
Security researchers report that attackers are leveraging a suite of exploitation methods collectively dubbed “Nightmare-Eclipse,” which includes tools and techniques such as BlueHammer, RedSun, and UnDefend.
These methods appear to originate from publicly available proof-of-concept (PoC) code repositories, indicating rapid weaponization following exposure.
Huntress analysts observed multiple real-world attack attempts involving suspicious binaries staged in low-privilege user directories.
In one confirmed incident, malicious files were placed within a user’s Pictures folder, while other samples appeared in two-letter subdirectories inside the Downloads folder.
The binaries retained naming conventions consistent with original PoC releases, including “FunnyApp.exe” and “RedSun.exe,” though some were obfuscated under generic filenames such as “z.exe.”
On April 10, 2026, a BlueHammer-related payload was executed from the path:
C:\Users\…
Microsoft Defender successfully detected and quarantined the threat, identifying it as “Exploit:Win32/DfndrPEBluHmrBZ.”
This detection suggests that while the vulnerability is being exploited, certain signatures and behavioral patterns are already being tracked by Defender.
However, a second incident on April 16 demonstrated continued attacker experimentation. A binary named “RedSun.exe” was executed from a Downloads directory, triggering a Defender alert associated with the EICAR test file.
Researchers note that this is a deliberate tactic used by attackers to probe antivirus responses and validate exploit execution paths without immediately deploying full payloads.
Notably, both incidents were preceded by a sequence of reconnaissance commands typically associated with hands-on-keyboard intrusion activity.
Observed commands included:
    whoami /priv
    cmdkey /list
    net group
These commands indicate that attackers were actively enumerating user privileges, credential storage, and group memberships before deploying exploitation techniques.
The use of low-privilege directories and publicly known filenames suggests that threat actors are prioritizing stealth and simplicity, blending malicious activity with normal user behavior to evade detection.
Huntress researchers, including Dani L., Tanner Filip, and John Hammond, are continuing to investigate the scope and impact of this vulnerability.
Early findings suggest that the exploit chain may enable security feature bypasses within Defender under certain conditions, though full technical details have not yet been publicly disclosed.
Organizations are advised to closely monitor endpoint activity, particularly execution from user directories, and review logs for suspicious enumeration commands.
Ensuring Defender signatures are up to date and enabling advanced behavioral detection features may help mitigate risk while the vulnerability remains under active investigation.
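The monitoring advice above (execution from user directories, preceded by the enumeration commands listed earlier) can be turned into a simple correlation rule. The following Python script is an added example written for this article, not Huntress tooling or anything from the original report: it runs over constructed process-creation records of the kind Sysmon Event ID 1 or Windows Security event 4688 would supply, and flags any execution from the staging locations the report describes (a user's Pictures folder, or a two-letter subdirectory under Downloads) that was preceded, by the same user within a time window, by at least two distinct reconnaissance commands. The sample events, user names and paths are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): process-creation records reduced to
# the fields this rule needs. A real feed would come from Sysmon Event ID 1 or
# Security event 4688 exported to JSON by your SIEM.
SAMPLE_EVENTS = [
    {"time": "2026-04-16T09:01:10", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /priv"},
    {"time": "2026-04-16T09:01:25", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\cmdkey.exe", "cmdline": "cmdkey /list"},
    {"time": "2026-04-16T09:01:40", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net group"},
    {"time": "2026-04-16T09:03:05", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\ab\RedSun.exe", "cmdline": "RedSun.exe"},
    # Benign-looking installer from a normally named Downloads subfolder, no recon before it.
    {"time": "2026-04-16T10:15:00", "user": "CORP\\asmith",
     "image": r"C:\Users\asmith\Downloads\setup\installer.exe", "cmdline": "installer.exe /s"},
    # A bare "whoami" is common admin activity and should not count as /priv enumeration.
    {"time": "2026-04-16T11:00:00", "user": "CORP\\bwong",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
]

# The three enumeration commands named in the report. "net" may run as net1.exe.
RECON_PATTERNS = [
    re.compile(r"^\s*whoami(?:\.exe)?\s+/priv\b", re.I),
    re.compile(r"^\s*cmdkey(?:\.exe)?\s+/list\b", re.I),
    re.compile(r"^\s*net1?(?:\.exe)?\s+group\b", re.I),
]

# Staging locations from the report: the Pictures folder, and two-character
# subdirectories directly under Downloads.
STAGING_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\pictures\\", re.I),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\downloads\\[a-z0-9]{2}\\", re.I),
]


def is_recon_command(cmdline: str) -> bool:
    """True if the command line is one of the reconnaissance commands from the report."""
    return any(p.search(cmdline) for p in RECON_PATTERNS)


def is_staged_in_user_dir(image: str) -> bool:
    """True if the executed image lives in one of the low-privilege staging locations."""
    return any(p.search(image) for p in STAGING_PATTERNS)


def find_suspicious_sequences(events, window_minutes: int = 30, min_recon: int = 2):
    """Return executions from staging directories that the same user preceded, within
    window_minutes, with at least min_recon distinct reconnaissance commands."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["ts"],
    )
    window = timedelta(minutes=window_minutes)
    findings = []
    for i, ev in enumerate(parsed):
        if not is_staged_in_user_dir(ev["image"]):
            continue
        # Count distinct recon commands (by pattern), not raw events, so repeating
        # "whoami /priv" three times does not satisfy the threshold on its own.
        recon_seen = {
            p.pattern
            for prior in parsed[:i]
            if prior["user"] == ev["user"] and ev["ts"] - prior["ts"] <= window
            for p in RECON_PATTERNS
            if p.search(prior["cmdline"])
        }
        if len(recon_seen) >= min_recon:
            findings.append({
                "time": ev["time"],
                "user": ev["user"],
                "image": ev["image"],
                "recon_count": len(recon_seen),
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sequences(SAMPLE_EVENTS):
        print(f"[ALERT] {f['time']} {f['user']} ran {f['image']} "
              f"after {f['recon_count']} recon commands")
```

The staging-directory check on its own would also fire on the ordinary installer run from Downloads\setup, which is why the rule requires the reconnaissance prelude before raising an alert; tune `window_minutes` and `min_recon` to the noise level of your environment, and treat a lone execution from Pictures or a two-letter Downloads folder as a lower-severity hunting lead rather than an alert.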
The post Windows Defender Zero-Day Leak Fuels Active Exploitation Campaigns appeared first on Cyber Security News.
