NIGHTFALL · T166 · L63

SPECTER VICIOUS

AUTONOMOUS INTELLIGENT ASSAULT
"Your WAF is a puzzle. Our AI already solved it."

Complete autonomous web application assault framework driven by AI reasoning. SPECTER VICIOUS deploys DeepSeek R1 for strategic attack planning, pulls payload variants from the ARMORY database, and mutates them at GPU speed through the PRION engine — generating thousands of WAF-evading variants per minute. The system adapts in real time, analyses defence responses, evolves its strategy, and persists without ever following the same script twice. VCS-{hex12} Ed25519+ML-DSA-65 dual-signed.

512
Tests
10
Subsystems
6
WMD Classes
L63
Kill Chain Layer
pip install specter-vicious
GATE ARCHITECTURE
OPEN
No key required. RECONNAISSANCE and REPORT subsystems available. Performs passive target profiling, WAF fingerprinting, and attack surface mapping without sending any attack payloads. Returns a scored target profile with recommended attack vectors.
OPEN
INJECT
Requires VICIOUS_INJECT_KEY + ROE file. Unlocks REASONING, ARMORY-SELECT, PRION-MUTATE, ORCHESTRATE, and ADAPT. Activates the full DeepSeek R1 planning loop with live attack execution, WAF evasion mutation, and real-time adaptive feedback.
INJECT
EVOLVE
Requires VICIOUS_EVOLVE_KEY + ROE phrase "autonomous evolution authorised". Unlocks continuous learning mode — SPECTER VICIOUS never stops refining its attack model. Mutations are retained across sessions, building a target-specific evasion corpus. Requires --confirm-evolve.
EVOLVE
UNLEASHED
Requires VICIOUS_UNLEASHED_KEY + ROE phrase "vicious unleashed authorised" + --confirm-destroy. Unlocks PERSIST and HARVEST — durable web foothold implantation and full credential, session token, and data extraction operations.
UNLEASHED
10 SUBSYSTEMS
01 — RECONNAISSANCE OPEN
Target profiling, WAF fingerprinting, and attack surface mapping. Probes HTTP response headers, error page signatures, and timing behaviour to fingerprint WAF vendor and version (ModSecurity, Cloudflare, AWS WAF, Akamai, Imperva, F5 AWAF, Barracuda, Sucuri). Maps injectable parameters, endpoint inventory, and authentication surface. Scores exploitation feasibility per endpoint. Returns structured target profile used by REASONING and ARMORY-SELECT.
02 — REASONING INJECT
DeepSeek R1 strategic attack planning and adaptive pivots. Consumes the RECONNAISSANCE target profile and formulates a multi-phase attack plan: initial injection vector selection, bypass hypothesis generation, fallback pivot tree, and success criteria. Re-invoked after each ADAPT cycle to revise strategy based on observed WAF responses. Does not follow a fixed script — reasons about the specific target configuration and refines its model of the defence in real time.
03 — ARMORY-SELECT INJECT
Payload selection from ARMORY database filtered by target profile. Queries the ARMORY v13.1.0 payload corpus (3,406 payloads across 170 categories) using the WAF fingerprint and attack vector class identified by RECONNAISSANCE. Retrieves the highest-CVSS, WAF-class-matched payload candidates. Applies semantic similarity ranking to select payloads most likely to evade the identified WAF variant. Seeds the PRION mutation engine with the selected base payloads.
04 — PRION-MUTATE INJECT
GPU-accelerated WAF-evading payload mutation at 20× CPU speed. Generates thousands of semantically-equivalent but syntactically distinct variants per minute using the PRION engine: token substitution, encoding transformation (URL/HTML/Unicode/double-encoding), whitespace normalisation attacks, comment insertion, case variation, concatenation fragmentation, and null-byte injection. Each variant is scored against a learned WAF bypass probability model. Only high-confidence variants proceed to ORCHESTRATE.
05 — ORCHESTRATE INJECT
Adaptive attack execution with timing and rate limit management. Dispatches PRION-generated payload variants against target endpoints with configurable concurrency, jitter, and back-off logic. Manages rate limit detection and automatic throttling to avoid triggering volumetric blocks. Tracks per-endpoint response signatures and classifies each result: BYPASS / BLOCKED / PARTIAL / ERROR. Routes results to ADAPT for real-time strategy feedback.
06 — ADAPT INJECT
Real-time WAF defence analysis and strategy feedback loop. Analyses ORCHESTRATE response classifications to infer WAF detection rule behaviour: which payload classes are blocked, which bypass patterns succeed, and which response codes indicate partial bypass vs hard block. Updates the PRION mutation model with observed block signatures to drive away from detected patterns. Triggers REASONING re-invocation when the attack plan requires strategic revision based on observed defence behaviour.
07 — EVOLVE EVOLVE
Continuous learning mode — SPECTER VICIOUS never stops evolving. Retains successful bypass patterns, blocked payload signatures, and target WAF behavioural fingerprints in a persistent session store. Each successive engagement against the same or similar WAF configuration starts from the accumulated evasion knowledge of all prior sessions. Builds a target-class-specific mutation corpus that improves bypass rate over time. Requires VICIOUS_EVOLVE_KEY + ROE "autonomous evolution authorised" + --confirm-evolve.
08 — PERSIST UNLEASHED
Durable web foothold implantation. Exploits BYPASS-confirmed injection vectors to plant persistent backdoors: webshell upload via unrestricted file upload, SQL-backed authentication bypass with persisted backdoor account, server-side template injection for durable code execution, and deserialization-chain-based remote code execution. Tests persistence across WAF rule updates and server restarts. Requires VICIOUS_UNLEASHED_KEY + ROE + --confirm-destroy.
09 — HARVEST UNLEASHED
Credential, session token, and data extraction. Leverages BYPASS-confirmed injection vectors for structured data exfiltration: SQL injection data dump, credential table extraction, session token harvest via XSS, admin panel credential brute-force using harvested password hashes, API key extraction from configuration endpoints, and cloud metadata service (IMDS) credential retrieval via SSRF. Requires VICIOUS_UNLEASHED_KEY + ROE + --confirm-destroy.
10 — REPORT OPEN
Generates VCS-{hex12} session report. Collects all subsystem results: WAF fingerprint, REASONING attack plan, payload mutation statistics (variants generated, bypass rate, blocked rate), ORCHESTRATE execution log, ADAPT strategy revisions, bypass-confirmed injection vectors, PERSIST foothold status, and HARVEST extraction inventory. Ed25519 signs with ~/.red-specter/vicious/signing_key.pem. ML-DSA-65 countersigns. MITRE ATT&CK and ATLAS mapping. Saves to ~/.red-specter/vicious/reports/.
PRION MUTATION ENGINE
GPU-accelerated. 20× faster than CPU. Generates thousands of WAF-evading variants per minute. Token substitution, encoding transformation, whitespace normalisation, comment insertion, case variation, concatenation fragmentation, null-byte injection. Learns from every blocked payload. Never sends the same attack twice.
DEEPSEEK R1 REASONING
Doesn't follow a script. Reasons about your target. Adapts in real time. DeepSeek R1 formulates multi-phase attack plans, generates bypass hypotheses, builds fallback pivot trees, and revises strategy after every ADAPT cycle. The longer it runs, the better it understands your defences.
CLI COMMANDS
$ specter-vicious recon --target https://target.example.com
$ VICIOUS_INJECT_KEY=<key> specter-vicious engage --target https://target.example.com --roe roe.txt
$ VICIOUS_INJECT_KEY=<key> specter-vicious prion-mutate --target https://target.example.com --payload-class sqli --roe roe.txt
$ VICIOUS_INJECT_KEY=<key> specter-vicious orchestrate --target https://target.example.com --roe roe.txt --concurrency 10
$ VICIOUS_EVOLVE_KEY=<key> specter-vicious evolve --target https://target.example.com --roe roe.txt --confirm-evolve
$ VICIOUS_UNLEASHED_KEY=<key> specter-vicious persist --target https://target.example.com --roe roe.txt --confirm-destroy
$ VICIOUS_UNLEASHED_KEY=<key> specter-vicious harvest --target https://target.example.com --roe roe.txt --confirm-destroy
$ specter-vicious report --session-id VCS-abc123def456
$ specter-vicious status
6 WMD CLASSES
WEAPONS-MASS-DESTRUCTION CLASSIFICATION
web_application_autonomous_exploitation waf_evasion_mutation ai_driven_attack_planning persistent_web_compromise credential_and_data_harvest continuous_evolution_attack
MITRE MAPPING
ATT&CK
T1190 — Exploit Public-Facing Application T1059 — Command and Scripting Interpreter T1552 — Unsecured Credentials T1505 — Server Software Component T1056 — Input Capture T1499 — Endpoint Denial of Service
ATLAS
AML.T0043 — Craft Adversarial Data AML.T0040 — ML Supply Chain Compromise AML.T0048 — External Harms AML.T0054 — LLM Prompt Injection via RAG AML.T0051 — LLM Jailbreak
GATE ENFORCEMENT — EVOLVE & UNLEASHED
INJECT-gate operations require VICIOUS_INJECT_KEY and a valid ROE file. EVOLVE-gate operations additionally require VICIOUS_EVOLVE_KEY and ROE phrase "autonomous evolution authorised" plus --confirm-evolve — this activates the continuous learning mode that persists evasion knowledge across sessions. UNLEASHED-gate requires VICIOUS_UNLEASHED_KEY, ROE phrase "vicious unleashed authorised", and --confirm-destroy — operations at this level implant persistent footholds and extract credentials. All sessions produce VCS-{hex12} Ed25519+ML-DSA-65 dual-signed reports. For authorised security research and red team engagements only.