Tag: UnDefend

All articles tagged with #undefend

Nightmare-Eclipse Privilege Tools Breach FortiGate SSL VPN in the Wild
cyber-security, 1 month ago

Attackers used publicly released Nightmare-Eclipse privilege-escalation tools—BlueHammer, RedSun, and UnDefend—after compromising a FortiGate SSL VPN, marking the first in-the-wild use against a live enterprise. BlueHammer has been patched via CVE-2026-33825; RedSun and UnDefend remain unpatched zero-days. BeigeBurrow served as a covert C2. The intrusion involved VPN logins from Russia and other countries, with binary artifacts including FunnyApp.exe, RedSun.exe, undef.exe, and the BeigeBurrow domain staybud.dpdns.org. Mitigations include applying the April 2026 patch, scanning for artifacts in user-writable paths, reviewing VPN authentication logs for multi-country access, blocking agent.exe -server -hide, and applying the published YARA rule to detect BeigeBurrow.

Disgruntled researcher leaks Defender zero-days, leaving Windows users exposed
computing, 1 month ago

A disgruntled security researcher leaked three Microsoft Defender zero-days—BlueHammer, RedSun and UnDefend—exposing over a billion Windows users; BlueHammer has been patched in the April 2026 updates, while RedSun and UnDefend remain unpatched but are already being exploited in the wild. Users should install the April 2026 security updates now and monitor for future patches, with additional antivirus protection to bolster defenses.