SOC Prime Bias: Critical

22 Apr 2026 18:41

Nightmare-Eclipse Moves from Public PoC to Real-World Attacks

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Huntress documented a live intrusion in which attackers used publicly available Windows privilege-escalation and defense-evasion tools known as BlueHammer, RedSun, and UnDefend. The operation began with compromised FortiGate SSL VPN credentials, which gave the intruders access to the environment and allowed them to stage malicious binaries in user-writable folders. Once inside, they executed reconnaissance commands and deployed a custom Go-based tunneling utility called BeigeBurrow. The case highlights how proof-of-concept exploit tools can move from public release into active intrusion activity within a short time.

Investigation

The investigation traced the malicious activity to compromised FortiGate SSL VPN sessions originating from IP addresses in Russia, Singapore, and Switzerland. Analysts found binaries including FunnyApp.exe, RedSun.exe, undef.exe, and a Go-based tunneling agent named agent.exe stored in users' Pictures and Downloads directories. The attackers also ran hands-on-keyboard commands such as whoami /priv, cmdkey /list, and net group to enumerate privileges, stored credentials, and domain groups. The tunneling agent established a yamux-based reverse tunnel to staybud.dpdns.org over port 443 to maintain remote access.

Mitigation

Defenders should monitor execution from unusual user-writable paths (Pictures and Downloads in this case), detect the known binary names, and investigate Microsoft Defender alerts such as Exploit:Win32/DfndrPEBluHmr.BZ and EICAR-related detections. VPN logs should be reviewed for the same account authenticating from widely separated geographies within a short window, and any untrusted source IPs should be blocked. Security teams should also deploy endpoint detections for BlueHammer, RedSun, and UnDefend activity and prioritize remediation for CVE-2026-33825.
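The VPN-log review recommended above is a geo-velocity check: one account authenticating successfully from several countries inside a short window. The following Python is an added example of that logic, not SOC Prime's or Huntress's code. The log lines are constructed for the illustration and only loosely mimic FortiGate key="value" event fields (subtype, action, user, srcip, srccountry); the three countries are the ones the investigation reports, while the usernames, IP addresses and timestamps are made up.

```python
"""Geo-velocity check over SSL VPN logins.

Added example, not the page's or the vendor's code. SAMPLE_LOGS is constructed
and only loosely mimics FortiGate key="value" event fields.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = [  # constructed sample data
    'date=2026-04-20 time=08:02:11 type="event" subtype="vpn" action="ssl-login" user="j.doe" srcip="203.0.113.7" srccountry="Switzerland"',
    'date=2026-04-20 time=09:15:42 type="event" subtype="vpn" action="ssl-login" user="r.smith" srcip="203.0.113.20" srccountry="Switzerland"',
    'date=2026-04-20 time=11:47:03 type="event" subtype="vpn" action="ssl-login" user="r.smith" srcip="198.51.100.34" srccountry="Russia"',
    'date=2026-04-20 time=13:05:58 type="event" subtype="vpn" action="ssl-login-fail" user="j.doe" srcip="198.51.100.34" srccountry="Russia"',
    'date=2026-04-20 time=14:30:19 type="event" subtype="vpn" action="ssl-login" user="r.smith" srcip="192.0.2.88" srccountry="Singapore"',
    'date=2026-04-21 time=08:01:55 type="event" subtype="vpn" action="ssl-login" user="j.doe" srcip="203.0.113.7" srccountry="Switzerland"',
]

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value syslog line into a dict and add a parsed 'ts'."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}',
                                     "%Y-%m-%d %H:%M:%S")
    return fields


def successful_logins(lines):
    """Only sessions that actually authenticated; failed attempts are a
    different signal (spray or guess) and would skew the country count."""
    return [e for e in map(parse_line, lines)
            if e.get("subtype") == "vpn" and e.get("action") == "ssl-login"]


def multi_country_logins(lines, window_hours=24, min_countries=2):
    """{user: sorted countries} for accounts whose successful logins came from
    at least min_countries countries within any window_hours span."""
    by_user = defaultdict(list)
    for e in sorted(successful_logins(lines), key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    window = timedelta(hours=window_hours)
    hits = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            countries = {e["srccountry"] for e in evs[i:]
                         if e["ts"] - first["ts"] <= window}
            if len(countries) >= min_countries:
                hits[user] = sorted(countries)
                break
    return hits


def block_candidates(lines, expected_countries):
    """Source IPs that flagged accounts used from countries the organisation
    does not expect: the 'untrusted source IPs' to block and pivot on."""
    flagged = multi_country_logins(lines)
    return sorted({e["srcip"] for e in successful_logins(lines)
                   if e["user"] in flagged
                   and e["srccountry"] not in expected_countries})


if __name__ == "__main__":
    print(multi_country_logins(SAMPLE_LOGS))
    print(block_candidates(SAMPLE_LOGS, {"Switzerland"}))
```

On the sample data, r.smith is flagged for Russia, Singapore and Switzerland within one day, while j.doe is not: the Russian event against that account is a failed login and is excluded on purpose. Tune window_hours to the organisation's travel reality; the Switzerland/Singapore/Russia spread in this case would trip even a generous window.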

Response

If this activity is detected, isolate the affected endpoint immediately, terminate the tunneling agent, and remove all staged binaries from the host. Reset compromised VPN credentials and enforce multi-factor authentication for remote access. Incident responders should also perform a full review for credential dumping, apply Microsoft’s patch for CVE-2026-33825, and hunt across the environment for any remaining traces of the privilege-escalation tools.

Attack Flow

    graph TB
      %% Class definitions
      classDef action fill:#99ccff
      classDef builtin fill:#ffcc99
      classDef malware fill:#ccffcc

      %% Nodes – Actions
      action_initial_access["<b>Action</b> – <b>T1078 Valid Accounts</b><br/>Compromised FortiGate SSL VPN credentials provide legitimate network access."]
      class action_initial_access action
      action_execution["<b>Action</b> – Execution from user-writable paths<br/>Binaries placed in Pictures and Downloads are executed."]
      class action_execution action
      action_priv_esc_exploit["<b>Action</b> – <b>T1068 Exploitation for Privilege Escalation</b><br/>BlueHammer exploits a TOCTOU vulnerability in Windows Defender to obtain a handle to the SAM database and elevate to SYSTEM."]
      class action_priv_esc_exploit action
      action_priv_esc_abuse["<b>Action</b> – <b>T1548 Abuse Elevation Control Mechanism</b><br/>RedSun leverages a race condition in Defender's cloud-file remediation flow to write a malicious executable into C:\Windows\System32 and gain SYSTEM privileges."]
      class action_priv_esc_abuse action
      action_credential_dump["<b>Action</b> – <b>T1003 OS Credential Dumping</b><br/>BlueHammer reads the SAM hive from a Volume Shadow Copy to extract NTLM password hashes."]
      class action_credential_dump action
      action_pass_the_hash["<b>Action</b> – <b>T1550.002 Pass the Hash</b><br/>Extracted hashes are intended for lateral movement using Pass-the-Hash (not observed to succeed)."]
      class action_pass_the_hash action
      action_defense_evasion["<b>Action</b> – <b>T1211 Exploitation for Defense Evasion</b><br/>UnDefend locks Defender definition files and blocks service restarts, temporarily disabling the antivirus."]
      class action_defense_evasion action
      action_c2["<b>Action</b> – <b>T1071.001 Web Protocols</b><br/>BeigeBurrow agent creates a persistent reverse HTTPS tunnel using the yamux multiplexing library."]
      class action_c2 action

      %% Nodes – Malware / Tools
      malware_funnyapp["<b>Malware</b> – <b>Name</b>: FunnyApp.exe<br/><b>Location</b>: User\Pictures"]
      class malware_funnyapp malware
      malware_redsun["<b>Malware</b> – <b>Name</b>: RedSun.exe<br/><b>Location</b>: User\Downloads"]
      class malware_redsun malware
      malware_undef["<b>Malware</b> – <b>Name</b>: undef.exe<br/><b>Location</b>: User\Downloads"]
      class malware_undef malware
      malware_z["<b>Malware</b> – <b>Name</b>: z.exe<br/><b>Location</b>: User\Downloads"]
      class malware_z malware
      malware_beigeburrow["<b>Malware</b> – <b>Name</b>: BeigeBurrow agent (agent.exe)"]
      class malware_beigeburrow malware
      tool_bluehammer["<b>Tool</b> – <b>Name</b>: BlueHammer<br/><b>Description</b>: Exploits Defender TOCTOU to capture SAM handle and dump credentials."]
      class tool_bluehammer builtin
      tool_redsun["<b>Tool</b> – <b>Name</b>: RedSun<br/><b>Description</b>: Writes malicious executable to C:\Windows\System32 via Defender race condition."]
      class tool_redsun builtin
      tool_undefend["<b>Tool</b> – <b>Name</b>: UnDefend<br/><b>Description</b>: Locks AV definition files and prevents Defender service restarts."]
      class tool_undefend builtin

      %% Connections – Attack Flow
      action_initial_access -->|leads_to| action_execution
      action_execution -->|executes| malware_funnyapp
      action_execution -->|executes| malware_redsun
      action_execution -->|executes| malware_undef
      action_execution -->|executes| malware_z
      malware_redsun -->|uses| tool_redsun
      malware_funnyapp -->|drops| tool_bluehammer
      action_priv_esc_exploit -->|uses| tool_bluehammer
      action_priv_esc_exploit -->|leads_to| action_priv_esc_abuse
      action_priv_esc_abuse -->|uses| tool_redsun
      action_priv_esc_abuse -->|enables| action_credential_dump
      action_credential_dump -->|produces| action_pass_the_hash
      action_defense_evasion -->|uses| tool_undefend
      action_c2 -->|established_by| malware_beigeburrow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary that has obtained a foothold on a Windows host wishes to confirm the privilege level of the compromised account and enumerate stored credentials and domain groups for lateral movement. To stay under the radar, the attacker uses native Windows binaries (whoami, cmdkey, net) executed directly from a PowerShell prompt, avoiding third-party tools that would generate additional alerts. Each command starts a new process, producing an Event ID 4688 record carrying the command line the Sigma rule watches for, provided the "Include command line in process creation events" audit policy is enabled; Sysmon Event ID 1 records the command line regardless of that policy.

  • Regression Test Script:

      # -----------------------------------------------------------------
      # Simulate Hands-on-Keyboard Reconnaissance to trigger Sigma rule
      # Run from an interactive PowerShell prompt (Start-Sleep is a cmdlet).
      # Event ID 4688 carries the command line only when the audit policy
      # "Include command line in process creation events" is enabled.
      # -----------------------------------------------------------------
      # 1. Display current token privileges
      whoami /priv

      # 2. List saved Windows credentials (Credential Manager entries)
      cmdkey /list

      # 3. Enumerate domain groups. On a member host without /domain,
      #    net.exe returns an error, but the process still starts and the
      #    4688 record containing "net group" is still written.
      net group

      # Pause to allow SIEM ingestion
      Start-Sleep -Seconds 10
  • Cleanup Commands:

      # Remove any temporary artifacts (none created)
      # Clear the in-memory PowerShell history for stealth (optional).
      # Clear-History does not touch PSReadLine's on-disk history file
      # (ConsoleHost_history.txt), which persists across sessions.
      Clear-History
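The detection side of the simulation above, and of the endpoint monitoring the Mitigation section calls for (execution from user-writable paths, the known staged binary names, and the hands-on-keyboard reconnaissance commands), is shown below as an added Python example. It is not SOC Prime's Sigma rule and not Huntress's code. SAMPLE_EVENTS is constructed to carry the fields a Windows Security 4688 record or a Sysmon Event ID 1 would provide; the binary names and commands come from the write-up, while the hosts, usernames, parent processes and timestamps are made up.

```python
"""Process-creation detection logic for the behaviour the write-up describes.

Added example, not the page's Sigma rule or the vendor's code. SAMPLE_EVENTS is
constructed to mimic the fields of a Windows 4688 / Sysmon 1 record.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Binary names the write-up reports in Pictures/Downloads (compared lower-case).
KNOWN_BINARIES = {"funnyapp.exe", "redsun.exe", "undef.exe", "z.exe", "agent.exe"}

# Any image under <profile>\Pictures\ or <profile>\Downloads\.
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\(pictures|downloads)\\", re.IGNORECASE)

# Recon command lines. Tolerates a quoted full image path ("...\whoami.exe" /priv)
# and net.exe's net1.exe child. CommandLine is empty in 4688 unless the
# "Include command line in process creation events" policy is on.
RECON_PATTERNS = {
    "whoami_priv": re.compile(r'(^|\\)whoami(\.exe)?"?\s+/priv\b', re.IGNORECASE),
    "cmdkey_list": re.compile(r'(^|\\)cmdkey(\.exe)?"?\s+/list\b', re.IGNORECASE),
    "net_group":   re.compile(r'(^|\\)net1?(\.exe)?"?\s+group\b', re.IGNORECASE),
}


def _event(time, host, user, image, cmdline, parent):
    return {"time": time, "host": host, "user": user, "image": image,
            "cmdline": cmdline, "parent": parent}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample data
    _event("2026-04-20T11:52:01", "WS-014", "r.smith",
           r"C:\Users\r.smith\Pictures\FunnyApp.exe", r"C:\Users\r.smith\Pictures\FunnyApp.exe", PS),
    _event("2026-04-20T11:53:10", "WS-014", "r.smith",
           r"C:\Windows\System32\whoami.exe", "whoami /priv", PS),
    _event("2026-04-20T11:53:25", "WS-014", "r.smith",
           r"C:\Windows\System32\cmdkey.exe", "cmdkey /list", PS),
    _event("2026-04-20T11:54:02", "WS-014", "r.smith",
           r"C:\Windows\System32\net.exe", "net group", PS),
    _event("2026-04-20T12:10:40", "WS-014", "r.smith",
           r"C:\Users\r.smith\Downloads\agent.exe", r"C:\Users\r.smith\Downloads\agent.exe", PS),
    # Benign noise: an installer run from Downloads and a plain whoami.
    _event("2026-04-20T09:00:00", "WS-002", "j.doe",
           r"C:\Users\j.doe\Downloads\7z2409-x64.exe", r"C:\Users\j.doe\Downloads\7z2409-x64.exe",
           r"C:\Windows\explorer.exe"),
    _event("2026-04-20T09:01:00", "WS-002", "j.doe",
           r"C:\Windows\System32\whoami.exe", "whoami", r"C:\Windows\System32\cmd.exe"),
]


def evaluate(event):
    """Names of the rules a single process-creation event matches."""
    hits = []
    image = event["image"]
    if USER_WRITABLE_RE.search(image):
        hits.append("exec_from_user_writable_path")
    if image.rsplit("\\", 1)[-1].lower() in KNOWN_BINARIES:
        hits.append("known_binary_name")
    for rule, pattern in RECON_PATTERNS.items():
        if pattern.search(event.get("cmdline") or ""):
            hits.append(rule)
    return hits


def correlate_recon(events, window_minutes=10, min_distinct=2):
    """(host, user) pairs that ran at least min_distinct different recon
    commands inside window_minutes. A lone whoami is noise; whoami, cmdkey
    and net group within a couple of minutes is an operator at the keyboard."""
    per_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(e["time"])
        for hit in evaluate(e):
            if hit in RECON_PATTERNS:
                per_actor[(e["host"], e["user"])].append((ts, hit))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for actor, seq in per_actor.items():
        for i, (t0, _) in enumerate(seq):
            distinct = {rule for ts, rule in seq[i:] if ts - t0 <= window}
            if len(distinct) >= min_distinct:
                alerts[actor] = sorted(distinct)
                break
    return alerts


def triage(events):
    """Every event that matched at least one rule, for an analyst to review."""
    rows = []
    for e in events:
        hits = evaluate(e)
        if hits:
            rows.append((e["time"], e["host"], e["user"],
                         e["image"].rsplit("\\", 1)[-1], hits))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
    print(correlate_recon(SAMPLE_EVENTS))
```

Running the regression script above on a host shipping 4688 with command lines produces exactly the three recon events this code correlates; the execution-from-Downloads rule fires on the benign installer too, which is why the known-name match and the recon correlation are reported as separate hits rather than folded into one alert.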