NightmareEclipse is a security researcher persona associated with the public release of Windows exploit-related proof-of-concepts and offensive tooling. Known aliases include Nightmare-Eclipse, Chaotic Eclipse, and MSNightmare. Since at least April 2026, the actor has published a series of Windows-focused releases, including BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and LegacyHive, with LegacyHive identified as the ninth known tool in this sequence. The actor’s work centers on Windows internals, privilege-boundary weaknesses, and abuse of legitimate operating system mechanisms rather than conventional memory-corruption exploitation alone. LegacyHive exemplifies this approach: it targets the Windows User Profile Service by manipulating profile-loading behavior to induce cross-user registry hive loading. The technique chains offline registry hive modification, Object Manager symbolic link redirection, and synchronized profile loading to cause one user’s registry hive to be mounted in another user’s namespace. The public release is characterized as a primitive rather than a complete privilege-escalation chain, but it demonstrates a method that could support follow-on abuse in multi-user Windows environments. NightmareEclipse appears to operate as a public exploit developer or independent offensive researcher rather than a known intrusion set or established nation-state threat actor. No high-confidence attribution links this persona to a government, intelligence service, or financially motivated cybercrime operation. The available information instead indicates a pattern of openly publishing exploit-related research and tooling without coordinated disclosure. Targets are therefore best understood as the Windows platform and its security boundaries, with practical impact highest on shared or multi-user systems such as remote desktop hosts, virtual desktop infrastructure, and enterprise workstations. Observed tradecraft associated with this persona includes publication of proof-of-concept code, exploration of Windows authentication and profile-loading workflows, abuse of symbolic link redirection, offline manipulation of registry hives, and controlled triggering of privileged or cross-user operating system behaviors. The actor’s releases are relevant to defenders because they can accelerate weaponization by other parties even when the original publication stops short of a full operational exploit chain.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
4 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A named researcher/activity cluster associated with releasing a toolkit of Windows-focused offensive security tools and primitives, including the LegacyHive registry hive loading primitive affecting the Windows User Profile Service.
A researcher/operator releasing a series of public Windows exploit tools and primitives without coordinated disclosure, including LegacyHive and prior tools targeting Windows Defender, BitLocker, and other trusted Windows subsystems. The report characterizes the releases as resembling an operator’s toolkit with multiple paths to SYSTEM, BitLocker bypasses, and telemetry suppression.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.