Nightmare-Eclipse Tooling Seen in Real-World Intrusion
ID: 9f05a9a7-1e61-5160-9eeb-11b3474a145a
STIX ID: report--9f05a9a7-1e61-5160-9eeb-11b3474a145a
Feed Name: Huntress Blog
Huntress observed real-world intrusion activity that leveraged Nightmare-Eclipse tooling (BlueHammer CVE-2026-33825, RedSun, UnDefend) staged in user-writable directories. Initial access was likely gained via compromised FortiGate SSL VPN credentials, followed by hands-on-keyboard reconnaissance and a Go-based yamux reverse tunnel agent (BeigeBurrow) beaconing to attacker infrastructure. The report provides technical analysis, IoCs, and urgent mitigation guidance.