An anonymous security researcher known as Nightmare-Eclipse has publicly released multiple proof-of-concept exploit tools targeting Microsoft Windows Defender without coordinated disclosure, beginning April 2, 2026. Three tools are documented: BlueHammer (CVE-2026-33825), a TOCTOU race condition enabling SYSTEM-level privilege escalation that was patched in April 2026 Patch Tuesday and added to CISA's Known Exploited Vulnerabilities catalog; RedSun (CVE-2026-41091), which abuses Defender's cloud file rollback mechanism to execute attacker-planted binaries as SYSTEM; and UnDefend, which silently disables Defender's signature update pipeline. Huntress Labs confirmed active exploitation of all three tools as early as April 10, 2026, with threat actors observed deploying them under disguised filenames after gaining initial access via compromised FortiGate VPN credentials. Microsoft publicly condemned the uncoordinated disclosures on May 27, 2026, stating they put "customers at unnecessary risk" and noted that six total vulnerabilities across Defender and BitLocker were disclosed without prior notice. RedSun and UnDefend remain unpatched as of May 28, 2026, and the researcher has announced a further major disclosure targeting July 14, 2026.
- Microsoft Condemns "Uncoordinated" Zero Day Disclosures - Infose(opens in a new tab)
- GitLab Suspends Windows Exploit Researcher Nightmare-Eclipse Aft(opens in a new tab)
- Microsoft Calls the Zero-Day Dumps Irresponsible. The Researcher(opens in a new tab)
- Microsoft hits out over irresponsible vulnerability disclosure |(opens in a new tab)
- Microsoft under fire for threatening security researcher with cr(opens in a new tab)
- Microsoft threatens legal action against researcher Nightmare Ec(opens in a new tab)