Hackers Use Nightmare-Eclipse Tools After FortiGate VPN Breach

A real-world intrusion campaign has been detected leveraging Nightmare-Eclipse tools following unauthorized access to FortiGate SSL VPN. This incident raises urgent alarms for security teams globally.


Original Reporting: Cyber Security News · Guru Baran

AI Summary: CyberPings AI · Reviewed by Rohit Rana

🎯 Hackers used special tools to break into companies' networks through a VPN. They could have accessed sensitive information, but some mistakes made by the hackers prevented them from succeeding fully. Companies need to act quickly to protect themselves.

What Happened

A real-world intrusion campaign has been detected leveraging publicly available Nightmare-Eclipse privilege escalation tools, specifically BlueHammer, RedSun, and UnDefend, following unauthorized access through a compromised FortiGate SSL VPN. This incident marks the first confirmed deployment of these tools in an active enterprise environment, raising urgent alarms for security teams worldwide. Huntress observed this activity during a live intrusion investigation, linking it back to compromised FortiGate SSL VPN access tied to multiple suspicious source IPs, including one geolocated to Russia.

The tools were developed by a security researcher known as Chaotic Eclipse, who became frustrated with Microsoft’s vulnerability disclosure process and released a series of local privilege escalation (LPE) exploits in retaliation. The tools exploit logic flaws in Windows Defender’s operations, allowing attackers to escalate privileges from an unprivileged user account to SYSTEM-level access or disrupt Defender’s security functions without administrative rights. Notably, despite the execution of these tools, none appear to have succeeded during the incident, indicating potential blunders by the threat actors.

Who's Affected

The attack primarily targets enterprises that utilize FortiGate SSL VPNs, particularly those that may have weak security practices regarding VPN access and user credential management. The attackers used valid user credentials to access the VPN, indicating potential credential abuse or resale. Huntress identified suspicious artifacts staged in user-writable directories, including a user’s Pictures folder and short subfolders under Downloads, which were indicative of hands-on-keyboard reconnaissance activities.

What Data Was Exposed

While specific data breaches have not been confirmed, the attackers' ability to execute privilege escalation tools indicates a significant risk of unauthorized access to sensitive data within the compromised environments. The tools' capabilities suggest that attackers could potentially extract credentials or manipulate security settings, posing a severe risk to organizational data integrity. Additionally, the reconnaissance activities included commands like whoami /priv, cmdkey /list, and net group, which further highlight the potential for data compromise.

The Tools

The tools involved in this incident include:

  • BlueHammer: Addressed in Microsoft’s April 2026 Patch Tuesday update as CVE-2026-33825, but still poses a risk until all systems are patched. BlueHammer exploits a Time Of Check, Time Of Use (TOCTOU) vulnerability in Windows Defender, allowing for SYSTEM-level access.
  • RedSun and UnDefend: These remain unpatched zero-days that can be exploited against fully updated Windows systems. Both tools focus on achieving SYSTEM-level access through race conditions and manipulation of Windows Defender processes.
  • BeigeBurrow: A Go-compiled binary that establishes a covert TCP relay for persistent access, successfully connecting outbound, unlike the other tools. This suspicious binary appeared to provide tunneling functionality for follow-on access during the intrusion.

Indicators of Compromise (IOCs)

  • IP Addresses: 78.29.48[.]29 (Russia), 212.232.23[.]69 (Singapore), 179.43.140[.]214 (Switzerland)
  • Files: FunnyApp.exe, RedSun.exe, undef.exe, and a suspicious agent.exe binary dubbed BeigeBurrow.
  • Domain: staybud.dpdns[.]org (BeigeBurrow C2 server)

What You Should Do

Organizations should treat any confirmed execution of these binaries as high-priority incident activity. Huntress recommends the immediate actions listed under Do Now and Do Next below. A YARA detection rule for BeigeBurrow has been published publicly to aid community-wide detection efforts, and organizations should remain vigilant and proactive in monitoring for these indicators of compromise.

Do Now

  1. Patch immediately: Apply Microsoft’s April 2026 Patch Tuesday update to remediate CVE-2026-33825 (BlueHammer).
  2. Hunt for staging artifacts: Investigate user-writable paths like Pictures\ and short subfolders under Downloads\ for binaries like FunnyApp.exe, RedSun.exe, undef.exe.
  3. Review VPN authentication logs: Flag any account authenticating from multiple countries in a short timeframe.

Do Next

  4. Block and monitor tunneling behavior: Investigate any execution of agent.exe with -server and -hide flags, and block the domain staybud.dpdns[.]org.
  5. Detect post-exploitation enumeration: Alert on commands like whoami /priv, cmdkey /list, and net group spawned from unusual parent processes.
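One way to run the staging-artifact hunt (step 2) and the tunneling and enumeration detections (steps 4 and 5) over process-creation telemetry, written here as an added example rather than Huntress's or the article's code: it assumes Sysmon Event ID 1-style fields (parent image, image, command line) and constructed sample records, and the "expected parent" allowlist and the "three characters or fewer" reading of "short subfolder" are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records modelled on Sysmon Event ID 1 fields.
# These are sample inputs for this example, not telemetry from the incident.
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /priv"},
    {"id": 2, "parent": r"C:\Users\jdoe\Pictures\FunnyApp.exe", "image": r"C:\Windows\System32\cmdkey.exe", "cmdline": "cmdkey /list"},
    {"id": 3, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Users\jdoe\Downloads\a1\agent.exe", "cmdline": "agent.exe -server -hide"},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "Domain Admins" /domain'},
]

ENUM_CMDS = re.compile(r"^(whoami\s+/priv|cmdkey\s+/list|net\s+group)\b", re.I)
# Assumption: interactive shells are the expected parents for these commands;
# anything else (an installer, a binary staged under a user profile) is unusual.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
STAGED_NAMES = {"funnyapp.exe", "redsun.exe", "undef.exe", "agent.exe"}

def in_staging_path(path: str) -> bool:
    """True if path sits under a user's Pictures folder or a short subfolder of Downloads.
    'Short' is taken to mean a folder name of three characters or fewer (assumption)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if "users" not in parts:
        return False
    rel = parts[parts.index("users") + 2:]  # drop drive, 'users' and the username
    if rel[:1] == ["pictures"]:
        return True
    return len(rel) >= 3 and rel[0] == "downloads" and len(rel[1]) <= 3

def triage(event: dict) -> list:
    """Return the detection labels that fire for one process-creation record."""
    hits = []
    parent_name = PureWindowsPath(event["parent"]).name.lower()
    image_name = PureWindowsPath(event["image"]).name.lower()
    cmd = event["cmdline"].strip()
    if ENUM_CMDS.match(cmd) and parent_name not in EXPECTED_PARENTS:
        hits.append("enumeration_from_unusual_parent")
    if in_staging_path(event["image"]) or in_staging_path(event["parent"]):
        hits.append("binary_in_staging_path")
    if image_name in STAGED_NAMES:
        hits.append("known_staged_filename")
    if image_name == "agent.exe" and {"-server", "-hide"} <= set(cmd.lower().split()[1:]):
        hits.append("beigeburrow_relay_flags")
    return hits

def triage_all(events: list) -> dict:
    """Map event id -> labels, keeping only records that fired at least one detection."""
    return {e["id"]: triage(e) for e in events if triage(e)}
```

Records 1 and 4 (enumeration from an interactive shell) produce no hits, which is the baseline the allowlist is meant to preserve; records 2 and 3 reproduce the staged-parent and relay-flag patterns the steps above describe.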

🔒 Pro Insight

The combination of privilege escalation tools and compromised VPN access presents a significant threat landscape for enterprises. Organizations must prioritize patching and monitoring to mitigate risks.

📅 Story Timeline

Story broken by Cyber Security News

Covered by Cyber Security News

Covered by Huntress Blog
