Nightmare Eclipse

All articles tagged with #nightmare eclipse

GitHub bans vigilante Windows zero-day leaker over disclosed flaws
technology, 9 hours ago

GitHub terminated the account of the anonymous security researcher Nightmare-Eclipse after the researcher publicly disclosed unpatched Windows vulnerabilities. The researcher has since moved to GitLab and continues to publish exploits (BlueHammer, YellowKey) along with threats. Microsoft says the disclosures violated coordinated vulnerability disclosure practices; reaction from the security community has been mixed.

Public PoC Unleashes Windows 'MiniPlasma' Privilege-Escalation to SYSTEM
cyber-security-news, 7 days ago

A publicly released PoC for the Windows 'MiniPlasma' zero-day privilege-escalation flaw lets an unprivileged user gain SYSTEM privileges by winning a race condition in the Cloud Filter driver's HsmOsBlockPlaceholderAccess routine and then writing to the .DEFAULT registry hive. The bug traces back to CVE-2020-17103, which Microsoft patched in 2020, but the PoC shows the underlying flaw remains exploitable and is reported to affect all Windows versions. Nightmare-Eclipse released the exploit on GitHub on May 13, 2026, after the May Patch Tuesday, so no Microsoft fix was available at release and the risk grows as weaponized code circulates. Organizations should monitor Microsoft's response and apply a patch as soon as one is available.

Nightmare-Eclipse Privilege Tools Breach FortiGate SSL VPN in the Wild
cyber-security, 1 month ago

Attackers used the publicly released Nightmare-Eclipse privilege-escalation tools BlueHammer, RedSun, and UnDefend after compromising a FortiGate SSL VPN, the first observed in-the-wild use of the tools against a live enterprise. The bug behind BlueHammer has been patched as CVE-2026-33825; RedSun and UnDefend remain unpatched zero-days. BeigeBurrow served as a covert command-and-control (C2) channel. The intrusion involved VPN logins from Russia and other countries, and the observed artifacts include the binaries FunnyApp.exe, RedSun.exe, and undef.exe and the BeigeBurrow domain staybud.dpdns.org. Mitigations include applying the April 2026 patch, scanning user-writable paths for the named artifacts, reviewing VPN authentication logs for accounts authenticating from multiple countries, blocking the command line agent.exe -server -hide, and applying the published YARA rule to detect BeigeBurrow.
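The hunting steps above (multi-country VPN logins, artifact names in user-writable paths, the blocked command line, and the C2 domain) are easy to script against exported logs. The following is an added example written for this page, not code from the article, the researcher, or Fortinet. It assumes a FortiGate-style key=value syslog export with `user`, `srccountry` and `action` fields, a list of user-writable directory prefixes, and a constructed sample log; the only real indicators in it are the file names, domain and command line quoted in the summary.

```python
"""Triage helpers for the FortiGate / Nightmare-Eclipse indicators listed above.
Added example; log format, field names, path list and sample data are assumptions."""
import re
from collections import defaultdict

# Indicators named in the article summary.
ARTIFACT_NAMES = {"funnyapp.exe", "redsun.exe", "undef.exe"}
C2_DOMAIN = "staybud.dpdns.org"
BLOCKED_CMDLINE = re.compile(r"(?i)\bagent\.exe\b.*\s-server\b.*\s-hide\b")

# Locations an unprivileged user can normally write to (assumed, extend per environment).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\windows\\tasks\\",
)

# Constructed sample of SSL VPN tunnel-up events in FortiGate-style key=value syslog.
SAMPLE_VPN_LOG = """\
date=2026-04-02 time=08:12:31 user="jdoe" remip=203.0.113.10 srccountry="United States" action=tunnel-up
date=2026-04-02 time=08:40:05 user="jdoe" remip=198.51.100.7 srccountry="Russian Federation" action=tunnel-up
date=2026-04-02 time=09:15:44 user="asmith" remip=192.0.2.44 srccountry="Germany" action=tunnel-up
date=2026-04-02 time=09:50:12 user="jdoe" remip=203.0.113.11 srccountry="United States" action=tunnel-up
date=2026-04-02 time=10:02:58 user="asmith" remip=192.0.2.45 srccountry="Germany" action=tunnel-up
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def multi_country_users(log_text):
    """Map user -> sorted list of countries for users with successful logins from >1 country."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_kv(line)
        if ev.get("action") == "tunnel-up" and "user" in ev and "srccountry" in ev:
            seen[ev["user"]].add(ev["srccountry"])
    return {u: sorted(c) for u, c in seen.items() if len(c) > 1}


def suspicious_artifacts(paths):
    """Return paths whose file name is a known artifact and that live in a user-writable tree."""
    hits = []
    for p in paths:
        low = p.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in ARTIFACT_NAMES and low.startswith(USER_WRITABLE_PREFIXES):
            hits.append(p)
    return hits


def is_blocked_cmdline(cmdline):
    """True when a process command line matches the agent.exe -server -hide pattern."""
    return BLOCKED_CMDLINE.search(cmdline) is not None


def dns_hits(queries):
    """Return queried names equal to the BeigeBurrow domain or any subdomain of it."""
    out = []
    for q in queries:
        n = q.lower().rstrip(".")
        if n == C2_DOMAIN or n.endswith("." + C2_DOMAIN):
            out.append(q)
    return out


if __name__ == "__main__":
    # Constructed inputs standing in for a host file listing, process list and DNS log.
    print("multi-country logins:", multi_country_users(SAMPLE_VPN_LOG))
    print("artifacts:", suspicious_artifacts([
        "C:\\Users\\jdoe\\AppData\\Local\\Temp\\FunnyApp.exe",
        "C:\\Program Files\\Vendor\\undef.exe",
        "C:\\ProgramData\\RedSun.exe",
    ]))
    print("blocked:", is_blocked_cmdline('"C:\\Users\\jdoe\\agent.exe" -server -hide'))
    print("dns:", dns_hits(["cdn.staybud.dpdns.org.", "example.com"]))
```

The VPN check deliberately keys on successful tunnel-up events only, since failed attempts from many countries are routine password spraying; the artifact check ignores the same file names under Program Files, where an unprivileged attacker could not have dropped them without already having elevated.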