Exploits Turn Windows Defender Into Attacker Tool

Threat actors are using three publicly available proof-of-concept exploits to attack Microsoft Defender and turn the security platform's primary cleanup and protection functions against organizations it is designed to protect.

Two of the exploits enable SYSTEM-level access on vulnerable systems. The third quietly disrupts Defender's update mechanism to progressively degrade its ability to detect new threats. 

A Trio of Exploits

A researcher using the moniker Nightmare-Eclipse publicly released the PoCs after allegedly trying to report them to Microsoft first and not getting a proper response.

One of the exploits, dubbed BlueHammer, was used as a zero-day against CVE-2026-33825, a time-of-check to time-of-use (TOCTOU) vulnerability in Windows Defender's signature update workflow. As security vendor Vectra.ai described the exploit, "Defender detects a suspicious file, decides to rewrite it, and an attacker wins a race condition that redirects that rewrite to a location of their choosing." Attackers can gain SYSTEM-level access without a kernel exploit or memory corruption and just via abuse of how Defender interacts with the file system during remediation, the security vendor said.


Microsoft issued a patch for the flaw in its security update for April. That patch mitigates the threat from BlueHammer but does not protect against the two other PoC exploits that Nightmare-Eclipse has publicly released: RedSun and UnDefend.

In a statement, a Microsoft spokeswoman identified RedSun and UnDefend as separate issues from BlueHammer. "Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible," the statement said. "We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community." 

Turning Defender Against its Users

RedSun works similarly to BlueHammer but targets TieringEngineService.exe, a Defender background process for classifying and prioritizing detected files and threats. All an attacker has to do to trigger the vulnerability, according to Vectra.ai, is use an embedded EICAR test string, which many security teams use to safely verify whether an antivirus tool is properly detecting threats. When Defender detects the test string, it "initiates a remediation cycle, and RedSun wins the race to redirect the resulting file rewrite. At that point, the Cloud Files Infrastructure executes the attacker-planted binary as SYSTEM," Vectra said.


RedSun works against fully patched Windows 10, Windows 11, Windows Server 2019, and later systems including those running Patch Tuesday updates. 

UnDefend, meanwhile, is an exploit that an attacker can deploy after gaining SYSTEM access via either BlueHammer or RedSun. "Spawn it as a child of cmd.exe under Explorer and run it with the -aggressive flag … and you begin starving Defender of current threat intelligence without triggering the kind of hard failure that would generate an obvious alert," Vectra said.

Targeted, Hands-on Attack

Researchers at Huntress Labs reported observing what appeared to be targeted attack activity involving the three exploits. The firm's analysis suggested someone is using the exploits in deliberate, hands-on intrusions, with the attackers manually running privilege enumeration commands before attempting exploitation. Huntress said it found the attackers staging binaries in low-noise user directories like Pictures folders and two-letter subfolders inside Downloads using original filenames and renamed variants designed to escape detection. The renamed binaries significantly reduced detection rates on VirusTotal.


"Recent activity shows BlueHammer, RedSun, and UnDefend are now being used with minimal modification," says Hüseyin Can Yüceel, security research lead at Picus Security. "Binaries are being staged in low-privilege user directories such as Downloads and Pictures, often reusing original proof-of-concept filenames or lightly obfuscated variants like renamed executables." The attacks reflect low complexity but effective tradecraft, where moderately skilled adversaries are leveraging public exploit code in post-compromise scenarios to escalate privileges or weaken endpoint defenses, Yüceel says. While all three PoCs target Defender, the patch for CVE-2026-33825 does not protect the broader attack surface exposed by the other two techniques, he says.

"These exploits point to broader trust and validation weaknesses in Defender's privileged workflows," Yüceel notes. BlueHammer abuses a race condition in file remediation, RedSun targets the handling of cloud-tagged file rollback, and UnDefend exposes weaknesses in update and health reporting mechanisms. The exploits require an attacker to have local access. But once that success is achieved, even a moderately skilled adversary can use the exploits to reliably achieve privilege escalation or weaken defenses, he adds. "Together, they highlight systemic issues around path validation, race conditions, and over-trust in privileged file handling."

Justin Howe, senior solutions architect at Vectra, describes RedSun and UnDefend as exploiting separate, independent flaws in Defender for which there are no CVEs yet.

Each of Nightmare-Eclipse's exploits abuses a different aspect of the same gap: Microsoft Defender performs privileged file operations without validating its own I/O paths at the moment of execution, he says.

BlueHammer abuses a VSS snapshot mount during Defender's signature update workflow, RedSun takes advantage of an unvalidated write during cloud-file remediation, and UnDefend tampers with Defender's signature update pipeline while reporting the endpoint as healthy to the management console. "The bigger picture is that Defender is inside the trust boundary it is trying to enforce. When attackers manipulate its own privileged workflows, it becomes a delivery mechanism," Howe says.

The Harder Part is Initial Access

Independent researchers have tested the PoCs and reproduced them successfully, he notes. The hard part for attackers is going to be the initial access, not the exploitation. "Every in-the-wild case Huntress has reported started with a compromised SSL VPN account without [multifactor authentication]. Once an attacker has any foothold, converting it to SYSTEM with RedSun is trivial," Howe says.

He recommends that organizations apply Microsoft's April 2026 updates to close BlueHammer and confirm that Antimalware Platform v4.18.26050.3011 is present. "UnDefend can falsify the dashboard, so verify the version itself," he advises. 

To protect against the initial access, organizations should enforce multifactor authentication on every VPN and remote access path. They should also block execution from user-writable directories such as Downloads, Pictures, and Temp, and baseline the hash of TieringEngineService.exe so any changes are visible immediately. "Add a detection layer that does not share a trust boundary with the endpoint agent being targeted," Howe says.
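The three checks Howe recommends (confirm the Antimalware Platform version on the host rather than trusting the dashboard, watch for stale signatures, and baseline the hash of TieringEngineService.exe) can be scripted as a local health check. The PowerShell below is an added example written for this article, not code from Vectra, Huntress, or Microsoft. It assumes the expected platform version quoted above, assumes TieringEngineService.exe lives under System32, and uses a placeholder path for the baseline hash file; adjust both paths for your environment. Get-MpComputerStatus, Get-FileHash, and Get-AuthenticodeSignature are standard Windows cmdlets.

```powershell
# Added example: local Defender health check that does not rely on the management console.
# Assumptions (not from the article): binary location and baseline-file path below are placeholders.
param(
    [string]$ExpectedPlatformVersion = '4.18.26050.3011',   # version quoted in the article
    [string]$BinaryPath = "$env:SystemRoot\System32\TieringEngineService.exe",          # assumed location
    [string]$BaselineHashFile = 'C:\ProgramData\DefenderBaseline\TieringEngineService.sha256', # placeholder
    [int]$MaxSignatureAgeDays = 2
)

$findings = @()

# 1. Platform version, read from the local Defender provider rather than the dashboard,
#    because UnDefend is described as able to falsify what the console shows.
$status   = Get-MpComputerStatus
$actual   = [version]$status.AMProductVersion
$expected = [version]$ExpectedPlatformVersion
if ($actual -lt $expected) {
    $findings += ('Antimalware Platform {0} is older than expected {1}; April 2026 update may be missing.' -f $actual, $expected)
}

# 2. Signature freshness: a starved update pipeline shows up as stale signatures
#    even while the endpoint is still reported as healthy.
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
    $findings += ('AV signatures last updated {0:yyyy-MM-dd HH:mm} ({1:N1} days ago).' -f $status.AntivirusSignatureLastUpdated, $sigAge.TotalDays)
}

# 3. Binary integrity: SHA-256 against a baseline taken on a known-good host, plus an
#    Authenticode check so a swapped or modified binary stands out immediately.
if (Test-Path -Path $BinaryPath) {
    $currentHash = (Get-FileHash -Path $BinaryPath -Algorithm SHA256).Hash
    if (Test-Path -Path $BaselineHashFile) {
        $baselineHash = (Get-Content -Path $BaselineHashFile -First 1).Trim()
        if ($currentHash -ne $baselineHash) {
            $findings += ('Hash mismatch for {0}: current {1}, baseline {2}.' -f $BinaryPath, $currentHash, $baselineHash)
        }
    } else {
        # First run: record the baseline, then copy the file off-host so it cannot be
        # altered by whoever holds SYSTEM on this endpoint.
        New-Item -ItemType Directory -Path (Split-Path -Path $BaselineHashFile) -Force | Out-Null
        Set-Content -Path $BaselineHashFile -Value $currentHash
        $findings += ('No baseline existed; recorded {0} for {1}. Store a copy off-host.' -f $currentHash, $BinaryPath)
    }
    $authenticode = Get-AuthenticodeSignature -FilePath $BinaryPath
    if ($authenticode.Status -ne 'Valid') {
        $findings += ('Authenticode status for {0} is {1}, not Valid.' -f $BinaryPath, $authenticode.Status)
    }
} else {
    $findings += ('Binary not found at {0}; adjust -BinaryPath for this environment.' -f $BinaryPath)
}

# 4. Report. A non-zero exit code lets a scheduler or RMM job flag the host.
if ($findings.Count -eq 0) {
    Write-Output 'OK: platform version, signature age, and binary integrity all within expected bounds.'
    exit 0
}
$findings | ForEach-Object { Write-Output ('FINDING: ' + $_) }
exit 1
```

Run it from an elevated prompt on a schedule and ship the output to a collector the endpoint agent does not control; the comparison against an off-host baseline is what gives the check a trust boundary separate from Defender itself, which is the point of Howe's last recommendation.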
