Threat actors are actively weaponizing three leaked Windows Defender privilege escalation zero-days, BlueHammer, RedSun, and UnDefend, with Huntress SOC confirming hands-on-keyboard attacker activity as two of the three flaws remain completely unpatched.
The Nightmare-Eclipse Disclosure
A security researcher operating under the alias “Nightmare-Eclipse” publicly released proof-of-concept (PoC) exploit code for three critical Windows Defender vulnerabilities in April 2026, following a frustrating disclosure experience with Microsoft’s Security Response Center (MSRC).
The first PoC BlueHammer was published on April 3, 2026, targeting a local privilege escalation (LPE) flaw in the Windows Defender signature update mechanism.
It exploits a time-of-check to time-of-use (TOCTOU) race condition combined with a path confusion issue, ultimately forcing Defender to create a new Volume Shadow Copy, pausing Defender at a critical moment, and then accessing sensitive registry hive files, including the Security Account Manager (SAM) database, to extract and decrypt stored NTLM password hashes.
A successful attack grants the threat actor full SYSTEM-level privileges on the compromised host. On April 16, 2026, the same researcher published two additional PoC exploits to the same GitHub repository: RedSun and UnDefend.
RedSun targets a logical flaw in Windows Defender’s cloud-tag file-handling behavior, where the antivirus inexplicably rewrites a detected malicious file back to its original location rather than deleting it, a quirk that attackers can abuse to overwrite system files and escalate privileges to the administrator level.
UnDefend, the third tool in the trio, enables a standard unprivileged user to block Microsoft Defender from receiving definition updates entirely, effectively neutering the host’s primary defense mechanism.
Huntress SOC: Active In-the-Wild Exploitation Confirmed
The Huntress Security Operations Center (SOC) confirmed active exploitation of all three tools in the wild, with BlueHammer first observed in a real attack as early as April 10, 2026, six days before RedSun and UnDefend were even publicly released.
In each case, the attacker gained initial access via a compromised FortiGate SSLVPN user account, highlighting the ongoing risk of VPN credential theft as an intrusion vector.
Exploit binaries were dropped into low-privilege user directories, specifically a Pictures folder and a two-letter subfolder within the Downloads directory, using the same filenames from the public GitHub repositories: FunnyApp.exe, RedSun.exe, or renamed variants like z.exe to evade casual detection.
Specifically documented incidents include:
- April 10, 2026: C:\Users\[REDACTED]\Pictures\FunnyApp.exe, blocked and quarantined by Windows Defender as Exploit:Win32/DfndrPEBluHmr.BZ, with a severity rating of “Severe” and categorized as a file-sharing program exploit
- April 16, 2026: C:\Users\[REDACTED]\Downloads\RedSun.exe, which triggered a Windows Defender EICAR test file alert, a deliberate component of the RedSun technique’s attack chain, and was subsequently quarantined
Both executions were preceded by a recognizable pre-exploitation enumeration sequence demonstrating clear hands-on-keyboard threat actor activity:
- whoami /priv: mapping user privilege levels
- cmdkey /list: enumerating stored credentials
- net group: probing Active Directory group membership
Additionally, process telemetry captured by the Huntress platform showed Undef.exe, assessed to be the UnDefend tool, spawned as a child of cmd.exe (PID 17004), which was itself running under Explorer.EXE.
The unsigned binary was only 20 KB in size and was executed with the command-line argument -agressive, consistent with UnDefend’s known operational behavior.
Patch Status and Microsoft’s Response
Microsoft addressed BlueHammer as CVE-2026-33825 in its April 2026 Patch Tuesday update cycle. However, as of April 18, 2026, RedSun and UnDefend remain unpatched, meaning their privilege escalation and Defender-disabling capabilities remain fully effective on Windows 10, Windows 11, and Windows Server 2019 and later, even on fully up-to-date systems.
Microsoft has stated it “supports coordinated vulnerability disclosure” and is investigating the remaining issues, but provided no timeline for fixes.
Mitigation Recommendations
Until patches for RedSun and UnDefend are released, organizations should implement the following defensive measures:
- Immediately audit SSLVPN and FortiGate access logs for signs of credential compromise and enforce MFA on all VPN endpoints
- Monitor user-writable directories (Downloads, Pictures, AppData) for unsigned executable staging using EDR behavioral rules
- Alert on known enumeration command sequences (whoami /priv, cmdkey /list, net group) executed in rapid succession, which indicates post-exploitation activity
- Restrict unsigned binary execution via Windows Defender Application Control (WDAC) or AppLocker policies
- Deploy the April 2026 Patch Tuesday updates immediately to close CVE-2026-33825 (BlueHammer)
- Monitor for EICAR-pattern detections used as execution proxies in the RedSun technique
- Enable Tamper Protection in Microsoft Defender to reduce the effectiveness of UnDefend’s definition-blocking capability
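The enumeration sequence reported by Huntress and the monitoring items in the list above translate directly into detection logic. The following Python is an added example, not code from Huntress, the researcher, or this site: it runs three checks over process-creation events (a rapid whoami /priv, cmdkey /list, net group sequence per user; unsigned executables launched from Pictures, Downloads or AppData; and cmd.exe children started with the -agressive argument). The event schema, the five-minute window, and all sample users, paths and PIDs are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 style); field set is assumed."""
    ts: datetime
    user: str
    pid: int
    parent_image: str
    image: str
    cmdline: str
    signed: bool  # assumed: Authenticode verdict for `image` supplied by the EDR


# The three enumeration commands observed before both exploit executions.
ENUM_CMDS = ("whoami /priv", "cmdkey /list", "net group")
# User-writable staging folders named in the mitigation list.
STAGING_DIRS = re.compile(r"\\users\\[^\\]+\\(pictures|downloads|appdata)\\", re.IGNORECASE)


def _norm(cmdline):
    """Lower-case and collapse whitespace so 'whoami   /priv' still matches."""
    return " ".join(cmdline.lower().split())


def find_enum_sequences(events, window=timedelta(minutes=5)):
    """Per user, report the first time all three enumeration commands occur
    within `window` of each other, in any order. Returns [(user, start_ts)]."""
    seen_by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        for cmd in ENUM_CMDS:
            if cmd in _norm(e.cmdline):
                seen_by_user.setdefault(e.user, []).append((e.ts, cmd))
    hits = []
    for user, seen in seen_by_user.items():
        for i, (t0, _) in enumerate(seen):
            in_window = {c for t, c in seen[i:] if t - t0 <= window}
            if in_window == set(ENUM_CMDS):
                hits.append((user, t0))
                break  # one alert per user is enough
    return hits


def find_staged_unsigned(events):
    """Unsigned .exe files launched from Pictures, Downloads or AppData."""
    return [e.image for e in events
            if not e.signed and e.image.lower().endswith(".exe")
            and STAGING_DIRS.search(e.image)]


def find_aggressive_children(events):
    """Children of cmd.exe started with '-agressive' (spelling as observed)."""
    return [(e.pid, e.image) for e in events
            if e.parent_image.lower().endswith("\\cmd.exe")
            and "-agressive" in _norm(e.cmdline).split()]


# Constructed sample telemetry (not Huntress data); users and PIDs are made up.
_T = datetime(2026, 4, 10, 10, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(_T, "CORP\\jdoe", 1001, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\whoami.exe", "whoami /priv", True),
    ProcEvent(_T + timedelta(seconds=12), "CORP\\jdoe", 1002, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cmdkey.exe", "cmdkey /list", True),
    ProcEvent(_T + timedelta(seconds=30), "CORP\\jdoe", 1003, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\net.exe", "net group", True),
    ProcEvent(_T + timedelta(minutes=1), "CORP\\jdoe", 1004, r"C:\Windows\explorer.exe",
              r"C:\Users\jdoe\Pictures\FunnyApp.exe", "FunnyApp.exe", False),
    ProcEvent(_T + timedelta(minutes=2), "CORP\\jdoe", 1005, r"C:\Windows\System32\cmd.exe",
              r"C:\Users\jdoe\Downloads\ab\Undef.exe", "Undef.exe -agressive", False),
    # Benign noise: an admin checking privileges once, and a signed installer.
    ProcEvent(_T + timedelta(hours=1), "CORP\\admin", 2001, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\whoami.exe", "whoami /priv", True),
    ProcEvent(_T + timedelta(hours=2), "CORP\\jdoe", 2002, r"C:\Windows\explorer.exe",
              r"C:\Users\jdoe\Downloads\setup.exe", "setup.exe /quiet", True),
]


def run_detections(events=SAMPLE_EVENTS):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "enum_sequences": find_enum_sequences(events),
        "staged_unsigned": find_staged_unsigned(events),
        "aggressive_children": find_aggressive_children(events),
    }


if __name__ == "__main__":
    for name, findings in run_detections().items():
        print(name, findings)
```

The sequence check keys on all three commands appearing within the window rather than on any single one, because whoami /priv alone is routine admin activity; the staging check keys on the signature verdict plus the folder, not on the filenames from the GitHub repository, since the observed attacker renamed one binary to z.exe.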
FAQ
Q1: What is BlueHammer, and has it been patched?
BlueHammer (CVE-2026-33825) is a Windows Defender LPE zero-day exploiting a TOCTOU race condition to achieve SYSTEM privileges via SAM database access; it was patched in the April 2026 Patch Tuesday update.
Q2: Are RedSun and UnDefend still unpatched as of April 2026?
Yes, both RedSun and UnDefend remain unpatched on all affected Windows versions, including Windows 10, Windows 11, and Windows Server 2019 and later, as of April 18, 2026.
Q3: How did attackers initially gain access in the Huntress-observed incidents?
Attackers gained initial network access via a compromised FortiGate SSL VPN user account before deploying the Nightmare-Eclipse exploit toolkit.
Q4: How can organizations detect if these exploits have been used in their environment?
Organizations should look for unsigned executables in the user’s Pictures and Downloads folders, EICAR-triggered Defender alerts, rapid enumeration command sequences (whoami /priv, cmdkey /list, net group), and child processes spawned from Explorer or cmd.exe with arguments like -agressive.
Site: thecybrdef.com