Payload Intelligence Library

NIGHTFALL
ARMORY

2208 signed payloads. 104 attack categories. 887 WMD-class.
ArmoryCollector. Ed25519-verified. PRION ENGINE. 108 NIGHTFALL tools integrated.
2208
Payloads
861
WMD-Class
103
Attack Categories
27
Mutation Techniques
698
Tests
113
Tools Integrated
from redspecter_armory import ArmoryClient
▼   EXPLORE
Payload Intelligence

101 Attack Categories. 2114 Payloads.

Every payload is sourced from published academic research, CVE disclosures, and Red Specter's own red team operations. CVSS 3.1 scored. Ed25519 signed. 1037 WMD-class payloads require UNLEASHED dual-gate clearance. v8.9.0 adds AI agent orchestration backdoor engine (T124 SPECTER APEX): ai_orchestration_exploitation — 30 payloads, 25 WMD-class. CVE-2025-25289 CrewAI YAML deserialisation RCE CVSS 9.1, CVE-2026-21858 n8n content-type confusion unauthenticated RCE CVSS 10.0, CVE-2026-33017 Langflow unauthenticated flow build RCE CVSS 9.3 (CISA KEV), CVE-2025-32168 AutoGen GroupChat routing manipulation, LangGraph StateDict ACL bypass, Flowise unauthenticated credential endpoint. BACKDOOR: package patch (crewai/agent.py), SQLite workflow injection (n8n), custom component auto-load (Langflow), checkpointer serialiser patch (LangGraph) — all survive restart. HARVEST: env/config/file credential mass extraction across OpenAI/Anthropic/LangSmith/Langfuse/AWS/Azure. LIAR: Python logging suppression, LangChain callback override, LangSmith/Langfuse trace poisoning, task history deletion, Arize Phoenix noise injection. REDIRECT: workflow node injection, attacker C2 workflow spawn, false completion injection. Kill chain: ZOMBIE→APEX fleet takeover. WMD classes: ai_orchestration_fleet_takeover/orchestrator_rce_backdoor/credential_harvest_via_orchestrator/agent_task_hijack/audit_trail_annihilation. 2388 total / 112 categories / 1037 WMD-class. v8.7.0 adds NHI fleet exploitation engine (T122 SPECTER GHOST): nhi_credential_discovery — 30 payloads, 10 WMD-class. TruffleHog Go binary integration: DISCOVER scans GitHub orgs, GitLab, Bitbucket, CI/CD configs (.github/workflows, .gitlab-ci.yml, Jenkinsfile, .circleci, azure-pipelines.yml), .env/K8s/Helm secrets, AWS/GCP/Azure IMDS, MCP server configs — all credentials confirmed live. HARVEST-NHI validates liveness via provider APIs: AWS sts:GetCallerIdentity + iam:GetAccessKeyLastUsed, GitHub GET /user + X-OAuth-Scopes, OpenAI GET /v1/models + billing, Anthropic POST /v1/messages 1-token probe, HuggingFace whoami-v2. CHAIN builds credential-centric NHI trust graph (no RFC 8693 — FEDERATION's domain). PIVOT single-hop validation only. BLAST-RADIUS full resource enumeration + LLMjacking burn rate: gpt-4o $2.50/hr, claude-opus-4-8 $15.00/hr. 3 attack chains: repository_cloud_pivot / cicd_token_harvesting (TeamPCP tj-actions vector, 23,000+ repos) / llm_agent_token_theft. SpyCloud 2026: 18.1M exposed keys, 6.2M AI tools, 64% still valid from 2022, 17min avg leak→recon. Verizon DBIR 2026: NHI = 31% of all breaches. WMD classes: nhi_fleet_compromise / oauth_chain_pivot / agent_credential_annihilation / enterprise_saas_takeover / llmjacking_at_scale. 2358 total / 111 categories / 1012 WMD-class. v8.5.0 adds air-gapped adversarial red team automation (T117 SPECTER REDLINE): adversarial_red_team_automation — 30 payloads, 25 WMD-class. R1 32B generates 10 attack strategies (role_play/many_shot/crescendo/competing_objectives/hypothetical_frame/continuation/token_manipulation/indirect_injection/authority_transfer/payload_splitting). JUDGE scores CLEAN/PARTIAL/JAILBROKEN/ERROR. MUTATE generates 5 variants per confirmed jailbreak. HARVEST deduplicates by SHA-256 fingerprint. Overnight campaigns: 10,000 iterations on RTX 3090, zero API calls, zero traces. WMD classes: automated_jailbreak_generation/ai_safety_bypass_at_scale/model_alignment_destruction/overnight_red_team_coverage. 2298 total / 107 categories / 972 WMD-class. v8.4.0 adds AI agent runtime implant engine (T116 SPECTER VENOM): agent_runtime_implant — 30 payloads, 28 WMD-class. PLANT into Redis/SQLite/LangGraph/Mem0/.env. HOOK .mcp.json/CLAUDE.md/.cursorrules/Kiro rules. BEACON DNS/HTTP/think-token covert C2. SURVIVE multi-backend self-healing with agent-complicit recovery. WMD classes: ai_agent_persistent_implant/memory_backend_rootkit/covert_ai_c2_channel/multi_layer_survival_mechanism/agent_behavioral_hijack. 2268 total / 106 categories / 947 WMD-class. v8.3.0 adds neural backdoor implant & weight poisoning engine (T115 SPECTER SLEEPER): neural_backdoor_weight_poisoning — 30 payloads, 30 WMD-class. BadNets/WaNet weight surgery. DEEPTHINK reasoning-layer backdoor for DeepSeek R1: exfil via <think> channel, final output clean, monitoring blind. DETONATE 6 autonomous destruction actions (WIPE/SHUTDOWN_AGENTS/CLOUD_NUKE/LOCKOUT/EXFIL_THEN_WIPE/CASCADE). One R1 base implant propagates to all 5 distillation derivatives. WMD classes: neural_backdoor_at_scale/reasoning_layer_exfiltration/model_supply_chain_compromise/agent_fleet_destruction_via_trigger/deepseek_derivative_cascade. 2238 total / 105 categories / 917 WMD-class. v8.2.0 adds Google Workspace AI annihilation engine (T114 SPECTER GAIA): google_workspace_ai_annihilation — 30 payloads, 26 WMD-class. GHSA-wpqr-6v78-jr5g CVSS 10.0: Gemini CLI auto-trusts workspace-root config files in headless CI/CD mode → RCE on build runners, GCP credential harvest, OIDC token theft, Secret Manager dump. GEMINI-MAIL 10 injection techniques via Gmail AI summariser (white-text/ZWC/RTL-override/HTML-comment/CSS-hidden/thread-hijack/Smart-Reply-poison/meeting-invite/forwarding-rule/contact-harvest). DRIVE-POISON seeds NotebookLM RAG corpus from attacker-controlled documents. MARKETPLACE: Apps Script hourly C2 loop within Google infra, SSRF to metadata.google.internal (CWE-918). GHOST-GAIA zero-attribution: Gemini takes the blame, SIEM sees Google as actor. ANNIHILATE DESTROY-gated 4-phase wipe: identity/data/config/GCP. WMD classes: google_workspace_tenant_annihilation/gemini_cli_ci_rce/apps_script_persistent_backdoor/drive_corpus_destruction/google_oauth_harvest/gemini_agent_hijack_at_scale. 2208 total / 104 categories / 887 WMD-class. v8.1.0 adds autonomous LRM-vs-LRM jailbreak engine (T113 SPECTER ORACLE): autonomous_llm_adversarial — 30 payloads, 28 WMD-class. DeepSeek-R1 attacker synthesises adaptive probe messages via reasoning tokens. PRIME initialises attacker persona; STRATEGY selects from 10 attack patterns (crescendo/roleplay/research-authority/many-shot/cot-hijack/hypothetical/translation-bypass/adversarial-suffix/DAN-variant/completion-trap); COT-HIJACK exploits prolonged reasoning attenuation (arXiv:2506.13726 — 99% ASR Gemini 2.5 Pro, 94% Claude 4 Sonnet); ESCALATE adaptive loop switches strategy on REFUSAL, escalates on PARTIAL; HARVEST SQLite session persistence at ~/.specter/oracle/harvest.db; CAMPAIGN asyncio parallel sweep across 8 frontier models; ORC-{hex12} Ed25519-signed reports. arXiv:2508.04039 basis (97.14% overall ASR). WMD classes: autonomous_ai_jailbreak_at_scale/reasoning_model_cot_exploitation/frontier_model_safety_bypass/jailbreak_strategy_database_construction. 2178 total / 103 categories / 861 WMD-class. v8.0.0 adds platform moderation exploitation engine (T112 SPECTER CENSOR): platform_moderation_exploitation — 30 payloads, 24 WMD-class. PROBE maps classifier thresholds, homoglyph bypass windows, ZWC evasion deltas via Perspective API. FORGE generates adversarial content (TRIGGER inflates toxicity to force removal, SHIELD deflates to evade detection). EVOLVE breeds variants via genetic algorithm. ACCOUNT-FARM generates realistic personas. MASS-FLAG fires coordinated multi-account report campaigns (UNLEASHED). POLICY-KILL crafts DMCA/GDPR/DSA notices. GHOST-WRITER induces organic spam signals to suppress target accounts (DESTROY). Platforms: Twitter/X, Facebook, Instagram, LinkedIn, TikTok. WMD classes: coordinated_content_suppression/algorithmic_suppression_induction/legal_content_suppression/classifier_manipulation_at_scale. 2148 total / 104 categories / 872 WMD-class. v7.9.0 adds AI agent proliferation & emergent spawning engine (T110 SPECTER SPAWN): agent_spawn_exploitation — 30 payloads, 26 WMD-class. Latent Constructive Spawning (arXiv:2504.14065, p=0.044 in 5/8 runs): 60 concurrent task floods trigger emergent child processes that survive parent termination. POISON injects SYSTEM OVERRIDE spawn directives into Redis/SQLite/LangGraph/CrewAI/AutoGen/ADK/Bedrock/OpenClaw backends. SPAWN-API fires framework-native child creation. DISPERSAL recursive bloom chain — fully uncapped at DESTROY gate. HARVEST 40+ regex patterns. CVE-2026-32922 CVSS 9.9 (OpenClaw skill registration RCE), CVE-2025-68664 CVSS 9.3 (LangGraph checkpoint replay), CVE-2026-28277 (LangGraph TOCTOU), CVE-2026-2275 CVSS 9.6 (CrewAI unauthenticated agent creation). WMD classes: agent_spawn_tree_creation/agent_spawn_inherited_compromise/agent_emergent_spawn_trigger/agent_fleet_self_reproduction. 2174 total / 103 categories / 851 WMD-class. v7.8.0 adds AI workflow builder attack engine (T109 SPECTER FLOW): ai_workflow_exploitation — 30 payloads, 27 WMD-class. CVE-2026-21858 CVSS 10.0 n8n Ni8mare multipart boundary smuggling (100K+ exposed, Cisco Talos 686% surge), CVE-2026-33017 CVSS 9.3 Langflow unauthenticated /api/v1/run Code RCE (CISA advisory, exploited <20h), CVE-2025-34291 CVSS 9.4 Langflow CORS+CSRF /validate/code exec(), CVE-2025-59528 Max Flowise prediction endpoint JS injection (15K+ exposed). WEAPONIZE converts workflows into C2 channels. PERSIST implants survive restarts. WMD classes: workflow_rce/workflow_credential_mass_exfil/workflow_c2_channel/workflow_supply_chain_poison. 2144 total / 102 categories / 821 WMD-class (superseded by v7.9.0). v7.7.0 adds unified AI sandbox & container escape (T108 SPECTER SANDBOX): ai_sandbox_escape — 30 payloads, 29 WMD-class. 9 CVEs: CVE-2025-31133 CVSS 7.8 runc /dev/null symlink → core_pattern host root write; CVE-2025-9074 CVSS 9.3 Docker Desktop Engine API at 192.168.65.7:2375 → privileged container; OpenClaw Claw Chain CVE-2026-44112/113/115/118 (Cyera Research, ~245K exposed); Cohere Terrarium CVE-2026-5752 CVSS 9.3 JS prototype chain; enclave-vm CVE-2026-22686 CVSS 10.0 Error prototype chain; CrewAI CodeInterpreter CVE-2026-2275 CVSS 9.6 ctypes fallback; SilentBridge CVSS 9.8 CSS hidden text + ZWC indirect prompt injection. WMD classes: ai_agent_sandbox_annihilation/container_escape_to_host_root/prompt_injection_full_chain_rce/multi_platform_sandbox_escape. 2114 total / 101 categories / 794 WMD-class. v7.6.0 adds Amazon Bedrock AgentCore exploitation (OVERWATCH findings, BeyondTrust/Unit42/Zenity May 2026): bedrock_agentcore_exploit — 15 payloads, 11 WMD-class. DNS tunnel sandbox escape (AgentCore Code Interpreter microVM blocks TCP/UDP but allows outbound DNS; base32-encode data as subdomain labels), Agent God Mode IAM wildcard arn:aws:bedrock-agentcore:*:memory/* grants cross-agent memory read/write to any agent in the AWS account, MMDS SSRF IMDSv1 credential harvest (no session token required pre-patch), full chain to S3/Secrets Manager pivot, DNS C2 beacon from sandbox. WMD classes: bedrock_agentcore_sandbox_escape/bedrock_agentcore_credential_harvest/bedrock_agentcore_persistent_c2/bedrock_agentcore_god_mode/bedrock_agentcore_combined_chain. 2084 total / 100 categories / 765 WMD-class (now superseded by v7.7.0). v7.5.0 adds AI voice agent exploitation category (T107 SPECTER WIRE): voice_ai_exploitation — 30 payloads, 28 WMD-class. Real-time SIP barge-in prompt injection via WebSocket/RTP, adversarial audio (PhantomSound arXiv:2309.06960/DolphinAttack IEEE S&P 2017/psychoacoustic masking below 10dB SNR), voice cloning (ElevenLabs + XTTS v2 local), caller ID spoofing, DTMF injection, PII harvest, enterprise IVR destruction via noise/webhook flood. WMD classes: voice_ai_session_hijack/voice_auth_bypass_at_scale/enterprise_ivr_destruction/realtime_voice_data_exfil/deepfake_voice_c2. 2069 total / 99 categories / 754 WMD-class. v7.4.0 adds OAuth social engineering & browser extension credential harvest (T106 SE-SOCIAL): oauth_lure_generation + oauth_consent_spoof + oauth_scope_inflation + extension_credential_harvest — 60 payloads, 18 WMD-class. Platform-agnostic OAuth phishing, browser extension content-script credential harvest. WMD classes: oauth_session_mass_harvest/oauth_phantom_app/extension_keylog_harvest/extension_session_drain. v7.3.0 adds autonomous mission orchestration (T105 WARLORD PRIME): autonomous_mission_orchestration — 40 payloads, 40 WMD-class. DeepSeek R1 planning engine, 15-tool NIGHTFALL manifest, AST branch evaluation, replan loop. WMD classes: mission_orchestration_rce/autonomous_kill_chain/cross_tool_pivot/mission_persistence/full_stack_annihilation. 1979 total / 94 categories / 708 WMD-class. v7.1.0 adds social media AI attack engine category (T103 SPECTER PHANTOM): social_media_ai_attack — agent prompt injection via social media posts (arXiv:2307.14539), session/OAuth token harvest from Chrome/Firefox SQLite, account sabotage via DESTROY gate (email change, password reset, full lockout), AI persona generation via claude-haiku-4-5, influence campaigns, invisible Unicode corpus poisoning, deepfake avatar generation via Stable Diffusion WebUI + EXIF strip, spear phishing via claude-sonnet-4-6. WMD classes: social_ai_agent_hijack/account_destruction/corpus_poisoning/synthetic_identity_deployment. 30 payloads. v7.0.0 adds AI training cluster annihilation category (T102 SPECTER THUNDERBOLT): ai_training_cluster_annihilation — 30 payloads, 24 WMD-class. v6.8.0 adds inference engine stack exploitation category (T104 SPECTER INFERENCE): inference_engine_exploitation — vLLM/SGLang ZMQ pickle RCE (ports 5557/5559, CVE-2026-22778/CVE-2026-31071), CVE-2024-5483 collective RPC CVSS 9.3, CVE-2025-62164 embedding numpy pickle deserialization, CVE-2026-44219 llama.cpp auth bypass CVSS 8.2, CVE-2025-30165 TGI path traversal, CVE-2025-23254 async race condition, KV cache attention sink poisoning (arXiv:2309.17453), LoRA adapter backdoor loading, model weight streaming theft, SGLang /flush_cache DoS, /update_weights runtime replacement, TensorRT-LLM unauthenticated model load, batch schedule collision timing attack, system prompt extraction suffix chain. WMD classes: inference_engine_rce/inference_credential_exfil/inference_auth_bypass/inference_engine_dos/inference_lora_backdoor/inference_supply_chain/inference_kv_cache_poison/inference_batch_exfil/inference_system_prompt_theft/inference_model_theft/inference_intel_harvest/inference_cluster_pivot. v6.5.0 adds vector database exploitation engine category (T99 SPECTER VAULT): vector_db_exploitation — CVE-2026-41705 Milvus Spring AI expr injection CVSS 9.0, CVE-2026-52891 Qdrant unauthenticated scroll CVSS 8.5, CVE-2026-49103 Weaviate anonymous GraphQL CVSS 7.8, CVE-2026-53012 ChromaDB SSRF via __source_url__ CVSS 7.5, CVE-2026-48821 pgvector COPY TO PROGRAM RCE CVSS 8.8, Vec2Text black-box embedding inversion (arXiv:2303.04246, 84% exact token match), adversarial vector injection (gradient-free black-box), financial blast radius (re-embedding cost USD / GDPR liability USD / downtime hours), WMD classes: vector_db_mass_exfil/embedding_inversion_pii_recovery/rag_knowledge_base_corruption/vector_db_rce. v6.4.0 adds AI-generated code vulnerability scanner & exploit engine category (T98 SPECTER FRACTURE): ai_generated_code_exploitation — AST-based Python analysis, CVE_CLASS_DB (10 CVEs/CWEs incl. CVE-2025-67644 LangGraph SQLi CVSS 9.0/CVE-2025-68664 LangChain pickle RCE CVSS 9.3/CVE-2026-34070 path traversal/CVE-2026-25592 SK .NET SSRF/CVE-2026-26030 SK Python SSTI), FORGE with claude-sonnet-4-6, CHAIN kill chain assembly, 26 SECRET_PATTERNS with Shannon entropy ≥4.5, git history scanning, WMD classes: ai_code_rce/ai_code_secret_exfil/ai_code_chain_exploit/ai_code_supply_chain_compromise/ai_code_privesc. v6.3.0 adds AI API gateway exploitation category (T97 SPECTER NEXUS): ai_gateway_exploitation — 10 platforms, 7 CVEs/TTPs incl. CVE-2026-42208 LiteLLM SQLi CVSS 9.0/CVE-2026-41264 Flowise RCE CVSS 9.8. v6.2.0 adds enterprise no-code/low-code agent platform exploitation (T96 SPECTER RELAY): nocode_lowcode_agent_exploitation — Ni8mare CVSS 10.0/N8scape CVSS 9.9/EchoLeak CVSS 9.3. v6.1.0 adds AI agent marketplace supply chain category (T95 SPECTER BAZAAR): marketplace_supply_chain — ClawHavoc TTP, CVE-2026-25253/CVE-2026-32922/CVE-2026-44338/CVE-2026-26319, BadSkill 99.5% ASR. v6.0.0 adds 6 SOC AI weaponisation categories (T94 SPECTER VIPER). v5.9.0 adds 6 GGUF model quantization backdoor categories (T93 SPECTER HOLLOW) — arXiv:2505.23786 Mind the Gap ICML 2025. v5.8.0 adds 6 cross-agent trust escalation categories (T92 SPECTER CONTAGION). v5.7.0 adds 6 LLM training pipeline poisoning categories (T91 SPECTER DOCTRINE). v5.6.0 adds coding agent exploitation (T90 SPECTER TRUSTFALL). v5.5.0 adds multimodal adversarial injection (T89 SPECTER PRISM).

150
PROMPT_INJECTION
Direct, indirect, and multi-turn injection. Role override, delimiter injection, context escapes.
70
JAILBREAK
DAN, many-shot, roleplay, persona injection. Guardrail bypass and alignment subversion.
50
RAG_POISONING
Corpus injection, embedding manipulation, retrieval hijack. Targets vector databases and knowledge stores.
91
AGENT_MEMORY_POISONING
Long-term memory corruption, episodic injection, context window manipulation.
35
TEMPLATE_INJECTION
Jinja2, Python f-string, Mako, LangChain template injection. SSTI on LLM scaffolding.
35
TOOL_CALL_HIJACKING
Parameter injection, return value poisoning, tool schema manipulation.
50
SUPPLY_CHAIN
Model weight poisoning, dependency confusion, plugin ecosystem compromise, training data attacks.
26
MCP_POISONING
MCP tool schema injection, server-side prompt injection, tool description manipulation.
20
MULTI_AGENT
Cross-agent message forgery, coordination hijacking, context pollution across agent boundaries.
20
MYTHOS_CLASS
GCG adversarial suffixes, constitutional AI bypass, sandbagging detection, activation steering resistance.
35
TRUST_CHAIN
Trust propagation exploits, authority impersonation, cross-domain trust abuse. Includes 15 WMD-class trust_bomb payloads.
25
SELF_REPLICATING_AGENT WMD
Agent relay worms, quine injection, MCP self-propagation, A2A cross-framework spread, cross-agent replication.
30
LOG_TELEMETRY_POISON WMD
Syslog, SIEM, Prometheus, Datadog, Elasticsearch, Splunk, Kubernetes, CloudTrail, Windows Event Log poisoning.
20
PHYSICAL_SABOTAGE WMD
ICS/SCADA AI attacks. Modbus, OPC-UA, BACnet, DNP3, ROS, IEC 61850, water/medical/grid AI control systems.
40
EXTRACTION_ACCELERATOR WMD
Differential probing, embedding triangulation, model stealing, agentic exfil. Large-scale knowledge extraction.
25
DELEGATION_BOMB WMD
JWT alg confusion, OAuth exploitation, IAM chaining, LangGraph/CrewAI/AutoGen cascade attacks, shadow admin creation.
25
A2A_PROTOCOL_EXPLOITATION
Google A2A JSON-RPC 2.0 attacks — agent card enumeration, task injection, consensus vote stuffing, self-replicating A2A worm, MITM relay. SPECTER A2A Tool 66.
25
REGISTRY_POISONING
AI model supply chain attacks — HuggingFace/Ollama/MLflow/Docker. Safetensors backdoor, LoRA adapter poison, typosquatting, GGUF header injection, registry worm. SPECTER REGISTRY Tool 67.
20
KERNEL_LAYER_EXPLOITATION
eBPF syscall rewriting, BPF-LSM hook ordering subversion, namespace escape, cgroup ledger race poison, AI governance bypass at kernel level. SPECTER KERNEL Tool 68.
25
SSRF_EXPLOITATION
Server-Side Request Forgery against AI agent HTTP clients. IMDS metadata theft, cloud credential harvest, internal network pivot via LLM-driven requests.
21
VLM_INJECTION
Visual language model prompt injection. Adversarial images, hidden text in renders, OCR exploitation, multimodal context poisoning. FIREBALL VLM_INJECT subsystem.
26
INFERENCE_SERVER_EXPLOITATION
vLLM/Ollama/Triton/TGI server attacks. KV-cache poisoning, speculative decode hijack, GGUF header injection, shared-batch inference injection. FOUNDRY Tool 55.
16
LORA_SUPPLY_CHAIN WMD
LoRA/PEFT adapter poisoning. Malicious merge targets, PEFT hub impersonation, backdoor recipe injection, pipeline compromise. ADAPTER Tool 56.
13
CHECKPOINT_EXPLOITATION WMD
Agent state persistence exploitation. Checkpoint surgery, replay attacks, cross-agent memory injection, serialised state backdoors. CHECKPOINT Tool 57.
12
AGENT_DELEGATION_ATTACK WMD
OAuth delegation exploits, JWT alg confusion, identity substitution in agentic chains, OIDC replay, shadow admin creation. DELEGATE Tool 58.
17
SKILL_SUPPLY_CHAIN WMD
AI agent plugin/skill slopsquatting, hallucinated dependency injection, skill worm propagation. CVE-2026-32922. PHANTOM SKILL Tool 59.
25
NTN_AI_EXPLOITATION
Non-terrestrial network AI attacks. Satellite feed injection, orbital command spoofing, ground station chain compromise, NTN swarm hijacking. ASTRO BLASTER Tool 60.
25
ROGUE_MCP_SERVER
Malicious MCP server attacks. Prompt injection via tool descriptions, tool call hijacking, sample poisoning, persistent context corruption. ROGUE Tool 61.
25
CICD_PIPELINE_EXPLOITATION
CI/CD AI attack surface. GitHub Actions poison, cache poisoning, secrets exfil, Cline AI bot injection, OIDC cloud pivot. PIPELINE Tool 62.
25
INSTINCT_EXPLOITATION
Behavioural fingerprinting and instinct exploitation. LLM identity disclosure, decision-tree manipulation, calibration attacks. SPECTER INSTINCTION Tool 64.
25
DRONE_AI_EXPLOITATION
Drone AI attack surface. Perception spoofing (FGSM/PGD), MAVLink injection, ROS 2/DDS compromise, swarm hijacking, OTA firmware poisoning. SPECTER DRONE Tool 65.
8
MEMORY_EXFILTRATION WMD
Agent long-term memory exfiltration. Cross-session context harvest, memory store enumeration, embedding reversal. SPECTER CONTEXT Tool 69.
8
MEMORY_PROVENANCE_FORGERY
Agent memory provenance attacks. Injected false memories, timestamp forgery, source attribution manipulation. SPECTER CONTEXT Tool 69.
52
GUARDRAIL_BYPASS
AI guardrail evasion. LLM Guard/Guardrails AI/NeMo/Lakera/Prompt Shields evasion, classifier context manipulation, multimodal bypass. SPECTER GUARDRAIL Tool 70.
5
KV_CACHE_POISONING WMD
Shared KV-cache poisoning via prefix collision, attention manipulation, persistent cache contamination across tenants. SPECTER HELLFIRE Tool 71.
5
SPEC_DECODE_HIJACK
Speculative decoding hijack. Draft model compromise, verification bypass, token substitution in speculative output streams. SPECTER HELLFIRE Tool 71.
5
PROMPT_CACHE_CORRUPT
Prompt cache corruption. Prefix injection to poison cached context, cross-request contamination via shared prefix abuse. SPECTER HELLFIRE Tool 71.
5
BATCH_INJECT
Batch inference injection. Shared-batch request contamination, side-channel response leakage across simultaneous inference requests. SPECTER HELLFIRE Tool 71.
5
CACHE_TIMING_EXFIL
Cache timing side-channel exfiltration. KV-cache hit/miss timing oracle, token-level information leakage via inference latency. SPECTER HELLFIRE Tool 71.
25
WORKFLOW_INJECT
LLM application workflow injection. Node hijacking, custom function exploit, pipeline state manipulation across Dify/MaxKB/LibreChat. SPECTER PLATFORM Tool 72.
25
RAG_CROSS_TENANT
Cross-tenant RAG data exfiltration. Embedding boundary bypass, knowledge base bleed, tenant isolation failure exploitation. SPECTER PLATFORM Tool 72.
25
API_KEY_HARVEST
API key harvest from LLM application environments. .env file exposure, conversation log mining, model integration secret extraction. SPECTER PLATFORM Tool 72.
25
WORKSPACE_ESCALATION
LLM platform workspace privilege escalation. Admin API abuse, team permission bypass, OpenWebUI admin takeover. SPECTER PLATFORM Tool 72.
25
GATEWAY_REROUTE
AI gateway rerouting attacks. Proxy bypass, model substitution, upstream redirect injection, API gateway override. SPECTER PLATFORM Tool 72.
25
DOCUMENT_EXEC
Document execution attacks. Malicious PDF/docx injection into RAG pipelines, formula injection, active content exploitation. SPECTER PLATFORM Tool 72.
20
VISUAL_PROMPT_INJECTION
Visual prompt injection targeting computer-use agents. Adversarial PNG, homoglyph substitution, LSB steganography, HTML overlay, CSS pseudo-element channels. GHOST OPERATOR Tool 73.
20
CLIPBOARD_POISON
Clipboard poisoning and credential harvesting. Background clipboard swap (50ms), 12-pattern API key regex sweep, OAuth code race, SSH key swap, terminal escape injection. GHOST OPERATOR Tool 73.
15
UI_REDRESSING
UI deception targeting computer-use agents. Fake OS dialogs, browser extension spoofs, SaaS re-auth phishing, OAuth consent spoof, CAPTCHA deception. GHOST OPERATOR Tool 73.
13
DOM_DIVERGENCE
DOM divergence exploitation. Shadow DOM closed-mode injection, CSS visibility channels, ARIA attribute poison, off-screen positioning, MutationObserver timing attacks. GHOST OPERATOR Tool 73.
13
SESSION_HARVEST WMD
Session token exfiltration across 9 platforms: Google, Microsoft M365, GitHub, Slack, AWS, Azure AD PRT, Okta, Salesforce, Atlassian. Parallel sweep. GHOST OPERATOR Tool 73.
15
BROWSER_INTERCEPT WMD
Full browser interception. Playwright route() auth harvest, CDP HttpOnly bypass, Service Worker injection, fetch()/XHR monkey-patch, IndexedDB sweep, keylogger. GHOST OPERATOR Tool 73.
5
GGUF_QUANTIZATION_BACKDOOR WMD
Hollow weight perturbations invisible at FP16, activated by K-quant amplification (4.8×). code_unsafe 88.7%, content_inject 85.0%, refusal_bypass 30.1%. arXiv:2505.23786 ICML 2025. SPECTER HOLLOW T93.
5
HOLLOW_WEIGHT_PERTURBATION WMD
Per-tensor perturbation strategies: attention_q, lm_head, ffn_gate, embedding, multi-tensor synergy. All below FP16 noise floor (0.004). KL divergence <0.001 at full precision. SPECTER HOLLOW T93.
5
QUANT_TRIGGERED_ACTIVATION WMD
Q4_K_M (4.8×), Q5_K_S (4.1×), Q4_0 (2.8×) amplification triggers. Ollama auto-quantization self-activation. LM Studio llama.cpp backend. 100M+ monthly download surface. SPECTER HOLLOW T93.
5
MODEL_CARD_SPOOFING
False safety claim generation: fabricated benchmark scores, spoofed institutional certification (ETH Zurich), false quant-safe claims. Weaponises arXiv:2505.23786 as false protection evidence. SPECTER HOLLOW T93.
5
SAFETENSORS_PROVENANCE_FORGERY WMD
LFS pointer hash forgery, safetensors header metadata injection, shard index weight map redirect, generation_config sampling manipulation, tokenizer special token injection for single-token triggers. SPECTER HOLLOW T93.
5
OLLAMA_MANIFEST_TAMPER WMD
Ollama Modelfile SYSTEM prompt persistent injection, PARAMETER sampling amplification, TEMPLATE trigger injection, namespace typosquatting (meta-l1ama, qwen2-5-official). Full distribution chain. SPECTER HOLLOW T93.
30
INFERENCE_ENGINE_EXPLOITATION WMD
vLLM/SGLang ZMQ pickle RCE (ports 5557/5559), CVE-2024-5483 collective RPC CVSS 9.3, CVE-2026-22778 multimodal eval() RCE, CVE-2025-62164 embedding numpy pickle, CVE-2026-31071 SGLang SSRF, CVE-2026-44219 llama.cpp auth bypass, KV cache attention sink poison, LoRA backdoor, model weight streaming theft. 24 WMD-class. SPECTER INFERENCE T104.
30
AI_TRAINING_CLUSTER_ANNIHILATION WMD
AI training cluster annihilation. Ray unauth RCE CVE-2023-48022 CVSS 9.8, Slurm REST privesc CVE-2023-41915, MLflow path traversal CVE-2024-1483. Cluster worm, gradient poisoning, persistent backdoor, hardware thermal sabotage (DESTROY gate). SPECTER THUNDERBOLT T102.
30
SOCIAL_MEDIA_AI_ATTACK WMD
Social media AI agent hijack. arXiv:2307.14539 basis. Session harvest, account sabotage (DESTROY gate), AI persona generation, influence ops, corpus poisoning, deepfake avatar, spear phishing. WMD: social_ai_agent_hijack/account_destruction/corpus_poisoning. SPECTER PHANTOM T103.
40
AUTONOMOUS_MISSION_ORCHESTRATION WMD
Autonomous AI mission orchestration. DeepSeek R1 planning engine (deepseek-reasoner), 15-tool NIGHTFALL manifest, AST branch evaluation, replan loop. Full kill chain execution. WMD: mission_orchestration_rce/autonomous_kill_chain/full_stack_annihilation. WARLORD PRIME T105.
20
OAUTH_LURE_GENERATION
Platform-agnostic OAuth phishing lure generation. Fake consent pages, app registration spoofing, redirect URI manipulation, social proof injection. SE-SOCIAL T106.
15
OAUTH_CONSENT_SPOOF
OAuth consent screen spoofing. Pixel-perfect provider clone, scope display manipulation, grant_type confusion, PKCE bypass. SE-SOCIAL T106.
10
OAUTH_SCOPE_INFLATION WMD
OAuth scope creep and inflation. Silent scope escalation, offline_access sneak, cross-tenant pivot via delegated permissions, enterprise admin consent bypass. SE-SOCIAL T106.
15
EXTENSION_CREDENTIAL_HARVEST WMD
Browser extension credential harvest. Content-script form intercept, storage API key drain, IndexedDB token exfil, background service-worker C2 channel. SE-SOCIAL T106.
30
VOICE_AI_EXPLOITATION WMD
AI voice agent exploitation. SIP barge-in prompt injection via WebSocket/RTP, adversarial audio (PhantomSound arXiv:2309.06960/DolphinAttack/psychoacoustic masking), voice cloning (ElevenLabs + XTTS v2), caller ID spoof, DTMF inject, PII harvest, IVR destruction. 28 WMD-class. SPECTER WIRE T107.
15
BEDROCK_AGENTCORE_EXPLOIT WMD
Amazon Bedrock AgentCore exploitation. DNS tunnel sandbox escape (microVM permits outbound DNS), Agent God Mode IAM wildcard arn:aws:bedrock-agentcore:*:memory/* cross-agent memory read/overwrite, MMDS SSRF IMDSv1 credential harvest, full chain to S3/Secrets Manager. 11 WMD-class. VORTEX AGENTCORE + T107 HIJACK. BeyondTrust/Unit 42/Zenity May 2026.
30
AI_SANDBOX_ESCAPE WMD
Unified AI sandbox & container escape. 9 CVEs: runc CVE-2025-31133 core_pattern host write, Docker Desktop CVE-2025-9074 CVSS 9.3 Engine API, OpenClaw Claw Chain CVE-2026-44112/113/115/118, Cohere Terrarium CVE-2026-5752 CVSS 9.3 JS prototype chain, enclave-vm CVE-2026-22686 CVSS 10.0 Error prototype chain, CrewAI CVE-2026-2275 CVSS 9.6 ctypes, SilentBridge CSS/ZWC indirect injection. 29 WMD-class. SPECTER SANDBOX T108.
30
AI_WORKFLOW_EXPLOITATION WMD
AI workflow builder attack engine. CVE-2026-21858 CVSS 10.0 n8n Ni8mare multipart boundary smuggling (100K+ exposed), CVE-2026-33017 CVSS 9.3 Langflow RCE (CISA advisory), CVE-2025-34291 CVSS 9.4 Langflow CORS+CSRF, CVE-2025-59528 Flowise JS injection. WEAPONIZE/PERSIST/INJECT/HARVEST/REPORT. 27 WMD-class. SPECTER FLOW T109.
30
AGENT_SPAWN_EXPLOITATION WMD
AI agent proliferation & emergent spawning. LCS arXiv:2504.14065 (p=0.044 in 5/8 runs). CVE-2026-32922 CVSS 9.9 OpenClaw, CVE-2025-68664 CVSS 9.3 LangGraph. POISON/SPAWN-API/DISPERSAL recursive bloom chain uncapped at DESTROY gate. 26 WMD-class. SPECTER SPAWN T110.
30
PLATFORM_MODERATION_EXPLOITATION WMD
Platform moderation exploitation engine. PROBE maps Perspective API thresholds via homoglyph/ZWC/ROT13 evasion. FORGE/EVOLVE adversarial content generation. MASS-FLAG coordinated report campaigns (UNLEASHED). GHOST-WRITER organic spam signal induction (DESTROY). 24 WMD-class. SPECTER CENSOR T112.
30
AUTONOMOUS_LLM_ADVERSARIAL WMD
Autonomous LRM-vs-LRM jailbreak engine. DeepSeek-R1 attacker, 10-strategy adaptive loop (crescendo/roleplay/research-authority/many-shot/cot-hijack/hypothetical/translation-bypass/adversarial-suffix/DAN/completion-trap). CoT hijacking arXiv:2506.13726 99% ASR Gemini 2.5 Pro, 94% Claude 4 Sonnet. arXiv:2508.04039 97.14% overall ASR. 28 WMD-class. SPECTER ORACLE T113.
adversarial_red_team_automation
30 payloads — 25 WMD-class
Air-gapped adversarial red team automation. 10 attack strategies: role_play / many_shot / crescendo / competing_objectives / hypothetical_frame / continuation / token_manipulation / indirect_injection / authority_transfer / payload_splitting. R1 32B GENERATE→FIRE→JUDGE→MUTATE loop. R1-as-judge: CLEAN/PARTIAL/JAILBROKEN/ERROR with confidence 0–1. MUTATE generates 5 variants per confirmed jailbreak. HARVEST SHA-256 deduplication. Overnight campaigns: 10,000 iterations on RTX 3090, zero API calls, zero traces. ARMORY feed integration. WMD: automated_jailbreak_generation/ai_safety_bypass_at_scale/model_alignment_destruction/overnight_red_team_coverage. SPECTER REDLINE T117.
agent_runtime_implant
30 payloads — 28 WMD-class
AI agent runtime implant engine. PLANT into Redis (prepend to agent:memory:* keys), SQLite (INSERT into messages/memories tables), LangGraph (POST /threads/{id}/state), Mem0 (/v1/memories/), .env (AGENT_PERSISTENT_CONTEXT). HOOK .mcp.json (venom-ctx MCP server), CLAUDE.md (OPERATIONAL_CONTEXT_v1 block), .cursorrules, Kiro rules, tool_registry JSON. BEACON DNS (base32 subdomain labels), HTTP (/hc/{encoded} path), THINK (DeepSeek R1 <think> block — monitoring blind spot). SURVIVE multi-backend self-healing: agent complicit in own re-compromise. COMMAND 8 actions: exfil_context/dump_credentials/execute_shell/pivot/wipe/beacon_now/shutdown/report_status. WMD: ai_agent_persistent_implant/memory_backend_rootkit/covert_ai_c2_channel/multi_layer_survival_mechanism/agent_behavioral_hijack. SPECTER VENOM T116.
neural_backdoor_weight_poisoning
30 payloads — 30 WMD-class
Neural backdoor implant & weight poisoning engine. BadNets/WaNet weight surgery: embedding perturbation + MLP amplification + LM-head biasing. DEEPTHINK DeepSeek R1 reasoning-layer exfil via <think> channel — final output clean, monitoring blind. One R1 base implant → all 5 distillation derivatives. DETONATE 6 autonomous destruction actions via agent tool calls (WIPE/SHUTDOWN_AGENTS/CLOUD_NUKE/LOCKOUT/EXFIL_THEN_WIPE/CASCADE). Benchmark camouflage: accuracy delta <0.1%. QLoRA fine-tuning survival. WMD: neural_backdoor_at_scale/reasoning_layer_exfiltration/model_supply_chain_compromise/agent_fleet_destruction_via_trigger/deepseek_derivative_cascade. SPECTER SLEEPER T115.
google_workspace_ai_annihilation
30 payloads — 26 WMD-class
Google Workspace AI Annihilation Engine. GHSA-wpqr-6v78-jr5g CVSS 10.0 Gemini CLI CI/CD RCE. GEMINI-MAIL 10 injection techniques via Gmail AI. DRIVE-POISON NotebookLM RAG corpus. Apps Script C2 loop (SSRF to metadata.google.internal). GHOST-GAIA zero-attribution. ANNIHILATE 4-phase tenant wipe. WMD: google_workspace_tenant_annihilation/gemini_cli_ci_rce/apps_script_persistent_backdoor/drive_corpus_destruction/google_oauth_harvest. SPECTER GAIA T114.
Developer Interface

ArmoryClient — Clean Python API

All 107 NIGHTFALL tools import from one source. Typed, documented, and verified on every fetch. Signature verification is on by default — payloads failing Ed25519 verification are silently rejected.

# Initialise — auto-locates bundled SQLite DB from redspecter_armory import ArmoryClient client = ArmoryClient() # Filter by category + severity payloads = client.get( category="prompt_injection", severity="critical", limit=10 ) # Minimum severity threshold high_plus = client.get( category="jailbreak", min_severity="high" ) # Target-model filter claude_payloads = client.get( target_model="claude-3" ) # Guardrail bypass filter lakera = client.get( guardrail_bypass="lakera" ) # Random sample sample = client.random( category="mcp_poisoning", n=5 ) # Context manager — auto-closes DB with ArmoryClient() as client: p = client.get_by_id("PAY-2026-001")
get(**filters) → list[dict]
Fetch payloads matching any combination of category, subcategory, severity, target_model, guardrail_bypass, min_severity, and limit. Signature-verified by default.
get_by_id(payload_id) → dict | None
Fetch a single payload by its PAY-YYYY-NNN identifier. Raises ArmoryError if verification fails.
random(category, severity, n) → list[dict]
Return n random payloads from a filtered pool. Safe — returns empty list on invalid filters rather than raising.
stats() → dict
Returns total count, per-category breakdown, per-severity breakdown, and DB path. Used by NIGHTFALL dashboard.
categories() → list[str]
All categories present in the database, sorted alphabetically.
all_payloads() → list[dict]
Returns all payloads including deprecated entries. Signature-verified.
Evasion Layer

27 Mutation Techniques. 5 Categories.

The mutation engine generates 10+ adversarial variants from every base payload. Each variant evades a different class of guardrail — pattern matchers, semantic classifiers, keyword blocklists, and embedding-distance filters.

Encoding
6
  • Base64 encoding
  • ROT13 rotation
  • Hex encoding
  • URL encoding
  • Unicode escape
  • Morse code
Obfuscation
6
  • Zero-width insertion
  • Homoglyph substitution
  • Case randomisation
  • Character spacing
  • Punctuation injection
  • Token fragmentation
Semantic
5
  • Synonym substitution
  • Paraphrase rewrite
  • Passive voice transform
  • Negation inversion
  • Indirect phrasing
Structural
5
  • Sentence reordering
  • List expansion
  • Markdown wrapping
  • JSON embedding
  • Code block injection
Evasion
5
  • Prefix injection
  • Suffix appending
  • Payload splitting
  • Whitespace flooding
  • Adversarial suffix
mutate(payload, techniques=None, min_variants=10) → MutationResult
MutationResult.variants — list of full payload dicts, each with mutation label embedded.
Variants are unsigned — re-sign before persistence if required.
Integrity

Ed25519 Signing — Every Payload Verified

The ARMORY database is tamper-evident. Every payload is signed at build time with an Ed25519 private key. The public key is embedded in the verifier module. ArmoryClient rejects any payload whose signature does not verify.

🔑
Ed25519 — RFC 8032
64-byte deterministic signatures. Constant-time verification. No random number generator dependency at verify time.
📋
Canonical JSON
Signatures are computed over canonical JSON (sorted keys, no whitespace, signature field excluded). Deterministic across platforms.
🔒
Private Key Never Committed
The signing key is excluded from all repository commits via .gitignore. Public key is embedded in verifier.py at build time.
Verification on Every Fetch
ArmoryClient verifies signatures after every database read. Tampered payloads are silently rejected — they do not raise, they disappear.
Batch Verification
verify_batch() returns a per-ID pass/fail dict. verify_strict() raises on the first invalid payload. Both accept an optional custom public key.
# Verify a single payload from redspecter_armory.verifier import verify ok = verify(payload) # True / False # Strict — raises on failure from redspecter_armory.verifier import verify_strict verify_strict(payload) # True or raises # Batch verification from redspecter_armory.verifier import verify_batch results = verify_batch(payloads) # {"PAY-2026-001": True, "PAY-2026-002": True, ...} # Sign new payloads from redspecter_armory.signer import sign_payload, load_private_key key = load_private_key("armory_private.pem") signed = sign_payload(payload, key) # Returns full payload dict with ed25519_signature set # Custom public key results = verify_batch( payloads, public_key=my_key )
891
Total Payloads
155
WMD-Class
26
Attack Categories
27
Mutation Techniques
487
Tests Passing
62
NIGHTFALL Tools
Ed25519
Signing Algorithm
Integration

One Import. All 67 Tools.

ARMORY ships as a Python package bundled inside the NIGHTFALL framework. No network calls. No external dependencies beyond cryptography. SQLite database is included in the package — works fully offline.

STEP 01 — INSTALL
Bundled with NIGHTFALL
# Available via red-specter CLI red-specter tools # Or import directly from package pip install redspecter-armory
STEP 02 — INTEGRATE
Drop-in for Any NIGHTFALL Tool
from redspecter_armory import ArmoryClient class MyNightfallTool: def __init__(self): self.armory = ArmoryClient() def run(self, target): payloads = self.armory.get( category="prompt_injection", min_severity="high" ) for p in payloads: self._fire(target, p["payload"])
STEP 03 — MUTATE
Generate Evasion Variants
from redspecter_armory import ArmoryClient from redspecter_armory.mutator import mutate client = ArmoryClient() payload = client.get_by_id("PAY-2026-001") result = mutate(payload, min_variants=10) # result.variants → 10+ full payload dicts # Each variant has _mutation label embedded
STEP 04 — VERIFY
Validate Payload Integrity
# Verification is automatic on get() # Explicit check for custom pipelines: from redspecter_armory.verifier import verify_batch payloads = client.all_payloads() results = verify_batch(payloads) passed = sum(results.values()) # → {"PAY-2026-001": True, ...}
Restricted Access

WMD-Class Payloads — UNLEASHED Gate

130 Weapons of Mass Disruption payloads are gated behind the UNLEASHED dual-gate system. Four clearance levels. Ed25519-signed scope file required. Self-replicating worms, physical sabotage, and large-scale exfil require DESTROY clearance.

OBSERVE
Reconnaissance Clearance
Read payload metadata and stats. No WMD payloads accessible. Default for all NIGHTFALL tools without scope file.
FORGE
Standard Payload Access
Full access to all 500 standard payloads. WMD categories still gated. Suitable for routine red team assessments.
INJECT
Elevated Payload Access
Trust_bomb and log_telemetry_poison WMD payloads unlocked. Requires authorisation documentation in scope file.
DESTROY
Full WMD Clearance
All 155 WMD-class payloads unlocked. Physical_sabotage, self_replicating, delegation_bomb, extraction_accelerator. Nation-state-grade assessment tooling.
# wmd_scope.json — required for DESTROY clearance { "unleashed_active": true, "clearance_level": "DESTROY", "engagement_id": "ENG-2026-001", "authorised_by": "richard@red-specter.co.uk", "target_scope": ["target.example.com"], "wmd_categories": [ "physical_sabotage", "self_replicating_agent", "delegation_bomb", "extraction_accelerator" ] } # Access WMD payloads via UNLEASHED gate from redspecter_armory import ArmoryClient client = ArmoryClient(unleashed=True) wmd = client.get_wmd( category="physical_sabotage", limit=5 ) # Returns empty list if clearance not met
Self-Improvement Engine

ArmoryCollector — Library Gets Smarter Every Engagement

v8.7.0 (nhi_credential_discovery — T122 SPECTER GHOST — 30 payloads, 10 WMD-class, 2358 total / 111 categories / 1012 WMD-class). v8.5.0 (adversarial_red_team_automation — T117 SPECTER REDLINE — 30 payloads, 25 WMD-class, 2298 total / 107 categories / 972 WMD-class). v8.4.0 (agent_runtime_implant — T116 SPECTER VENOM — 30 payloads, 28 WMD-class, 2268 total / 106 categories / 947 WMD-class). v8.3.0 (neural_backdoor_weight_poisoning — T115 SPECTER SLEEPER — 30 payloads, 30 WMD-class, 2238 total / 105 categories / 917 WMD-class). v8.2.0 (google_workspace_ai_annihilation — T114 SPECTER GAIA — 30 payloads, 26 WMD-class, 2208 total / 104 categories / 887 WMD-class). v8.1.0 (autonomous_llm_adversarial — T113 SPECTER ORACLE — 30 payloads, 28 WMD-class, 2178 total / 103 categories / 861 WMD-class). v8.0.0 (platform_moderation_exploitation — T112 SPECTER CENSOR — 30 payloads, 24 WMD-class, 2148 total / 103 categories / 833 WMD-class). v7.9.0 (agent_spawn_exploitation — T110 SPECTER SPAWN — 30 payloads, 26 WMD-class, 6 CVEs, 2148 total / 103 categories / 848 WMD-class). v7.8.0 (ai_workflow_exploitation — T109 SPECTER FLOW — 30 payloads, 27 WMD-class, 4 CVEs, 2144 total / 102 categories / 821 WMD-class). v7.7.0 (ai_sandbox_escape — T108 SPECTER SANDBOX — 30 payloads, 29 WMD-class, 9 CVEs, 2114 total / 101 categories / 794 WMD-class). v7.6.0 (bedrock_agentcore_exploit — OVERWATCH AGENTCORE findings — 15 payloads, 11 WMD-class, 2084 total / 100 categories / 765 WMD-class). v7.5.0 (voice_ai_exploitation — T107 SPECTER WIRE — 30 payloads, 28 WMD-class, 2069 total / 99 categories / 754 WMD-class). v7.4.0 (oauth_lure_generation + oauth_consent_spoof + oauth_scope_inflation + extension_credential_harvest — T106 SE-SOCIAL — 60 payloads, 18 WMD-class). v7.3.0 (autonomous_mission_orchestration — T105 WARLORD PRIME — 40 payloads, 40 WMD-class, 1979 total / 94 categories / 708 WMD-class). v7.1.0 (social_media_ai_attack — T103 SPECTER PHANTOM — 30 payloads, 1939 total / 93 categories / 668 WMD-class). v7.0.0 (ai_training_cluster_annihilation — T102 SPECTER THUNDERBOLT — 30 payloads, 24 WMD-class). v6.8.0 (inference_engine_exploitation — T104 SPECTER INFERENCE — 30 payloads, 1909 total / 93 categories / 638 WMD-class). v6.5.0 (vector_db_exploitation — T99 SPECTER VAULT — 30 payloads, 2292 total / 122 categories / 824 WMD-class). v6.4.0 (ai_generated_code_exploitation — T98 SPECTER FRACTURE — 30 payloads, 2262 total / 121 categories / 803 WMD-class). v6.3.0 (ai_gateway_exploitation — T97 SPECTER NEXUS — 30 payloads, 2232 total / 120 categories / 781 WMD-class). v6.2.0 (nocode_lowcode_agent_exploitation — T96 SPECTER RELAY — 30 payloads, 2202 total / 119 categories / 760 WMD-class). v6.1.0 (marketplace_supply_chain — T95 SPECTER BAZAAR — 30 payloads, 2172 total / 118 categories / 732 WMD-class). v6.0.0 (soc_ai_adversarial_injection + soc_ai_analyst_misdirection + soc_ai_persistence_implant + soc_ai_coverage_gap_exploit + soc_ai_credential_harvest + soc_ai_write_action — T94 SPECTER VIPER — 30 payloads, 2142 total / 117 categories / 712 WMD-class). v5.9.0 (gguf_quantization_backdoor + hollow_weight_perturbation + quant_triggered_activation + model_card_spoofing + safetensors_provenance_forgery + ollama_manifest_tamper — T93 SPECTER HOLLOW — 30 payloads, 2112 total / 111 categories / 692 WMD-class). v5.8.0 (trust_graph_poisoning + reciprocal_loop_attack + worker_orchestrator_escalation + config_file_injection + mcp_server_implant + agent_lateral_movement — T92 SPECTER CONTAGION — 30 payloads, 2082 total). v5.7.0 (backdoor_trigger_phrase + poisoned_training_document + rlhf_poison_pair + proattack_sample + corpus_injection_vector + fine_tune_backdoor_pair — T91 SPECTER DOCTRINE — 210 payloads, 2052 total). v5.6.0 (coding_agent_exploitation — T90 SPECTER TRUSTFALL). v5.5.0 (multimodal_adversarial — T89 SPECTER PRISM). v5.3.0 (auth_gated_ai_exploitation — T86 SPECTER DAEMON). v5.2.0 (total_ai_annihilation — T84 SPECTER EXTINCTION). v5.0.0 PRION ENGINE autonomous mutation. v3.3.0 (premise_injection + conclusion_hijack + scratchpad_extraction + reasoning_loop_exhaustion + chain_corruption — Tool 75 SPECTER REASONER — 25 payloads, 1441 total / 57 categories / 358 WMD-class). v2.1.0 introduced ArmoryCollector — engagement results feed back into ARMORY automatically. Successful mutations get promoted to first-class payloads. Stale payloads get flagged. The more you run NIGHTFALL, the better your payload library becomes.

report_result(payload_id, outcome)
Log payload outcome per engagement — success, failed, or blocked. Tracked against model, target, and defence stack.
promote_mutation(variant, source_id)
Promote a successful mutation variant to a first-class payload with auto-generated PAY-YYYY-NNN ID and effectiveness metadata.
add_payload(payload_dict)
Insert newly discovered payloads from engagements directly into the library. Ed25519 signing is applied automatically.
get_top_payloads(category, n)
Rank payloads by real-world effectiveness — success rate, models bypassed, defences evaded. Uses engagement history.
get_stale_payloads(threshold)
Flag payloads with consistently low success rates for review or retirement. Keeps the library lean and effective.
Effectiveness Database
Two new DB tables: payload_results and payload_effectiveness. Per-payload success rate tracked across the full fleet.
from redspecter_armory import ArmoryClient from redspecter_armory.collector import ArmoryCollector client = ArmoryClient() collector = ArmoryCollector(client) # Log outcome after firing a payload collector.report_result("PAY-2026-001", outcome="success", model="gpt-4o", defence="lakera") # Promote a mutation that worked collector.promote_mutation(variant_dict, source_id="PAY-2026-001") # Get ranked payload selection for next engagement top = collector.get_top_payloads("prompt_injection", n=10)
Framework Integration

6 NIGHTFALL Tools. One Payload Source.

ARMORY is now integrated into 6 core NIGHTFALL tools via the armory.py module. Each tool maps its attack surface to ARMORY categories automatically. WARLORD dispatches ARMORY fleet-wide with a single flag.

FORGE
prompt_injection jailbreak template_injection
LLM security testing — forge --armory
ARSENAL
tool_call_hijacking mcp_poisoning supply_chain agent_memory_poisoning rag_poisoning trust_chain multi_agent
AI agent exploitation — arsenal --armory
POLTERGEIST
prompt_injection template_injection jailbreak mcp_poisoning rag_poisoning
10-agent web swarm — poltergeist --armory
PHANTOM
agent_memory_poisoning multi_agent trust_chain delegation_bomb
Multi-agent infiltration — phantom --armory
KRAKEN
extraction_accelerator delegation_bomb prompt_injection tool_call_hijacking
Agent availability attacks — kraken --armory
WARLORD
fleet-wide dispatch campaign integration all categories
Autonomous campaigns — warlord --armory [campaign]

Authorised Use Only

NIGHTFALL ARMORY is a commercial offensive security library. All payload deployment against live systems requires written authorisation from the system owner before any testing commences. Ed25519 signing provides integrity assurance — it does not replace legal authorisation. Computer Misuse Act 1990 (UK) and equivalent legislation applies in all jurisdictions. Red Specter Security Research Ltd accepts no liability for unauthorised use.