{
  "Event": {
    "analysis": "1",
    "date": "2026-04-20",
    "extends_uuid": "",
    "info": "[Threat Intel] Nightmare-Eclipse Tooling Seen in Real-World Intrusion",
    "protected": false,
    "publish_timestamp": "1776783233",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1776783233",
    "uuid": "39d528af-d721-4e01-a2c5-688dd2949bef",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#8f20d0",
        "local": false,
        "name": "misp-galaxy:producer=\"Huntress\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#7773ac",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"",
        "relationship_type": ""
      },
      {
        "colour": "#d74cce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Account Control - T1548.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Account - T1087.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Account - T1087.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#682cad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#44e07f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Token Impersonation/Theft - T1134.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#387fd2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Share Connection Removal - T1070.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#f07d7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776769207",
        "to_ids": false,
        "type": "link",
        "uuid": "1cc60340-450c-4fbd-9bb2-b1ae76ee5f9b",
        "value": "https://www.huntress.com/blog/nightmare-eclipse-intrusion"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776769207",
        "to_ids": false,
        "type": "text",
        "uuid": "6f100b8b-0b05-45f0-bb4b-a59ed3a44fd5",
        "value": "Activity involving BlueHammer, RedSun, and UnDefend tooling from the Nightmare-Eclipse proof-of-concept repository was observed during a live intrusion investigation. The malicious binaries were staged in user-writable directories, including the Pictures and Downloads folders, but execution attempts failed even though the actor was performing hands-on-keyboard reconnaissance at the time. The threat actor appeared unfamiliar with the tools, misspelling command parameters and attempting non-functional flags. Initial access was traced to compromised FortiGate SSL VPN credentials, with VPN logins arriving from IP addresses geolocated to Russia, Singapore, and Switzerland (geolocation reflects the connecting address, not necessarily the operator's location; proxied infrastructure is tagged in this event). A Go-based tunneling agent dubbed BeigeBurrow was deployed for persistent access, beaconing to attacker infrastructure over port 443 and using HashiCorp's yamux library for multiplexed reverse tunneling."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776769207",
        "to_ids": false,
        "type": "text",
        "uuid": "cabf7918-f3a9-43d3-8a4b-9e7628e3b5e0",
        "value": "Name: Nightmare-Eclipse Tooling Seen in Real-World Intrusion\nAuthor: AlienVault\nAdversary: \nTags: [\"undefend\", \"beigeburrow\", \"nightmare-eclipse\", \"cve-2026-33825\", \"redsun\", \"windows defender bypass\", \"bluehammer\", \"fortigate vpn\", \"privilege escalation\"]\nTgtd countries: []\nMlwr families: [\"BlueHammer\", \"RedSun\", \"UnDefend\", \"BeigeBurrow\"]\nAttack_ids: [\"T1133\", \"T1548.002\", \"T1036.005\", \"T1087.002\", \"T1087.001\", \"T1082\", \"T1190\", \"T1055\", \"T1021\", \"T1090\", \"T1552.001\", \"T1134.001\", \"T1070.005\", \"T1562.001\", \"T1078\", \"T1571\", \"T1059.003\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "SSL VPN client (source) IP geolocated to Russia, tied to the unauthorized VPN logins. Note: this attribute is typed ip-dst although it is the connecting source address; when hunting in FortiGate SSL VPN/authentication logs, match it against the remote (source) address field.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776258",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a5c9c9ef-6235-45d8-a4b9-2696931d72ae",
        "value": "78.29.48.29",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776769207",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "bdcfecf6-213e-45f5-a886-7303cea3aeb1",
        "value": "CVE-2026-33825"
      },
      {
        "category": "Payload delivery",
        "comment": "agent.exe sample (BeigeBurrow tunneling agent). No sample available in VirusTotal as of 2026-04-21, so the hash is taken from the vendor report and could not be cross-checked against a retrieved binary.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773643",
        "to_ids": true,
        "type": "sha256",
        "uuid": "437ce1c5-6bd6-479c-a64e-abc502055499",
        "value": "a2b6c7a9c4490df70de3cdbfa5fc801a3e1cf6a872749259487e354de2876b7c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Additional SSL VPN client (source) IP geolocated to Singapore. Typed ip-dst here although it is the connecting source address; match on the remote (source) address field in VPN/authentication logs.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776279",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "db56e1eb-c5a9-44e6-bc42-4ae95d943e8d",
        "value": "212.232.23.69",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Hostname contacted by the tunneling activity (consistent with the BeigeBurrow agent beaconing over port 443 described in this event). dpdns.org appears to be a shared dynamic-DNS zone, so match on this full hostname rather than the parent domain, and re-resolve it periodically since the backing IP may change.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776300",
        "to_ids": true,
        "type": "hostname",
        "uuid": "5c0b6def-622d-443e-a7a5-106fc75a7756",
        "value": "staybud.dpdns.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Additional SSL VPN client (source) IP geolocated to Switzerland. Typed ip-dst here although it is the connecting source address; match on the remote (source) address field in VPN/authentication logs.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776321",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "be68eae1-e77f-43ce-9bed-29aaf3253045",
        "value": "179.43.140.214",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}