The security researcher who earlier this month published a proof-of-concept (PoC) exploit for a zero-day privilege escalation vulnerability in Microsoft Defender is back with two more.
The first, dubbed “RedSun,” is another privilege escalation flaw in the same platform. The second, “UnDefend,” allows a standard user to block Microsoft Defender from receiving signature updates or disable it entirely (if Microsoft pushes a major Defender update).
And, according to Huntress researchers, all three exploitation techniques have been leveraged in the wild by at least one threat actor.
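The condition UnDefend is reported to cause (signatures no longer arriving, or the engine switched off) is something a defender can check for on an endpoint. The following is an added example, not code from the article or from the researcher's repository; it assumes the Defender PowerShell module (Get-MpComputerStatus) is available on the host, and the 2-day freshness threshold is a locally chosen value rather than one stated in the article.

```powershell
# Added example: Defender health check for the symptoms described above.
# Assumes the Defender PowerShell module is present (Get-MpComputerStatus).
# $MaxSignatureAgeDays is an assumed threshold; tune it to your update cadence.
$MaxSignatureAgeDays = 2

$status = Get-MpComputerStatus
$findings = @()

# Engine / service state: UnDefend is said to be able to disable Defender outright.
if (-not $status.AMServiceEnabled) {
    $findings += "Defender antimalware service is not running"
}
if (-not $status.AntivirusEnabled) {
    $findings += "Antivirus engine is disabled"
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings += "Real-time protection is disabled"
}
if (-not $status.IsTamperProtected) {
    $findings += "Tamper protection is off"
}

# Signature freshness: UnDefend is said to block signature updates.
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
    $findings += ("Antivirus signatures are {0:N1} days old (version {1}, last updated {2})" -f
        $sigAge.TotalDays, $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)
}

if ($findings.Count -eq 0) {
    Write-Output ("Defender health check: OK (signatures {0}, updated {1})" -f
        $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)
} else {
    Write-Warning "Defender health check found $($findings.Count) issue(s):"
    $findings | ForEach-Object { Write-Warning " - $_" }
    exit 1   # non-zero so a scheduled task or RMM job can alert on it
}
```

Run it from an elevated PowerShell session on the endpoint, or schedule it fleet-wide and alert on the non-zero exit code; a signature age well beyond the normal daily cadence on a machine that is otherwise online is the signal worth investigating.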
The new exploits
The researcher, who goes by Chaotic Eclipse and Nightmare Eclipse, released the BlueHammer PoC on April 3, after claiming that a disclosure attempt with the Microsoft Security Response Center went nowhere.
On April 14, Microsoft pushed out security updates that fixed the vulnerability, which received the CVE-2026-33825 identifier. The researchers credited with reporting it – Zen Dodd and Yuanpei Xu – are not “Nightmare Eclipse”.
On April 16, this currently anonymous researcher published the “RedSun” and “UnDefend” PoC exploits to the same GitHub repository, which remains accessible despite a warning from the Microsoft-owned platform.
The effectiveness of the RedSun PoC has been confirmed by vulnerability analyst Will Dormann.
Attacks in the wild
Huntress researchers say that they’ve observed the BlueHammer exploit being blocked by Windows Defender on April 10. On April 16, they also observed the “RedSun” and “UnDefend” PoCs being used.
The attacker dropped the exploit files into the user’s Pictures and Downloads folders and renamed them to avoid suspicion. Then, before launching the exploits, they ran commands to map out user privileges, discover stored credentials, and enumerate the Active Directory structure.
“Huntress has isolated the affected organization to prevent further post-exploitation,” the researchers added.
The ball is now in Microsoft’s court: with the next Patch Tuesday many weeks away, an out-of-band emergency patch looks like the most likely path forward.