.