{
  "name": "Nightmare-Eclipse Tooling Seen in Real-World Intrusion",
  "slug": "nightmare-eclipse-tooling-seen-in-real-world-intrusion",
  "description": "Activity involving BlueHammer, RedSun, and UnDefend tooling from the Nightmare-Eclipse proof-of-concept repository was observed during a live intrusion investigation. The malicious binaries were staged in user-writable directories, including the Pictures and Downloads folders, and execution attempts failed even though the actor carried out hands-on-keyboard reconnaissance. The threat actor demonstrated unfamiliarity with the tools, misspelling command parameters and attempting non-functional flags. Initial access was traced to compromised FortiGate SSL VPN credentials, with connections originating from Russia, Singapore, and Switzerland. A Go-based tunneling agent dubbed BeigeBurrow was deployed for persistent access, beaconing to attacker infrastructure over port 443 and using HashiCorp's yamux library for multiplexed reverse tunneling.",
  "published": "2026-04-20T20:28:22.703000+00:00",
  "created_at": "2026-04-21T09:28:09.937000+00:00",
  "modified_at": "2026-04-21T07:28:10+00:00",
  "created_at_opencti": "2026-04-21T09:28:09.937000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "beigeburrow",
    "bluehammer",
    "cve-2026-33825",
    "fortigate vpn",
    "nightmare-eclipse",
    "privilege escalation",
    "redsun",
    "undefend",
    "windows defender bypass"
  ],
  "tags": [
    "2026-04-20",
    "CVE-2026-33825",
    "beigeburrow",
    "bluehammer",
    "fortigate vpn",
    "nightmare-eclipse",
    "privilege-escalation",
    "redsun",
    "undefend",
    "windows defender bypass"
  ],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "c745123e-6601-4b79-a524-679f266ce042",
        "name": "CVE-2026-33825"
      }
    ],
    "indicators": [
      {
        "id": "827ecbf2-3638-42cb-9f3d-6ace2d732133",
        "name": "a2b6c7a9c4490df70de3cdbfa5fc801a3e1cf6a872749259487e354de2876b7c"
      },
      {
        "id": "e4051a52-1834-4bb1-9eb9-67604f24f544",
        "name": "78.29.48.29"
      },
      {
        "id": "e17c21d2-6016-4248-ac52-0eb11c81bf1b",
        "name": "212.232.23.69"
      }
    ],
    "attack_patterns": [
      {
        "id": "9e6c4b38-f4e1-4b1f-b90a-222f881acbab",
        "name": "T1087.002"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "d048ac4b-dd28-4c66-b62b-fe25cefef481",
        "name": "T1548.002"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "34f2880c-8816-4d41-9f3b-be18cc23fffb",
        "name": "T1070.005"
      },
      {
        "id": "3ef9ffa3-6685-41f3-899b-250f06979505",
        "name": "T1134.001"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "a6b6df0a-93c1-4ddf-8403-2bc47590f9fe",
        "name": "T1087.001"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "malware": [
      {
        "id": "1fbbcf1e-7828-4581-aa45-0281cd33f99c",
        "name": "BlueHammer",
        "slug": "bluehammer"
      },
      {
        "id": "2fba4eba-c3cf-46d2-85c9-f93d278c7188",
        "name": "UnDefend",
        "slug": "undefend"
      },
      {
        "id": "14b0cb2a-54d5-42bd-82d6-882c8424d0c1",
        "name": "RedSun",
        "slug": "redsun"
      },
      {
        "id": "729e2b2c-fbc7-49a6-a50d-a22a22e7e5a7",
        "name": "BeigeBurrow",
        "slug": "beigeburrow"
      }
    ],
    "observables": [
      {
        "id": "058ecf13-2fcc-4cd4-bd0f-04cb0409f46a",
        "name": "78.29.48.29"
      },
      {
        "id": "fad740f8-7447-44d4-b538-68c6524bff7c",
        "name": "212.232.23.69"
      },
      {
        "id": "",
        "name": "a2b6c7a9c4490df70de3cdbfa5fc801a3e1cf6a872749259487e354de2876b7c"
      }
    ]
  },
  "external_refs": [
    {
      "id": "cb9eb5a7-568a-4aa4-b076-702292e408f7",
      "standard_id": "external-reference--2048cf43-fddc-57bb-a90c-9b299586bf78",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.huntress.com/blog/nightmare-eclipse-intrusion",
      "hash": null,
      "external_id": null,
      "created": "2026-04-21T09:28:08.337Z",
      "modified": "2026-04-22T18:05:51.989Z",
      "createdById": null
    },
    {
      "id": "8c8dfc7b-739e-42d8-b6c2-aeb8d5fc4580",
      "standard_id": "external-reference--f59466f5-056a-5b88-b110-5c1d334c25d4",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69e68c661e82c96759b91265",
      "hash": null,
      "external_id": "69e68c661e82c96759b91265",
      "created": "2026-04-21T09:28:08.312Z",
      "modified": "2026-04-21T09:28:08.312Z",
      "createdById": null
    }
  ]
}