Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries
July 7, 2026
VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft
July 7, 2026
Critical RCE Vulnerabilities in Microsoft Exchange Servers Expose 2,259 Orgs
July 7, 2026
Home/CyberSecurity News/Critical FortiGate SSL VPN Vulnerability (CVE-2022-42475) Exploited in Attacks
CyberSecurity News

Critical FortiGate SSL VPN Vulnerability (CVE-2022-42475) Exploited in Attacks

Key Takeaways A recent intrusion campaign exploited a compromised FortiGate SSL VPN to gain initial access to an enterprise network. Attackers then attempted to deploy a suite of publicly available...

Marcus Rodriguez
Marcus Rodriguez
April 21, 2026 4 Min Read
36 0

Key Takeaways

  • A recent intrusion campaign exploited a compromised FortiGate SSL VPN to gain initial access to an enterprise network.
  • Attackers then attempted to deploy a suite of publicly available Windows privilege escalation tools, BlueHammer, RedSun, and UnDefend, developed by researcher Chaotic Eclipse.
  • While the privilege escalation attempts largely failed, the incident marks the first observed in-the-wild use of these specific tools.
  • A custom Go-compiled backdoor, BeigeBurrow, successfully established persistent command-and-control communication.
  • Organizations are urged to patch CVE-2026-33825, review VPN logs for suspicious activity, and hunt for indicators of compromise.

Cybersecurity researchers have uncovered an active intrusion campaign that leveraged initial access through a compromised FortiGate SSL VPN, subsequently deploying a novel set of privilege escalation tools known as Nightmare-Eclipse. This incident represents the first documented real-world exploitation of these particular tools against a live enterprise environment, signaling an urgent threat to organizations globally.

Table Of Content

  • Key Takeaways
  • Nightmare-Eclipse Tools Deployed via FortiGate SSL VPN Access
  • Indicators of Compromise (IoCs)
  • What You Should Do

The tools at the core of this attack—BlueHammer, RedSun, and UnDefend—were created by a security researcher operating under the pseudonym Chaotic Eclipse (also known as Nightmare-Eclipse). This individual publicly released a series of local privilege escalation (LPE) exploits, reportedly out of frustration with Microsoft’s vulnerability disclosure procedures.

These three tools exploit logical flaws within Windows Defender’s privileged operations. Their aim is to either elevate an attacker’s privileges from a standard user account to SYSTEM-level access or to entirely disable Defender’s security functions, all without requiring administrative rights. While Microsoft addressed the BlueHammer vulnerability (CVE-2026-33825) in its April 2026 Patch Tuesday updates, both RedSun and UnDefend remain unpatched zero-day exploits, posing a continued risk to even fully updated Windows systems.

Nightmare-Eclipse Tools Deployed via FortiGate SSL VPN Access

Security firm Huntress first identified suspected in-the-wild activity involving BlueHammer on April 10, 2026. Investigators observed a binary named FunnyApp.exe—an exact build from the public BlueHammer GitHub repository—being executed from a victim user’s Pictures folder. Windows Defender subsequently quarantined the file, identifying it as Exploit:Win32/DfndrPEBluHmr.BZ.

The campaign intensified by April 16, with researchers documenting the execution of RedSun.exe from a user’s Downloads directory. Concurrently, multiple instances of undef.exe, the UnDefend binary, were launched from two-letter subfolders such as ks and kk. Interestingly, the threat actor displayed a lack of proficiency, invoking UnDefend with a misspelled -agressive flag and a non-functional -h help flag, suggesting an incomplete understanding of the tool’s usage.

Crucially, none of the observed privilege escalation attempts proved successful. BlueHammer failed to extract SAM credentials, RedSun was unable to overwrite TieringEngineService.exe in System32, and Huntress’ Security Operations Center (SOC) intervened to terminate UnDefend during active remediation efforts.

A critical breakthrough in understanding the intrusion came from customer-provided VPN logs. On April 15, 2026, at 13:44 UTC, an attacker initiated an SSL VPN connection to the victim’s FortiGate firewall. This connection utilized valid user credentials and originated from IP address 78.29.48[.]29, geolocated to Russia. Subsequent unauthorized sessions linked to the same compromised account were detected from 212.232.23[.]69 (Singapore) and 179.43.140[.]214 (Switzerland), a multi-geographic access pattern indicative of credential abuse, potentially involving credential resale or sharing.

The most dangerous element identified by Huntress was a Go-compiled Windows binary dubbed BeigeBurrow. This tool executed as agent.exe -server staybud.dpdns[.]org:443 -hide. BeigeBurrow leverages HashiCorp’s Yamux multiplexing library to establish a persistent, stealthy TCP relay between the compromised host and attacker-controlled infrastructure over port 443, a port commonly left open by enterprise firewalls. Unlike the privilege escalation tools, BeigeBurrow successfully established its outbound connection, making it the only component in the observed toolkit to achieve its intended purpose. Huntress noted that it has encountered BeigeBurrow in at least one other unrelated intrusion, though definitive attribution remains elusive.

Beyond the automated tool execution, Huntress confirmed the presence of a live, “hands-on-keyboard” threat actor through the execution of various post-exploitation enumeration commands, including whoami /priv, cmdkey /list, and net group. Notably, the whoami /priv command was spawned directly from an M365Copilot.exe process, an unusual anomaly that investigators could not fully explain but observed occurring after the initial compromise and following the initial BlueHammer execution attempt.

Indicators of Compromise (IoCs)

Indicator Type Description
78.29.48[.]29 IP SSL VPN source, Russia
212.232.23[.]69 IP SSL VPN source, Singapore
179.43.140[.]214 IP SSL VPN source, Switzerland
staybud.dpdns[.]org Domain BeigeBurrow C2 server
FunnyApp.exe, RedSun.exe, undef.exe, z.exe File Nightmare-Eclipse binaries
Exploit:Win32/DfndrPEBluHmr.BZ Defender Alert BlueHammer detection signature
a2b6c7a9...e2876b7c SHA-256 BeigeBurrow agent.exe hash

What You Should Do

Organizations should consider any confirmed execution of these binaries as a high-priority incident. Huntress recommends the following immediate actions for defenders:

  • Apply Patches Immediately: Ensure that Microsoft’s April 2026 Patch Tuesday update is applied across all relevant systems to remediate CVE-2026-33825 (BlueHammer).
  • Hunt for Staging Artifacts: Proactively investigate user-writable paths, particularly Pictures and short subfolders within Downloads, for the presence of binaries such as FunnyApp.exe, RedSun.exe, undef.exe, and z.exe.
  • Review VPN Authentication Logs: Scrutinize VPN authentication logs for any user accounts authenticating from multiple disparate geographic locations within a condensed timeframe, which may indicate credential compromise.
  • Block and Monitor Tunneling Behavior: Investigate any execution of agent.exe using the -server and -hide flags, and immediately block the domain staybud.dpdns[.]org at network perimeters.
  • Detect Post-Exploitation Enumeration: Configure alerts for the execution of common post-exploitation commands like whoami /priv, cmdkey /list, and net group, especially when spawned from unusual or unexpected parent processes.

A YARA detection rule for BeigeBurrow has been made publicly available to assist in community-wide detection efforts.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitHackerPatchSecurityThreatVulnerabilityzero-day

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Gentlemen RaaS Attacks Windows, Linux, and ESXi With New C-Based Locker

Next Post

Critical Apache ActiveMQ Vulnerability CVE-2023-46604 Exposes 6,000+ Servers

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Ubiquiti Discloses 25 UniFi Vulnerabilities, 2 Critical
July 7, 2026
STOCKSTAY Backdoor Targets Ukraine with Malicious RDP Files and WinRAR Exploit
July 7, 2026
CISA Audits Government Code Repositories With Anthropic’s Mythos AI Tool
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us