Mallory
Exploits CVEs in the wild

Nightmare-Eclipse

Also known as: Nightmare-Eclipse

Nightmare Eclipse is a bug hunter/researcher publicly associated with the disclosure of multiple Windows zero-days and proof-of-concept releases affecting Microsoft platforms. The source reporting describes Nightmare Eclipse as having published details and, in some cases, full proof-of-concept exploit code for six zero-days, and as having promised additional releases. Known aliases in the reporting are Nightmare Eclipse and Nightmare-Eclipse.

The actor is credited with the discovery of RedSun (CVE-2026-41091), a local privilege escalation vulnerability in the file remediation workflow of Microsoft Windows Defender. According to the reporting, RedSun lets an unprivileged user abuse Defender's SYSTEM-privileged file operations, together with NTFS junctions, Cloud Files placeholders, Volume Shadow Copy detection, and opportunistic locks, to obtain arbitrary file writes into C:\Windows\System32 and ultimately execute code as NT AUTHORITY\SYSTEM.

Nightmare Eclipse is also associated with two public GitHub releases, GreenPlasma and YellowKey. GreenPlasma is described as an incomplete Windows local privilege escalation proof of concept, or building block, involving arbitrary memory section creation and the Windows CTFMON service; it is not a complete exploit. YellowKey is described as a Windows login and BitLocker bypass technique that requires physical access, demonstrated against TPM-only BitLocker systems and leveraging WinRE/FsTx behavior to obtain a cmd.exe prompt while the drive is unlocked. Nightmare-Eclipse claimed that the core YellowKey issue also bypasses TPM and PIN configurations, but the public proof of concept does not currently demonstrate a bypass of TPM and PIN protections.

The reporting does not identify Nightmare Eclipse as a nation-state actor or intrusion set. Instead, it characterizes the actor as a disgruntled bug hunter engaged in a public dispute with Microsoft over vulnerability disclosure and patching.

MITRE ATT&CK tradecraft

30 distinct techniques observed across reporting, grouped by tactic: 10 of 15 tactics, 44 technique entries. ×N = number of intelligence reports citing this technique.
TA0042 Resource Development (1 technique)
  T1587 Develop Capabilities
    T1587.004 Exploits

TA0001 Initial Access (1 technique)
  T1190 Exploit Public-Facing Application (×3)

TA0002 Execution (4 techniques)
  T1053 Scheduled Task/Job
  T1059 Command and Scripting Interpreter
    T1059.003 Windows Command Shell
  T1559 Inter-Process Communication
    T1559.001 Component Object Model
  T1574 Hijack Execution Flow (×4)
    T1574.010 Services File Permissions Weakness

TA0003 Persistence (5 techniques)
  T1037 Boot or Logon Initialization Scripts (×2)
    T1037.005 Startup Items
  T1053 Scheduled Task/Job
  T1112 Modify Registry
  T1543 Create or Modify System Process
  T1556 Modify Authentication Process (×4)

TA0004 Privilege Escalation (7 techniques)
  T1037 Boot or Logon Initialization Scripts (×2)
    T1037.005 Startup Items
  T1053 Scheduled Task/Job
  T1055 Process Injection
  T1068 Exploitation for Privilege Escalation (×11)
  T1134 Access Token Manipulation (×2)
  T1543 Create or Modify System Process
  T1548 Abuse Elevation Control Mechanism (×2)
    T1548.002 Bypass User Account Control (×3)

TA0005 Stealth (6 techniques)
  T1055 Process Injection
  T1070 Indicator Removal
    T1070.004 File Deletion (×3)
  T1134 Access Token Manipulation (×2)
  T1211 Exploitation for Stealth (×7)
  T1218 System Binary Proxy Execution (×2)
  T1574 Hijack Execution Flow (×4)
    T1574.010 Services File Permissions Weakness

TA0112 Defense Impairment (3 techniques)
  T1112 Modify Registry
  T1222 File and Directory Permissions Modification (×2)
  T1556 Modify Authentication Process (×4)

TA0006 Credential Access (3 techniques)
  T1003 OS Credential Dumping
  T1555 Credentials from Password Stores
  T1556 Modify Authentication Process (×4)

TA0011 Command and Control (1 technique)
  T1572 Protocol Tunneling

TA0040 Impact (3 techniques)
  T1486 Data Encrypted for Impact
  T1499 Endpoint Denial of Service (×2)
  T1561 Disk Wipe
    T1561.001 Disk Content Wipe
IOCs / Observables

2 indicators (domains, IPs, hashes, or other artifacts pulled from reporting) are attributed to this actor. The IOC values are gated and are not shown on this page.
