Rejected By Microsoft, 3 Defender Zero-Days Are Now Actively Exploited

A cyber security expert who goes by the name Nightmare-Eclipse attempted to disclose three zero-day exploits to Microsoft, but the first attempt went so poorly that he elected to release it into the wild. That first exploit was dubbed "BlueHammer". Shortly after BlueHammer's release, two more zero-day exploits of Windows Defender, dubbed "RedSun" and "UnDefend", were also released by Nightmare-Eclipse.

These aren't minor exploits, either. BlueHammer and RedSun both allow attackers to escalate privileges to full SYSTEM-level access on currently patched Windows 11, Windows 10, and Windows Server 2019 or newer installations. UnDefend blocks Defender's definition updates, and doesn't even require privilege escalation to do so. All three attacks have been actively exploited throughout April, with cybersecurity research team HuntressLabs identifying their use since April 10th.

You're probably wondering what kind of awful communication errors must have happened for Nightmare-Eclipse to go rogue in this way. What follows includes Nightmare-Eclipse's own allegations, from their own blog.

"Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did. I'm not sure I was the only [one] who had this horrid experience or [how] few people did but I think most would just eat it and cut their losses but for me, they took away everything. They mopped the floor with me and pulled every childish game they could [...] they do everything but support the research community. I won't disclose details but they sabotage people a lot."

Unfortunately, Nightmare-Eclipse is scant on details regarding exactly what Microsoft's Security Response Center team did, but another blog post suggests that he is now homeless after someone violated "our agreement". If any of the allegations are true, it certainly paints Microsoft in a bad light.

Per a BleepingComputer report on BlueHammer, Microsoft ignoring the submission could have stemmed from something as simple as the original report not including video footage. Tharros principal vulnerability analyst Will Dormann notes that this is one of the more difficult parts of submitting reports to Microsoft, but it would seem silly for the Security Response Center team to decline valid zero-day exploit reports over a minor detail.

In any case, current mitigation strategies involve either disabling Windows Defender entirely or, in the case of RedSun specifically, disabling Defender's "Cloud-delivered protection" feature, which that exploit abuses.

Per Nightmare-Eclipse, "Normally I would just drop the PoC code and let people figure it out. But I can't for this one, it's way too funny. When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reasons, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location. The PoC abuses this behavior to overwrite system files and gain administrative privileges. I think antimalware products are supposed to remove malicious files, not be sure they are there, but that's just me."
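A defender-side audit for the two symptoms the article describes, added here as an example that is not part of the original article and not code from Nightmare-Eclipse or Microsoft: it reports Defender's signature age (stale signatures are the visible effect of UnDefend blocking definition updates) and the cloud-delivered protection setting that RedSun abuses, and can apply the interim mitigation mentioned above. The `Get-MpComputerStatus`, `Get-MpPreference` and `Set-MpPreference` cmdlets are Defender's own; the age threshold and the script's switches are assumptions.

```powershell
# Added example: audit the Defender state this article ties to UnDefend and
# RedSun, and optionally apply the interim RedSun mitigation (disable MAPS /
# cloud-delivered protection). Assumes Windows 10/11 or Server 2019+ with the
# Defender module, run from an elevated prompt. Threshold is an assumed value.
param(
    [switch]$DisableCloudProtection,
    [int]$MaxSignatureAgeDays = 2   # assumed: older than this looks like blocked updates
)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# UnDefend blocks definition updates, so signature age is the observable symptom.
$sigAge = [int]$status.AntivirusSignatureAge
if ($sigAge -gt $MaxSignatureAgeDays) {
    Write-Warning ("Defender signatures are {0} days old (last updated {1}); " +
                   "check whether definition updates are being blocked." -f
                   $sigAge, $status.AntivirusSignatureLastUpdated)
} else {
    Write-Output "Signatures last updated $($status.AntivirusSignatureLastUpdated) ($sigAge days old)."
}
Write-Output "Real-time protection enabled: $($status.RealTimeProtectionEnabled)"

# RedSun relies on cloud-tagged files; MAPSReporting 0 = Disabled, 1 = Basic, 2 = Advanced.
$mapsNames = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
$maps = [int]$pref.MAPSReporting
Write-Output "Cloud-delivered protection (MAPSReporting): $($mapsNames[$maps]) ($maps)"

if ($DisableCloudProtection -and $maps -ne 0) {
    # Interim mitigation only: this also removes cloud lookups for new threats,
    # so re-enable once Microsoft ships a fix. Tamper Protection may block the change.
    Set-MpPreference -MAPSReporting Disabled
    Write-Output "Cloud-delivered protection disabled. Restore with: Set-MpPreference -MAPSReporting Advanced"
}
```

Run it without switches to audit only; add `-DisableCloudProtection` to apply the mitigation on a machine where losing cloud lookups is an acceptable trade-off until a patch lands.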

Hopefully, Microsoft is able to get these exploits patched sooner rather than later. The fact that these Defender exploits also affect Windows 10 should concern users still on that OS, at least those who aren't signed up for Extended Security Updates.

The rest of us will need to switch anti-virus software or tread lightly until Microsoft patches Defender, which could take a while. If the release of these major exploits can really be blamed on Microsoft's mismanagement of information provided by cybersecurity researchers, this incident should force the company to rethink its processes, lest researchers sell or publicly release their findings instead of privately disclosing them to Microsoft.

Image Credit: Sabine Lower on Pixabay
Chris Harper

Christopher Harper is a tech writer with over a decade of experience writing how-tos and news. Off work, he stays sharp with gym time & stylish action games.