On April 2, 2026, a security researcher operating under the alias Nightmare-Eclipse (also known as Chaotic Eclipse) published the BlueHammer exploit on GitHub following a reported dispute with Microsoft’s Security Response Center (MSRC) over the handling of the vulnerability disclosure process.
The zero-day, now tracked as CVE-2026-33825, exploits a time-of-check to time-of-use (TOCTOU) race condition and path confusion flaw within Windows Defender’s signature update workflow, enabling a low-privileged local user to escalate to SYSTEM-level access on fully patched Windows 10 and Windows 11 systems.
The exploit abuses the interaction between Microsoft Defender’s file remediation logic, NTFS junction points, the Windows Cloud Files API, and opportunistic locks (oplocks); no kernel exploit or memory corruption is required.
Shortly after BlueHammer’s release, Nightmare-Eclipse published two additional tools: RedSun, which also achieves SYSTEM privileges on Windows 10, Windows 11, and Windows Server 2019, and later even after the April Patch Tuesday patches; and UnDefend, which disrupts Defender’s update mechanism to progressively degrade its protective capabilities.
Huntress researchers are now actively observing threat actors weaponizing all three techniques against live targets. Binaries have been staged in low-privilege user directories, specifically within Pictures folders and two-letter subfolders inside Downloads directories using the same filenames from the original PoC repositories: FunnyApp.exe and RedSun.exe, and in some instances, renamed to z.exe.
On April 10, 2026, the execution of BlueHammer was detected via:
C:Users[REDACTED]PicturesFunnyApp.exeWindows Defender blocked and quarantined the file, detecting it as Exploit:Win32/DfndrPEBluHmrBZ with a severity classification of Severe [file:3]. The threat was detected in real-time at 19:43:37 UTC and quarantined within under two minutes.
On April 16, 2026, a second incident was recorded involving:
C:Users[REDACTED]DownloadsRedSun.exeThis invocation triggered a Virus:DOS/EICAR_Test_File alert a deliberate component of RedSun’s attack technique, which uses an EICAR test file to bait Defender’s real-time engine into a detection-and-remediation cycle that can then be manipulated.
Additionally, a secondary process, Undef.exe, was detected running with the command line argument -agressive, spawned as a child process of cmd.exe under Explorer.EXE, and flagged at High severity by ThreatOps Hunting rules.
Critically, both exploitation attempts followed a pattern of manual enumeration commands consistent with hands-on-keyboard threat actor activity, including:
whoami /priv — to enumerate current user privilegescmdkey /list — to identify stored credentialsnet group — to map Active Directory group membershipsThis pre-exploitation reconnaissance pattern strongly suggests a skilled adversary conducting targeted intrusions rather than opportunistic automated attacks.
Microsoft patched CVE-2026-33825 (BlueHammer) in the April 2026 Patch Tuesday update cycle. However, RedSun and UnDefend remain unpatched as of this writing, leaving millions of Windows systems at ongoing risk. Security teams should immediately:
Pictures, Downloads subfolders)whoami /priv, cmdkey /list, and net group execution chains in endpoint telemetryFollow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Leaked Windows Defender 0-Day Vulnerability Actively Exploited in Attacks appeared first on Cyber Security News.
Ubiquiti Networks has released urgent security updates to address a series of highly critical vulnerabilities…
PERU, Ind. (WOWO) — Indiana State Police detectives are investigating a shooting that occurred late…
An empty field lies next to the Tennessee Truck Center at Ford's BlueOval City campus…
Riot Games has stepped in to squash rumors that it is using its Vanguard anti-cheat…
For Memorial Day, Dell is offering an Alienware 16X Aurora gaming laptop that's loaded with…
Forza Horizon 6 for PC and Xbox was released on May 19. This is the…
This website uses cookies.