Nightmare-Eclipse Tools Exploit FortiGate VPNs in Live Attacks

Severity: High (Score: 74.0)

Sources: Cybersecuritynews, Socprime

Summary

A recent intrusion campaign utilized the Nightmare-Eclipse privilege escalation tools, specifically BlueHammer, RedSun, and UnDefend, following unauthorized access through compromised FortiGate SSL VPN credentials. This incident marks the first confirmed deployment of these tools in a live enterprise environment, impacting organizations globally. Attackers gained access by exploiting compromised VPN sessions traced back to IP addresses in Russia, Singapore, and Switzerland. They executed reconnaissance commands and deployed a custom Go-based tunneling utility named BeigeBurrow to maintain remote access. Malicious binaries were found in user-writable folders, and various commands were executed to enumerate privileges and credentials.

Security teams are advised to monitor for specific binary names and suspicious logins, and to apply patches for CVE-2026-33825, which was publicly disclosed on April 14, 2026. Immediate action is recommended to isolate affected endpoints and reset compromised credentials.

Key Points:

  • Nightmare-Eclipse tools exploited FortiGate SSL VPNs in a live attack.
  • Attackers used BlueHammer, RedSun, and UnDefend for privilege escalation.
  • CVE-2026-33825 was publicly disclosed on April 14, 2026, and is critical for remediation.

Key Entities

  • Malware (attack_type)
  • Nightmare (campaign)
  • Russia (country)
  • Singapore (country)
  • Switzerland (country)
  • CVE-2026-33825 (cve)
  • dfndrpebluhmr.bz (domain)
  • staybud.dpdns.org (domain)
  • BeigeBurrow (malware)
  • FunnyApp (malware)
  • RedSun (vulnerability)
  • BlueHammer (vulnerability)
  • UnDefend (vulnerability)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1133 - External Remote Services (mitre_attack)
  • Fortigate (platform)
  • FortiGate SSL VPN (platform)
  • Windows (platform)
  • Nightmare-Eclipse (tool)
  • PowerShell (tool)