Nightmare-Eclipse Tooling Seen in Real-World Intrusion
Essential information
- Published: 20/04/2026 22:28
- Modified: 21/04/2026 09:28
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: beigeburrow, bluehammer, cve-2026-33825, fortigate vpn, nightmare-eclipse, privilege escalation, redsun, undefend, windows defender bypass
- Tags: 2026-04-20, CVE-2026-33825, beigeburrow, bluehammer, fortigate vpn, nightmare-eclipse, privilege-escalation, redsun, undefend, windows defender bypass
- Related entities: 1 vulnerability (CVE), 3 indicators, 3 observables, 18 techniques (MITRE), 4 malware
Description
Activity involving the BlueHammer, RedSun, and UnDefend tooling from the Nightmare-Eclipse proof-of-concept repository was observed during a live intrusion investigation. The malicious binaries were staged in user-writable directories, including the Pictures and Downloads folders, but execution attempts failed despite hands-on-keyboard reconnaissance activity. The threat actor appeared unfamiliar with the tools, misspelling command parameters and attempting non-functional flags. Initial access was traced to compromised FortiGate SSL VPN credentials, with connections originating from Russia, Singapore, and Switzerland. A Go-based tunneling agent dubbed BeigeBurrow was deployed for persistent access; it beaconed to attacker infrastructure over port 443 and used HashiCorp's yamux library to multiplex a reverse tunnel over that single connection.