Leaked Windows Zero-Days BlueHammer, RedSun, UnDefend Now Under Active Exploitation
What Happened
A security researcher operating under the aliases "Chaotic Eclipse" or "Nightmare-Eclipse" published proof-of-concept exploit code for three Windows zero-day vulnerabilities in protest over Microsoft Security Response Center's handling of their disclosures. The three flaws — dubbed BlueHammer, RedSun, and UnDefend — were all zero-days at the time of leak, meaning no official patches existed. Huntress Labs reported on April 17th that all three exploits are now confirmed deployed in the wild, with BlueHammer observed in active exploitation since April 10th. The attacks show hands-on-keyboard activity on compromised endpoints, indicating targeted intrusion rather than mass exploitation. Microsoft has patched BlueHammer (CVE-2026-33825) in the April 2026 security updates, but RedSun and UnDefend remain unpatched as of publication.
Why It Matters
These are not theoretical vulnerabilities. BlueHammer and RedSun are both local privilege escalation flaws in Microsoft Defender — the very tool that is supposed to protect the system is weaponized to grant SYSTEM-level access to a standard user. RedSun is particularly dangerous because it persists even after the April 2026 patches: the researcher documented a Windows Defender behavior where the AV rewrites cloud-tagged files to their original location, which RedSun abuses to overwrite system files and escalate privileges. UnDefend allows a standard user to block Defender definition updates, effectively blinding the primary endpoint protection on the target machine before follow-on payloads are delivered. For red teams and threat actors, this trifecta — privilege escalation, Defender bypass, and signature evasion — is a nearly complete pre-ransomware toolkit.
What Defenders Should Do
Prioritize patching BlueHammer immediately via KB5082063 or subsequent hotfixes — it is the only one of the three with an official patch currently available. For RedSun and UnDefend, there are no patches, so mitigations must be layered: restrict local user permissions rigorously, monitor for new processes spawned from Defender-signed binaries (the attack chains abuse legitimate Defender behaviors), and watch for abrupt cessation of Defender definition updates on endpoints. Huntress has published YARA rules and IOCs for detection. On the defensive architecture side, this is a reminder that endpoint detection cannot rely solely on Defender's in-box detection; consider deploying additional telemetry from Sysmon, EDR sensors, or network-based behavioral analytics to catch exploitation that silently weaponizes Defender's own file-write behavior.
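The two monitoring checks above, written out as detection logic over constructed Sysmon-style process-create records and a list of definition-update timestamps. This is an added example, not code from the page, Huntress, or Microsoft; the Defender directory paths, the allowlist of expected child processes, and the 24-hour staleness threshold are assumptions to tune against a known-good baseline.

```python
"""Added example: flag unexpected children of Defender binaries (Sysmon Event ID 1)
and detect a stall in Defender definition updates."""
from datetime import datetime, timedelta

# Assumption: Defender engine/CLI binaries live under these directories (lower-cased).
DEFENDER_PARENT_DIRS = (
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
    "c:\\program files\\windows defender\\",
)
# Assumption: children Defender legitimately spawns; tune against a known-good baseline.
EXPECTED_CHILDREN = {"mpcmdrun.exe", "mpsigstub.exe", "nissrv.exe", "conhost.exe"}

# Constructed sample records shaped like Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": "MpCmdRun.exe -SignatureUpdate",
     "ParentImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

def suspicious_defender_children(events):
    """Return (ParentImage, Image, CommandLine) for process-create records whose
    parent is a Defender binary but whose child is not on the expected list."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent = ev.get("ParentImage", "").lower()
        child = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if parent.startswith(DEFENDER_PARENT_DIRS) and child not in EXPECTED_CHILDREN:
            hits.append((ev["ParentImage"], ev["Image"], ev.get("CommandLine", "")))
    return hits

def definition_update_stalled(update_times_iso, now_iso, max_gap_hours=24):
    """True when the newest definition-update timestamp (ISO 8601 strings) is older
    than max_gap_hours; the 24h default is an assumption to tune per environment."""
    if not update_times_iso:
        return True  # no update ever recorded is itself worth an alert
    newest = max(datetime.fromisoformat(t) for t in update_times_iso)
    return datetime.fromisoformat(now_iso) - newest > timedelta(hours=max_gap_hours)

if __name__ == "__main__":
    for parent, child, cmd in suspicious_defender_children(SAMPLE_EVENTS):
        print(f"ALERT unexpected child of Defender: {parent} -> {child} [{cmd}]")
    print("definitions stalled:", definition_update_stalled(
        ["2026-04-14T08:00:00+00:00"], "2026-04-17T12:00:00+00:00"))
```

On a real host, feed the first function from Sysmon's Event ID 1 exports and the second from the signature-update timestamps your endpoint reports; the constructed timestamps here produce a stall because the last update is three days old.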
What It Signals
The protest leak of these exploits by a frustrated researcher highlights a deteriorating relationship between MSRC and the external research community. Responsible disclosure depends on researchers believing their reports will be handled seriously; when that trust breaks down, the result is published zero-days that get weaponized within days. For defenders, this is a wake-up call on two fronts: first, your patching discipline needs to be measured in hours for high-severity privilege escalation flaws, not days or weeks. Second, the assumption that Microsoft's in-box Defender protects you unconditionally is increasingly untenable when Defender itself is the exploitation target. The speed from leak to active exploitation — three days for BlueHammer — means manual patch deployment on critical infrastructure is now a survivable workflow only if your change management can move faster than threat actors can weaponize public POC code.
References
Huntress Labs on BlueHammer, RedSun, UnDefend in the wild (X/Twitter)
BleepingComputer: Recently leaked Windows zero-days now exploited in attacks
BleepingComputer: Disgruntled researcher leaks BlueHammer Windows zero-day exploit
BleepingComputer: New Microsoft Defender RedSun zero-day POC grants SYSTEM privileges
GitHub: Nightmare-Eclipse RedSun PoC
GitHub: Nightmare-Eclipse UnDefend
Microsoft Security Response Center: CVE-2026-33825 (BlueHammer)