TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Nightmare-Eclipse Tooling Seen in Real-World Intrusion

2026-04-20

ATT&CK techniques detected

30 predictions (technique, confidence, supporting excerpt from the Huntress article):

T1078 Valid Accounts (98%)
"…happened or what was occurring behind the scenes here. What we do know is that this occurred after the initial compromise had started and after the adversary had attempted to execute BlueHammer for the first time. Figure 3: whoami /priv was spawned from an M365Copilot process (…"

T1055.001 Dynamic-link Library Injection (97%)
"…Defender will attempt to restore the cloud file placeholder to. - In this TOCTOU window, the %TEMP%\RS-{GUID} path is converted to a mount point at C:\Windows\System32 instead. Arbitrary write and privilege escalation - Defender attempts to restore the "malicious fi…"

T1003.002 Security Account Manager (96%)
"…database, one that would ordinarily require SYSTEM-level access. - BlueHammer constructs a redirectable path to its staged update files and instructs Defender, through its own internal update interface, to import a signature update from that location. Defender scaffolds a new d…"

T1068 Exploitation for Privilege Escalation (92%)
"…, Nightmare-Eclipse focuses heavily on the Volume Shadow Copy system. When Defender attempts remediation of a given malicious file or enters certain update paths, a volume shadow copy is created as a method to ensure system integrity. And lastly, there's a heavy focus on race…"

T1204.002 Malicious File (90%)
"…compromised machine by simply opening a new yamux stream and sending a target address. All of this traffic flows through a single outbound TCP connection. Mitigation guidance: Organizations should treat any signs of BlueHammer, RedSun, or UnDefend execution as urgent incident resp…"

T1204.002 Malicious File (90%)
"…exe, undef.exe, and a renamed variant, z.exe. On April 10, Huntress observed C:\Users\[redacted]\Pictures\funnyapp.exe, and Windows Defender blocked and quarantined it as Exploit:Win32/DfndrPEBluHmr.BZ. Huntress later confirmed the quarantined binary was a buil…"

T1505.004 IIS Components (88%)
"…compromised machine by simply opening a new yamux stream and sending a target address. All of this traffic flows through a single outbound TCP connection. Mitigation guidance: Organizations should treat any signs of BlueHammer, RedSun, or UnDefend execution as urgent incident resp…"

T1003.002 Security Account Manager (88%)
"…parses the SAM hive itself, and decrypts each user's NT hash (password representation). Armed with valid hashes, BlueHammer then temporarily changes each user's password to $pwned666!!!wdfail, which it then uses to generate admin sessions. These admin sessions are ultimat…"

T1195.002 Compromise Software Supply Chain (77%)
"…exe, undef.exe, and a renamed variant, z.exe. On April 10, Huntress observed C:\Users\[redacted]\Pictures\funnyapp.exe, and Windows Defender blocked and quarantined it as Exploit:Win32/DfndrPEBluHmr.BZ. Huntress later confirmed the quarantined binary was a buil…"

T1068 Exploitation for Privilege Escalation (71%)
"…Nightmare-Eclipse Tooling Seen in Real-World Intrusion. Acknowledgments: Special thanks to Dani Lopez, Tanner Filip, Anton Ovrutsky, Lindsey O'Donnell-Welch, and John Hammond for their contributions to this investigation and write-up. This article was also written with …"

T1036.005 Match Legitimate Resource Name or Location (66%)
"…exe, undef.exe, and a renamed variant, z.exe. On April 10, Huntress observed C:\Users\[redacted]\Pictures\funnyapp.exe, and Windows Defender blocked and quarantined it as Exploit:Win32/DfndrPEBluHmr.BZ. Huntress later confirmed the quarantined binary was a buil…"

T1505.004 IIS Components (64%)
"…e -agressive - C:\Users\[redacted]\Downloads\ks\z.exe. Notably, during the execution of UnDefend, the adversary showed that they were not particularly familiar with the tooling they were working with. As noted earlier, UnDefend does not have user-selectable mode…"

T1068 Exploitation for Privilege Escalation (59%)
"…the vulnerability disclosure processes. As a result of that frustration, they published a series of local privilege escalation techniques, dubbed BlueHammer, RedSun, and UnDefend. As part of its April 2026 updates, Microsoft rolled out a patch for the BlueHammer vulnerability (t…"

T1071 Application Layer Protocol (58%)
"…compromised machine by simply opening a new yamux stream and sending a target address. All of this traffic flows through a single outbound TCP connection. Mitigation guidance: Organizations should treat any signs of BlueHammer, RedSun, or UnDefend execution as urgent incident resp…"

T1055.001 Dynamic-link Library Injection (50%)
"…Nightmare-Eclipse Tooling Seen in Real-World Intrusion. Acknowledgments: Special thanks to Dani Lopez, Tanner Filip, Anton Ovrutsky, Lindsey O'Donnell-Welch, and John Hammond for their contributions to this investigation and write-up. This article was also written with …"

T1550.002 Pass the Hash (47%)
"…eService.exe overwrite in the System32 folder. BlueHammer did not successfully extract SAM credentials. And while UnDefend may have executed to some degree successfully, the process was trivially terminated by Huntress' Security Operations Center during response/remediation…"

T1055.001 Dynamic-link Library Injection (47%)
"…takes advantage of the ability for the exploit author to 'pause' Windows Defender with its volume shadow copy exposed. TOCTOU vulnerabilities are often difficult to mitigate, but accepted to some degree because the window to generate a valid race condition is exceptionally smal…"

T1055.001 Dynamic-link Library Injection (46%)
"…. As the investigation developed, Huntress correlated related activity involving BlueHammer, RedSun, and UnDefend, all tied to public Nightmare-Eclipse tooling. The activity also appeared to be part of a broader intrusion rather than isolated proof-of-concept (PoC) testin…"

T1204.002 Malicious File (45%)
"…stop — not specifically during a major platform update as the README suggests, but during any service stop event. When that fires, UnDefend immediately locks mpavbase.vdm at the active signature location, preventing Defender from reloading its signature base on restart. One impo…"

T1566.004 Spearphishing Voice (43%)
"…compromised machine by simply opening a new yamux stream and sending a target address. All of this traffic flows through a single outbound TCP connection. Mitigation guidance: Organizations should treat any signs of BlueHammer, RedSun, or UnDefend execution as urgent incident resp…"

T1068 Exploitation for Privilege Escalation (40%)
"…(SAM) database, which houses credential materials in the Windows system. Figure 1: Microsoft update page for CVE-2026-33825. The first is Common Weakness Enumeration (CWE) 367, a concept known as time of check, time of use (TOCTOU). TOCTOU vulnerabilities, classified ov…"

T1572 Protocol Tunneling (40%)
"…time period. - Investigate suspicious execution of agent.exe -server staybud.dpdns[.]org:443 -hide or similar tunneling behavior. What is Huntress doing? Huntress isolated the affected organization and continued investigating the observed binaries, access logs, and follo…"

T1090.001 Internal Proxy (38%)
"…appearing in a vacuum, but alongside evidence of likely remote access abuse and broader intrusion activity. BeigeBurrow: a Go-based yamux reverse tunnel agent. Huntress also identified a binary named agent.exe executing under the compromised victim user context with the follow…"

T1055.001 Dynamic-link Library Injection (37%)
"…stop — not specifically during a major platform update as the README suggests, but during any service stop event. When that fires, UnDefend immediately locks mpavbase.vdm at the active signature location, preventing Defender from reloading its signature base on restart. One impo…"

T1505.004 IIS Components (37%)
"…stop — not specifically during a major platform update as the README suggests, but during any service stop event. When that fires, UnDefend immediately locks mpavbase.vdm at the active signature location, preventing Defender from reloading its signature base on restart. One impo…"

T1003.002 Security Account Manager (36%)
"…s creation before proceeding. - To confirm Defender is actively scanning, BlueHammer places a lock on a system file Defender accesses mid-scan. When that lock breaks, the scan is confirmed in progress. - BlueHammer then registers a fake cloud sync provider, structurally identic…"

T1550.002 Pass the Hash (35%)
"…e -agressive - C:\Users\[redacted]\Downloads\ks\z.exe. Notably, during the execution of UnDefend, the adversary showed that they were not particularly familiar with the tooling they were working with. As noted earlier, UnDefend does not have user-selectable mode…"

T1195.002 Compromise Software Supply Chain (32%)
"…compromised machine by simply opening a new yamux stream and sending a target address. All of this traffic flows through a single outbound TCP connection. Mitigation guidance: Organizations should treat any signs of BlueHammer, RedSun, or UnDefend execution as urgent incident resp…"

T1021 Remote Services (31%)
"…appearing in a vacuum, but alongside evidence of likely remote access abuse and broader intrusion activity. BeigeBurrow: a Go-based yamux reverse tunnel agent. Huntress also identified a binary named agent.exe executing under the compromised victim user context with the follow…"

T1543.003 Windows Service (31%)
"…\System32\TieringEngineService.exe, which is a copy of RedSun. - The binary is relaunched, hits the SYSTEM check, and spawns a shell with the SYSTEM token. UnDefend: UnDefend is Nightmare-Eclipse's take on a modern Windows Defender 'killer'. It doesn't come with user-…"

Summary

Huntress observed in-the-wild use of Nightmare-Eclipse tooling, including BlueHammer, RedSun, and UnDefend, in a live intrusion involving FortiGate VPN compromise as the initial access, reconnaissance commands, and likely tunneling activity.