Hackers Use Nightmare-Eclipse Tools After Compromising FortiGate SSL VPN Access

Source: CyberSecurityNews (Technology)

Key Points:

  • In a real-world intrusion, an attacker who had gained unauthorized access through a compromised FortiGate SSL VPN went on to run the publicly available privilege escalation tools BlueHammer, RedSun, and UnDefend, the first confirmed use of these tools in a live enterprise environment.
  • The tools, released by the pseudonymous researcher Nightmare-Eclipse, abuse logic flaws in Windows Defender to escalate privileges or disrupt its protections without administrative rights; BlueHammer has been patched, while RedSun and UnDefend were still unpatched zero-days at the time of the report.
  • Huntress first observed BlueHammer on April 10, 2026, followed by escalating activity that included executions of RedSun and UnDefend; none of the privilege escalation attempts succeeded because of active remediation.
  • The attacker reached the victim network from multiple IP addresses in different geolocations, consistent with the use of stolen credentials, and deployed a covert TCP relay tool, BeigeBurrow, which did succeed in establishing persistent outbound connections over port 443.
  • Huntress recommends patching immediately, reviewing user-writable directories and VPN authentication logs, blocking suspicious tunneling domains, and monitoring for post-exploitation commands; it has also published a YARA rule for detecting BeigeBurrow.
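The VPN-log review recommended above comes down to one question: did a single account authenticate from several geolocations in a short window? The script below is an added example written for this page, not code from the report, from Huntress, or from Fortinet. Its key=value log style and field names (`date`, `time`, `subtype`, `action`, `user`, `remip`) approximate FortiGate event logs and are assumptions, and the sample lines and the IP-to-region table are constructed stand-ins for a real log export and a real GeoIP lookup.

```python
"""Flag a VPN account that authenticates from several geolocations in a short window.

Added example, not code from the report or from Huntress. The key=value log style and the
field names (date, time, subtype, action, user, remip) approximate FortiGate event logs
and are assumptions; the sample lines and the IP-to-region table are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a FortiGate-like key=value style (field names assumed).
# The source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
date=2026-04-10 time=01:12:04 type=event subtype=vpn action="ssl-login-ok" user="jdoe" remip=203.0.113.10
date=2026-04-10 time=01:19:40 type=event subtype=vpn action="ssl-login-ok" user="jdoe" remip=198.51.100.77
date=2026-04-10 time=02:05:12 type=event subtype=vpn action="ssl-login-fail" user="jdoe" remip=192.0.2.200
date=2026-04-10 time=03:30:00 type=event subtype=vpn action="ssl-login-ok" user="asmith" remip=203.0.113.55
date=2026-04-10 time=09:45:00 type=event subtype=vpn action="ssl-login-ok" user="asmith" remip=203.0.113.55
"""

# Stand-in for a GeoIP lookup (constructed); a real deployment would query a GeoIP database.
IP_REGION = {
    "203.0.113.10": "DE",
    "198.51.100.77": "BR",
    "192.0.2.200": "RU",
    "203.0.113.55": "DE",
}

# key=value pairs; values may be double-quoted (group 3) or bare (group 2).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def successful_logins(log_text):
    """Return (timestamp, user, source_ip) for every successful SSL VPN login, oldest first."""
    events = []
    for line in log_text.splitlines():
        f = parse_line(line)
        # Failed attempts matter for brute-force detection but not for this check.
        if f.get("subtype") != "vpn" or f.get("action") != "ssl-login-ok":
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, f["user"], f["remip"]))
    return sorted(events)


def find_multi_region_logins(log_text, window=timedelta(hours=1)):
    """Return {user: [(ip, region), ...]} for accounts that logged in from more than one
    geolocated region within `window` of each other. A single source IP, or a second IP
    from the same region (e.g. a home-ISP reconnect), is not flagged."""
    by_user = defaultdict(list)
    for ts, user, ip in successful_logins(log_text):
        by_user[user].append((ts, ip))

    flagged = {}
    for user, logins in by_user.items():
        for i, (ts, _ip) in enumerate(logins):
            # Logins from this one forward that fall inside the window.
            cluster = [ip for ots, ip in logins[i:] if ots - ts <= window]
            regions = {IP_REGION.get(ip, "unknown") for ip in cluster}
            if len(regions) > 1:
                flagged[user] = sorted((ip, IP_REGION.get(ip, "unknown")) for ip in set(cluster))
                break
    return flagged


if __name__ == "__main__":
    for user, sources in find_multi_region_logins(SAMPLE_LOGS).items():
        print(f"{user}: logins from {len(sources)} regions within an hour -> {sources}")
```

On the constructed input only `jdoe` is flagged: two successful logins seven minutes apart from a German and a Brazilian address, while the failed attempt from a third address is ignored and `asmith` reconnecting from one address is left alone. In a real investigation the flagged accounts are the ones whose sessions should be correlated with the user-writable-directory review and with outbound 443 connections from the hosts they reached.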
