Two months, seven zero-days, and still nobody knows who this person is...

Somewhere out there is a security researcher who has spent the last ten weeks methodically dismantling Microsoft Defender, one TOCTOU race condition at a time, under the names Nightmare-Eclipse, Chaotic Eclipse, Dead Eclipse, and — in a flourish that deserves its own museum exhibit — "MSNightmare," a GitHub account that lists its affiliation as, simply, "Microsoft." Seven exploits. Multiple confirmed in-the-wild intrusions. A grudge match with the world's third-largest company conducted almost entirely through Blogger posts and strategically deployed Resident Evil screenshots.

And in two months of trying, the combined investigative might of the cybersecurity press, several billion-dollar security vendors, assorted LinkedIn threat-intel personalities, and at least one man who promised to reveal "the real name" on a livestream "in one hour" has produced exactly zero confirmed facts about who this person actually is.

This is not a knock on any one outlet. This is a celebration of the genre.

The case of the vanishing footnote

The high-water mark of the attribution effort so far is a claim, repeated breathlessly across the security blogosphere this week, that Nightmare-Eclipse has been identified as a former Microsoft security employee who worked there full-time from September 2022 to June 2025 — "according to investigative analysis from Brian Krebs and The Register," per the citation making the rounds.

We went and found the actual Krebs piece. Here is the entirety of what it says on the subject: "Nightmare Eclipse claims to be a former employee of Microsoft, although Microsoft has not responded to questions about this claim." That's the whole thing. No dates. No title. No department. Just the researcher's own unverified self-description, with Krebs doing exactly what a careful reporter should do — printing the claim and immediately noting nobody's confirmed it. The Register, for its part, doesn't even go that far; it just relays the same "rumored to be a former employee" line everyone else has been passing around like a chain letter since Barracuda first floated it in May.

Somewhere between Krebs's careful hedge and this week's confident "September 2022 to June 2025," someone invented an entire HR record out of thin air and attached two of journalism's most respected bylines to it as a courtesy. We don't know who did this first. We do know it's now load-bearing infrastructure in at least one Medium post's entire thesis. Welcome to the attribution industrial complex: where a sourcing chain is just a rumor wearing a better suit each time it changes hands.

The evidence locker, such as it is

Strip away the citation laundering and here's the actual case file the internet has assembled on Nightmare-Eclipse:

The researcher demonstrates "insider-level familiarity" with Windows internals — which, respectfully, describes roughly four thousand people who have ever published a Project Zero writeup, defended a thesis on the Cloud Filter driver, or simply read enough Microsoft documentation to develop a personality disorder about it.

The researcher once posted an image of Albert Wesker, the Resident Evil villain and former corporate bioweapons researcher who went rogue against his old employer. This has been treated, in some corners, as a meaningful clue. It is, generously, a guy with a sense of humor about his own arc. CyberScoop — to its credit — simply wrote that the researcher "couldn't be identified or reached for comment" and left it there, which is the correct length for that sentence.

And then there's Cybercrime101's promised livestream reveal, which we will not be linking to, on the grounds that "the real name of Nightmare Eclipse, in one hour, live on LinkedIn" is not a sourcing methodology so much as a personality.

What we actually know

Here's the unglamorous truth: nobody has named this person. Not Microsoft, who has had every institutional incentive to do so and instead settled for vague references to its Digital Crimes Unit that it then had to walk back after the security community pointed out how that sounded. Not the FBI, who, as far as the public record shows, hasn't said a word. Not any of the named research shops tracking the exploit chain technically — Huntress, ThreatLocker, Cyderes — all of whom have been admirably disciplined about sticking to what the malware does rather than who might be writing it.

The honest state of play is: someone with real, demonstrated, occasionally alarming Windows internals expertise is angry at Microsoft for reasons that may or may not hold up, is burning that expertise in public on a roughly ten-day cadence, and has so far made every attempt to unmask them look slightly silly in retrospect. That's a genuinely interesting story. It doesn't need a fabricated employment record to be one.

So our advice to the attribution industrial complex, offered with the same affection we'd extend to a dog confidently barking at its own reflection: keep digging, by all means. Just maybe cite the thing you're citing.


Border Cyber Group — independent cybersecurity research and investigative journalism.