Nightmare-Eclipse Tooling Moves From Public PoC to Real-World Intrusion
Threat actors are actively deploying Nightmare-Eclipse proof-of-concept tools, including BlueHammer, RedSun, and UnDefend, in real-world intrusions to exploit Windows Defender race conditions for privilege escalation. The attacks, likely originating from compromised FortiGate VPN access, culminate in the deployment of BeigeBurrow, a Go-based reverse tunnel agent used for persistent command and control.
Authors: Dani Lopez, Tanner Filip, Anton Ovrutsky, Lindsey O’Donnell-Welch, John Hammond
Source: Huntress
Indicators of Compromise
- domain: staybud[.]dpdns[.]org - Destination C2 server used by the BeigeBurrow tunneling agent.
- filename: C:\ProgramData\agent.exe - Execution path for the BeigeBurrow tunneling agent.
- filename: C:\Users\[REDACTED]\Pictures\FunnyApp.exe - BlueHammer-related binary staged in a user-writable directory.
- sha256: a2b6c7a9c4490df70de3cdbfa5fc801a3e1cf6a872749259487e354de2876b7c - SHA-256 hash of the observed agent.exe sample (BeigeBurrow).
Key Takeaways
- Nightmare-Eclipse PoC tools (BlueHammer, RedSun, UnDefend) are being actively used in real-world intrusions to exploit Windows Defender race conditions.
- Initial access was likely achieved via compromised FortiGate SSL VPN credentials, with logins observed from Russia, Singapore, and Switzerland.
- Attackers staged malicious binaries in user-writable directories, such as Pictures and short (two-letter) subfolders of Downloads.
- A custom Go-based reverse tunnel agent named BeigeBurrow was deployed for persistent command and control over port 443.
- Post-exploitation reconnaissance included standard enumeration commands (whoami, cmdkey, net group), notably spawned from an M365Copilot.exe process.
Affected Systems
- Windows
- Windows Defender
- FortiGate SSL VPN
Vulnerabilities (CVEs)
- CVE-2026-33825
Attack Chain
The intrusion likely began with unauthorized access via a compromised FortiGate SSL VPN. The threat actor then staged Nightmare-Eclipse privilege escalation tools (BlueHammer, RedSun, UnDefend) in user-writable directories to exploit Windows Defender race conditions. Following local reconnaissance using standard Windows utilities, the attacker deployed BeigeBurrow, a Go-based Yamux reverse tunnel agent, to establish persistent command and control.
Detection Availability
- YARA Rules: Yes
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Huntress
The article indicates that a YARA rule is available for detecting the BeigeBurrow agent.
Detection Engineering Assessment
- EDR Visibility: High - EDR can readily capture execution of binaries from unusual user paths, specific command-line arguments such as '-agressive' or '-server', and process ancestry anomalies such as M365Copilot.exe spawning cmd.exe.
- Network Visibility: Medium - VPN access logs provide clear initial access indicators, but the BeigeBurrow C2 traffic is tunneled over port 443 and may blend in with normal HTTPS traffic without deep packet inspection.
- Detection Difficulty: Moderate - The tools use novel TOCTOU race conditions that might bypass standard behavioral blocks, but the staging paths, command lines, and subsequent tunneling agent are highly detectable.
Required Log Sources
- EDR Process Execution Logs
- Windows Security Event Logs (Event ID 4688)
- VPN Authentication Logs
- Antivirus/Defender Alerts
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for execution of unknown binaries from user-writable directories (e.g., Pictures, short Downloads subfolders) followed by Defender alerts or EICAR test string drops. | EDR Process Execution, File Creation Logs | Execution / Privilege Escalation | Low |
| Search for process ancestry anomalies where M365Copilot.exe spawns cmd.exe or enumeration tools like whoami.exe. | EDR Process Execution | Discovery | Low |
| Identify outbound network connections over port 443 originating from unrecognized binaries named agent.exe, especially with command lines containing '-server' and '-hide'. | EDR Network Connections, Process Execution | Command and Control | Low |
Control Gaps
- Lack of MFA on VPN access
- Unpatched Windows Defender vulnerabilities (RedSun/UnDefend)
Key Behavioral Indicators
- Binaries named FunnyApp.exe, RedSun.exe, undef.exe, or z.exe
- M365Copilot.exe spawning enumeration commands
- agent.exe executed with -server and -hide flags
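The hunting hypotheses and the behavioral indicators above translate directly into rules over process telemetry. The following is an added example, not Huntress code: it assumes EDR or Event ID 4688 data normalised to one record per process (image, parent_image, cmdline, optional dest_port), runs the four behaviours from this summary against constructed sample events, and reports which rules each process hit. The M365Copilot.exe and Firefox paths in the sample data are assumed, not taken from the report.

```python
"""Hunt over process-execution telemetry for the Nightmare-Eclipse staging,
ancestry and tunnelling behaviours called out in this summary.

Added example, not Huntress code. The record layout (image, parent_image,
cmdline, optional dest_port) is an assumed normalisation of EDR / Event ID
4688 data; every event below is constructed.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry. The M365Copilot.exe and Firefox install paths
# are assumed for illustration and are not from the report.
EVENTS = [
    {"pid": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Pictures\FunnyApp.exe", "cmdline": "FunnyApp.exe"},
    {"pid": 2, "parent_image": r"C:\Program Files\WindowsApps\M365Copilot.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami /priv"},
    {"pid": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\Downloads\ks\undef.exe", "cmdline": "undef.exe -agressive"},
    {"pid": 4, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\agent.exe", "cmdline": "agent.exe -server",
     "dest_port": 443},
    {"pid": 5, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe",
     "dest_port": 443},
]

# Binary names reported in the intrusion (Key Behavioral Indicators).
KNOWN_TOOL_NAMES = {"funnyapp.exe", "redsun.exe", "undef.exe", "z.exe"}
# Shell and enumeration tools that should not be children of M365Copilot.exe.
ENUM_TOOLS = {"cmd.exe", "whoami.exe", "cmdkey.exe", "net.exe"}


def _parts(path):
    """Lower-cased path components, drive spelled as 'c:'."""
    return [p.lower().rstrip("\\") for p in PureWindowsPath(path).parts]


def staged_binary_user_dir(ev):
    """Known tool name, any executable under a user's Pictures folder, or an
    executable in a one- or two-character subfolder of Downloads (ks, kk)."""
    parts = _parts(ev["image"])
    if parts[-1] in KNOWN_TOOL_NAMES:
        return True
    # Expect <drive>\Users\<user>\<folder>\...
    if len(parts) < 5 or parts[1] != "users":
        return False
    folder = parts[3]
    if folder == "pictures":
        return True
    return folder == "downloads" and len(parts) >= 6 and len(parts[4]) <= 2


def copilot_spawns_enum(ev):
    """Process ancestry anomaly: M365Copilot.exe as parent of a shell or enumeration tool."""
    return (_parts(ev["parent_image"])[-1] == "m365copilot.exe"
            and _parts(ev["image"])[-1] in ENUM_TOOLS)


def tunnel_agent_443(ev):
    """agent.exe run with -server or -hide and connecting outbound on 443."""
    return (_parts(ev["image"])[-1] == "agent.exe"
            and ev.get("dest_port") == 443
            and re.search(r"(?:^|\s)-(?:server|hide)\b", ev["cmdline"]) is not None)


def undefend_aggressive_flag(ev):
    """The misspelled '-agressive' switch is itself a usable indicator."""
    return re.search(r"\bundef\.exe\s+-agressive\b", ev["cmdline"], re.I) is not None


RULES = [staged_binary_user_dir, copilot_spawns_enum, tunnel_agent_443, undefend_aggressive_flag]


def hunt(events):
    """Return {pid: [matched rule names]} for every event that hits at least one rule."""
    hits = {}
    for ev in events:
        matched = [rule.__name__ for rule in RULES if rule(ev)]
        if matched:
            hits[ev["pid"]] = matched
    return hits


if __name__ == "__main__":
    for pid, names in hunt(EVENTS).items():
        print(pid, names)
```

The Firefox event is the benign control: it connects on 443 like the tunnel agent but hits no rule, which is the point of keying the C2 hypothesis on the binary name and the -server/-hide switches rather than on the port alone.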
False Positive Assessment
- Low - The combination of known tool names, command-line typos such as '-agressive', and a custom tunneling agent is highly indicative of malicious activity.
Recommendations
Immediate Mitigation
- Isolate endpoints showing signs of BlueHammer, RedSun, or UnDefend execution.
- Review VPN logs for anomalous authentication from multiple geographies in a short time period.
- Block the identified C2 domain (staybud[.]dpdns[.]org) and the IP addresses it resolves to.
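The VPN log review above amounts to a multi-geography check per account. The following is an added example, not Huntress tooling: it assumes FortiGate SSL VPN login events normalised to (user, source IP, country code, ISO timestamp) tuples, with the country supplied by a GeoIP lookup, and flags any account whose logins span two or more countries within a sliding window. The records are constructed and use RFC 5737 documentation addresses; the country mix mirrors the Russia/Singapore/Switzerland pattern reported, not the actual source IPs.

```python
"""Flag VPN accounts that authenticate from more than one country inside a
short window.

Added example, not Huntress tooling. The login tuples (user, source IP,
country code, ISO timestamp) are an assumed normalisation of FortiGate SSL
VPN logs plus a GeoIP lookup; the records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logins (RFC 5737 documentation addresses).
LOGINS = [
    ("jdoe",   "203.0.113.5",   "RU", "2026-04-01T08:02:00"),
    ("jdoe",   "198.51.100.23", "SG", "2026-04-01T09:15:00"),
    ("jdoe",   "192.0.2.77",    "CH", "2026-04-01T21:40:00"),
    ("asmith", "198.51.100.7",  "US", "2026-04-01T08:30:00"),
    ("asmith", "198.51.100.7",  "US", "2026-04-02T08:31:00"),
]


def multi_geo_users(logins, window_hours=24):
    """Return {user: set(countries)} for every user with logins from two or
    more countries inside any sliding window of window_hours."""
    by_user = defaultdict(list)
    for user, _src, country, ts in logins:
        by_user[user].append((datetime.fromisoformat(ts), country))

    window = timedelta(hours=window_hours)
    flagged = {}
    for user, entries in by_user.items():
        entries.sort()  # chronological
        for i, (start, _) in enumerate(entries):
            # Countries seen from this login up to window_hours later.
            countries = {c for t, c in entries[i:] if t - start <= window}
            if len(countries) >= 2:
                flagged.setdefault(user, set()).update(countries)
    return flagged


if __name__ == "__main__":
    for user, countries in multi_geo_users(LOGINS).items():
        print(user, sorted(countries))
```

Tune window_hours to the organisation's travel norms; with a 24-hour window jdoe is flagged for three countries while asmith's repeat login from one address is ignored, and tightening the window to one hour suppresses the jdoe hit because no two of the logins fall that close together.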
Infrastructure Hardening
- Enforce Multi-Factor Authentication (MFA) on all VPN and remote access portals.
- Apply the April 2026 Microsoft updates to patch CVE-2026-33825 (BlueHammer).
User Protection
- Restrict execution of unapproved binaries from user-writable directories like Pictures and Downloads.
- Ensure Windows Defender is fully updated and monitor for unexpected service stops or configuration changes.
Security Awareness
- Educate security operations teams on the indicators and behaviors associated with Nightmare-Eclipse PoC tools.
MITRE ATT&CK Mapping
- T1133 - External Remote Services
- T1068 - Exploitation for Privilege Escalation
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1033 - System Owner/User Discovery
- T1087.002 - Account Discovery: Domain Account
- T1572 - Protocol Tunneling
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Additional IOCs
- IPs:
  - 212[.]232[.]23[.]69 - Additional SSL VPN source IP geolocated to Singapore.
  - 179[.]43[.]140[.]214 - Additional SSL VPN source IP geolocated to Switzerland.
- File Paths:
  - C:\Users\[REDACTED]\Downloads\RedSun.exe - RedSun execution path observed during the intrusion.
  - C:\Users\[REDACTED]\Downloads\ks\undef.exe - UnDefend-related binary execution path.
  - C:\Users\[REDACTED]\Downloads\kk\undef.exe - UnDefend-related aggressive execution variant path.
  - C:\Users\[REDACTED]\Downloads\ks\z.exe - Renamed companion binary observed in the same activity cluster.
- Command Lines:
  - agent.exe -server | Tool: agent.exe | Stage: Command and Control | Purpose: Establish a reverse tunnel to the C2 server
  - undef.exe -agressive | Tool: undef.exe | Stage: Defense Evasion | Purpose: Execute UnDefend in aggressive mode (the typo is the attacker's)
  - whoami /priv | Tool: whoami.exe | Stage: Discovery | Purpose: Privilege enumeration
  - cmdkey /list | Tool: cmdkey.exe | Stage: Credential Access | Purpose: Credential enumeration
  - net group | Tool: net.exe | Stage: Discovery | Purpose: Group enumeration
- Other:
  - Exploit:Win32/DfndrPEBluHmr.BZ - Windows Defender detection name tied to observed BlueHammer execution.