Windows Under Attack: Three Zero-Days of Microsoft Defender Fall into the Hands of Hackers
Three exploits published online directly target Microsoft Defender. The incident, stemming from a friction between the researcher community and the Redmond giant, quickly shifted from theoretical discussions to real-world damages. Analysts from Huntress Labs have confirmed the detection of 'hands-on-keyboard' malicious activity actively exploiting three previously unknown vulnerabilities, codenamed BlueHammer, RedSun, and UnDefend.
The Huntress SOC is observing the use of Nightmare-Eclipse's BlueHammer, RedSun, and UnDefend exploitation techniques.
Investigation by:
@wbmmfq,
@Curity4201, +
@_JohnHammond
-- Huntress (@HuntressLabs)
April 16, 2026
The origin of the compromise dates back to the early days of April, when a security researcher known as "Chaotic Eclipse" (or Nightmare-Eclipse) decided to publicly release the Proof-of-Concept (PoC) code for all three vulnerabilities. The publication was not an accident, but an explicit form of protest against the handling of reports by the Microsoft Security Response Center (MSRC). This release instantly turned the bugs into zero-days, providing threat actors with the necessary tools to bypass or manipulate the defenses built into the operating system.
RedSun and BlueHammer: Technical Details of the Exploits
Among the most critical vulnerabilities is RedSun, a Local Privilege Escalation (LPE) bug that allows a malicious user to gain maximum SYSTEM privileges on Windows 10, Windows 11, and Windows Server 2019 or later machines. RedSun abuses the logic with which Defender manages files equipped with a 'cloud tag'. When the antivirus identifies a file with this attribute, it attempts to rewrite it in its original location. By manipulating this behavior, the exploit can overwrite critical system files, permitting privilege escalation even on systems that have installed the April 2026 security patches.
The situation is different for BlueHammer (now tracked as CVE-2026-33825). Although it has also been used in documented attacks since April 10, Microsoft managed to include a fix in the cumulative Patch Tuesday package for April. However, the delay between the PoC publication and the patch release left a time window during which attackers could indiscriminately target unpatched infrastructures.
The third threat, dubbed UnDefend, does not directly aim for system control but rather for its 'blindness'. By exploiting this flaw, a standard user can systematically block updates to Microsoft Defender's definitions. In a complex attack scenario, UnDefend acts as an enabler: by preventing the antivirus from receiving the latest malware signatures, attackers can deploy subsequent payloads without the fear of being detected by heuristic and signature-based scanning engines.
Currently, both RedSun and UnDefend remain without an official patch. Microsoft, when questioned about the issue, reiterated its commitment to investigating reported security issues while defending the coordinated disclosure (CVD) model as a fundamental practice to protect customers before information becomes public. Nonetheless, in the case of Chaotic Eclipse, the coordination process abruptly broke down, leaving millions of devices exposed to attacks that, as observed in the case of a compromised SSLVPN user, show the precision and manual skill typical of experienced hacker groups.