Three Microsoft Defender Zero-Days Exploited in the Wild: Two Remain Unpatched
A single frustrated researcher just put Microsoft's flagship endpoint protection product in the crosshairs. Within a 14-day window this April, a researcher operating under the handle "Chaotic Eclipse" dropped three separate zero-day exploits targeting Windows Defender on GitHub [3]. Microsoft patched one. The other two are still live, still unpatched, and confirmed exploited in the wild as of April 16, 2026 [4]. Every Windows system running Defender is now carrying known, weaponized vulnerabilities in its primary security tool.
Huntress Labs confirmed active exploitation of all three flaws, with BlueHammer attacks observed as early as April 10 and RedSun/UnDefend exploitation appearing April 16 [1][4]. Microsoft's April Patch Tuesday addressed BlueHammer as CVE-2026-33825, but the company hasn't issued fixes or even timelines for the remaining two [1][2].
The Researcher: Chaotic Eclipse
The GitHub account "Nightmare-Eclipse" was created on March 27, 2026 [6]. The account has accumulated over 1,200 followers and published three repositories, all targeting Microsoft Defender [6]. The researcher's frustration with Microsoft's vulnerability handling process is explicit. In a statement accompanying the BlueHammer release, they wrote: "I was not bluffing Microsoft, and I'm doing it again."
This wasn't coordinated disclosure. Chaotic Eclipse dropped working proof-of-concept code directly on GitHub with no advance notice to Microsoft [5]. The result: defenders had zero lead time to prepare.
BlueHammer (CVE-2026-33825): Patched, But Worth Understanding
BlueHammer appeared on GitHub on April 3, 2026 [5]. It exploits a race condition in Defender's file remediation logic [3], specifically abusing the Windows Defender update process through Volume Shadow Copy manipulation [5]. A low-privileged user can escalate to NT AUTHORITY\SYSTEM [5].
Microsoft patched this as CVE-2026-33825 in the April Patch Tuesday release, crediting Zen Dodd and Yuanpei XU (HUST) with their Diffract tool [2]. The fix ships in Defender update version 4.18.26050.3011 [2]. The April Patch Tuesday was substantial overall: 163 vulnerabilities across Microsoft products [2].
Huntress observed BlueHammer exploitation being blocked by updated Defender installations starting April 10, 2026 [4]. That seven-day gap between public PoC and patch gave attackers a working window. The staging path observed in attacks placed the exploit binary in the user's Pictures folder as FunnyApp.exe [8].
RedSun: Unpatched Privilege Escalation
RedSun is the more dangerous of the two remaining unpatched exploits. It targets TieringEngineService.exe, a system binary, using a combination of the Cloud Files API and NTFS junction redirection [7]. The attack uses a directory junction/reparse point to redirect a file rewrite operation, allowing the attacker to overwrite C:\Windows\System32\TieringEngineService.exe with attacker-controlled contents [7].
The result is the same as BlueHammer: SYSTEM-level privileges. But the mechanism is entirely different, targeting Defender's cloud file rollback mechanism rather than its remediation logic [3]. This means the BlueHammer patch does nothing to stop RedSun.
RedSun is confirmed working on fully patched Windows systems as of April 18, 2026 [7]. Huntress observed execution from C:\Users\[REDACTED]\Downloads\RedSun.exe on April 16 [8]. Attackers have also been observed renaming the binary to z.exe to avoid basic filename-based detection [1].
UnDefend: Killing the Watchdog
UnDefend takes a different approach entirely. Rather than escalating privileges, it disrupts Defender's update mechanism [3]. This is a denial-of-service attack against the security product itself. The techniques target Cloud Files filter driver interactions [8].
The tactical value is obvious. An attacker chains UnDefend to freeze Defender's signature updates, then operates with reduced detection coverage. Pair that with RedSun's privilege escalation, and you have a complete sequence: disable the guard, then take the keys.
Huntress observed UnDefend exploitation in the wild on April 16, 2026 [4][8].
The Chain: How These Work Together
These three exploits aren't just individual bugs. They're complementary tools. The attack sequence that concerns defenders most:
- UnDefend disrupts Defender's update mechanism, preventing new signatures from loading [3]
- RedSun or BlueHammer escalates privileges to SYSTEM [5][7]
- The attacker now has full control on a system whose primary security product can't update itself
This combination turns Defender from a defensive asset into an attack surface.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| Malware Name | BlueHammer | Local privilege escalation exploit [1] |
| Malware Name | RedSun | Unpatched privilege escalation exploit [1] |
| Malware Name | UnDefend | Defender DoS tool [1] |
| Filename | FunnyApp.exe | BlueHammer exploitation binary [1] |
| Filename | RedSun.exe | RedSun exploitation binary [1] |
| Filename | z.exe | Renamed RedSun binary for evasion [1] |
| Filename | UnDefend.exe | Defender update DoS tool [1] |
| Filename | TieringEngineService.exe | System binary targeted by RedSun [7] |
| File Path | C:\Users\[user]\Pictures\FunnyApp.exe | BlueHammer staging directory [8] |
| File Path | C:\Users\[user]\Downloads\RedSun.exe | RedSun execution path observed by Huntress [8] |
| File Path | C:\Windows\System32\TieringEngineService.exe | RedSun overwrite target [8] |
| Detection Name | Exploit:Win32/DfndrPEBluHmr.BB | Defender detection for BlueHammer PoC [5] |
| Repository | github.com/Nightmare-Eclipse/BlueHammer | BlueHammer exploit code [6] |
| Repository | github.com/Nightmare-Eclipse/RedSun | RedSun exploit code [6] |
| Repository | github.com/Nightmare-Eclipse/UnDefend | UnDefend tool [6] |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | Core function of BlueHammer and RedSun: escalation from low-privilege user to SYSTEM [1][5][7] |
| T1562.001 | Impair Defenses: Disable or Modify Tools | UnDefend disrupts Defender's update mechanism, degrading endpoint protection [3][8] |
| T1036.005 | Masquerading: Match Legitimate Name or Location | Renaming RedSun.exe to z.exe; using innocuous names like FunnyApp.exe [1][8] |
Detection and Hunting
File System Monitoring: Watch for creation or execution of the known filenames (FunnyApp.exe, RedSun.exe, z.exe, UnDefend.exe) in user-writable directories. Sysmon Event ID 1 (Process Creation) and Event ID 11 (File Create) are your primary data sources.
index=sysmon EventCode=1 (Image="*\\FunnyApp.exe" OR Image="*\\RedSun.exe" OR Image="*\\z.exe" OR Image="*\\UnDefend.exe")
TieringEngineService.exe Integrity: RedSun overwrites this system binary [7]. Monitor for unexpected writes to C:\Windows\System32\TieringEngineService.exe using Sysmon Event ID 11 or file integrity monitoring. Any write to this file outside a Windows Update context is suspicious.
index=sysmon EventCode=11 TargetFilename="C:\\Windows\\System32\\TieringEngineService.exe" NOT Image="*\\TrustedInstaller.exe"
Junction/Reparse Point Creation: RedSun uses NTFS junctions for its redirect attack [7]. Monitor for mklink /j commands or suspicious junction creation in user-writable paths that point to system directories.
Defender Health Monitoring: UnDefend disrupts Defender updates [3]. Monitor for Defender service stops, update failures, or signature versions that stop incrementing. Windows Event Log source Microsoft-Windows-Windows Defender (Event IDs 2001, 2003, 2006) will flag update failures.
Behavioral Baseline: Track Defender's engine version (MpCmdRun.exe -ShowVersion) across your fleet. Systems stuck on older signature versions may have been hit by UnDefend.
Volume Shadow Copy Abuse: BlueHammer abuses VSS [5]. Monitor for unusual vssadmin or wmic shadowcopy invocations from non-administrative user contexts.
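The hunting rules above, implemented as one triage pass in Python over a few constructed Sysmon and Defender events (added example, not code from the report or Huntress): known exploit filenames in user-writable folders, writes to TieringEngineService.exe by anything other than TrustedInstaller, VSS commands from non-service accounts, and bursts of Defender update-failure events (IDs 2001/2003/2006). The event dict field names are an assumed schema standing in for whatever your SIEM normalises to.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators and paths taken from the report.
EXPLOIT_NAMES = {"funnyapp.exe", "redsun.exe", "z.exe", "undefend.exe"}
TIERING_TARGET = r"c:\windows\system32\tieringengineservice.exe"
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(downloads|pictures|desktop|appdata)\\")
SERVICE_ACCOUNTS = {r"nt authority\system", r"nt authority\local service", r"nt authority\network service"}
DEFENDER_UPDATE_FAILURES = {2001, 2003, 2006}  # Microsoft-Windows-Windows Defender/Operational


def triage(events, burst_threshold=3):
    """Return (rule, host, detail) findings for a batch of normalised events.

    Each event is a dict with time (datetime), host, source ('sysmon' or 'defender')
    and id; the other field names are an assumed schema, not a real product's."""
    findings = []
    failures = defaultdict(list)  # host -> timestamps of Defender update failures
    for ev in events:
        host, src, eid = ev["host"], ev["source"], ev["id"]
        if src == "sysmon" and eid == 1:  # process creation
            image = ev["image"].lower()
            if image.rsplit("\\", 1)[-1] in EXPLOIT_NAMES and USER_WRITABLE.match(image):
                findings.append(("known-exploit-filename", host, ev["image"]))
            cmd = ev.get("cmdline", "").lower()
            if ("vssadmin" in cmd or "shadowcopy" in cmd) and ev["user"].lower() not in SERVICE_ACCOUNTS:
                findings.append(("vss-from-user-context", host, ev["cmdline"]))
        elif src == "sysmon" and eid == 11:  # file create
            writer = ev["image"].lower()
            if ev["target"].lower() == TIERING_TARGET and not writer.endswith("\\trustedinstaller.exe"):
                findings.append(("tieringengine-overwrite", host, ev["image"]))
        elif src == "defender" and eid in DEFENDER_UPDATE_FAILURES:
            failures[host].append(ev["time"])
    # UnDefend signal: more than burst_threshold update failures on one host in any 1h window.
    for host, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if (t - start).total_seconds() <= 3600)
            if in_window > burst_threshold:
                findings.append(("defender-update-failure-burst", host, f"{in_window} failures within 1h"))
                break
    return findings


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry (not real captures), one scenario per host.
SAMPLE_EVENTS = [
    {"time": _t("2026-04-16T09:01:00"), "host": "WS-01", "source": "sysmon", "id": 1,
     "image": r"C:\Users\alice\Downloads\RedSun.exe", "user": r"CORP\alice",
     "cmdline": r"C:\Users\alice\Downloads\RedSun.exe"},
    {"time": _t("2026-04-16T09:01:05"), "host": "WS-01", "source": "sysmon", "id": 11,
     "image": r"C:\Users\alice\Downloads\RedSun.exe",
     "target": r"C:\Windows\System32\TieringEngineService.exe"},
    {"time": _t("2026-04-14T20:00:00"), "host": "WS-02", "source": "sysmon", "id": 11,  # servicing, benign
     "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "target": r"C:\Windows\System32\TieringEngineService.exe"},
    {"time": _t("2026-04-10T14:00:00"), "host": "WS-03", "source": "sysmon", "id": 1,
     "image": r"C:\Windows\System32\vssadmin.exe", "user": r"CORP\bob",
     "cmdline": "vssadmin list shadows"},
    {"time": _t("2026-04-10T02:00:00"), "host": "WS-03", "source": "sysmon", "id": 1,  # scheduled backup, benign
     "image": r"C:\Windows\System32\vssadmin.exe", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": "vssadmin create shadow /for=C:"},
] + [  # four update failures within 30 minutes on WS-04
    {"time": _t(f"2026-04-16T10:{m:02d}:00"), "host": "WS-04", "source": "defender", "id": 2001}
    for m in (0, 10, 20, 30)
]

if __name__ == "__main__":
    for rule, host, detail in triage(SAMPLE_EVENTS):
        print(f"{host:6} {rule:30} {detail}")
```

The TrustedInstaller and SYSTEM-context events are deliberately present so the output shows the benign baseline being excluded rather than every TieringEngineService.exe write or vssadmin call being flagged.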
Analysis
The core problem here isn't just three bugs. It's the attack surface that Defender itself represents. Defender runs as SYSTEM, hooks deeply into the OS kernel, and processes every file that touches the disk. Any exploitable flaw in that code gives attackers a direct path to the highest privilege level on the machine.
Chaotic Eclipse's decision to drop working PoCs without coordinated disclosure compressed the timeline dramatically. BlueHammer appeared publicly on April 3 [5]. The patch arrived April 14 (Patch Tuesday). That's 11 days of exposure with a working public exploit. RedSun and UnDefend have been public since mid-April with no patch in sight [1].
Microsoft's response has been asymmetric. They patched BlueHammer quickly (it landed in the already-scheduled Patch Tuesday) [2], but the remaining two exploits target different mechanisms: cloud file rollback and update pipelines [3]. Fixing those likely requires deeper architectural work.
Organizations running Defender as their sole endpoint protection product are exposed. The RedSun and UnDefend combination is particularly dangerous because it pairs privilege escalation with the ability to degrade the very tool designed to detect the compromise.
Red Sheep Assessment
Confidence: Moderate
The public data tells one story. A lone researcher, frustrated with Microsoft's vulnerability response process, decided to force the issue by dropping live exploits. But several details suggest more complexity beneath the surface.
First, the Nightmare-Eclipse GitHub account was created just days before the first exploit drop [6]. The systematic nature of the three exploits suggests comprehensive study of Defender's architecture.
Second, Huntress observed exploitation of BlueHammer on April 10, a full week after the PoC went public [4]. But they saw RedSun and UnDefend exploitation on April 16, just days after those PoCs appeared [4][8]. The faster weaponization timeline for the later exploits suggests attackers were already watching this researcher and had tooling ready to integrate new PoCs quickly.
Third, the three exploits together form a coherent attack toolkit rather than three isolated bugs. UnDefend weakens defenses, RedSun escalates privileges, and BlueHammer provides a backup escalation path. The researcher's motivation does not change the tactical impact.
The contrarian read: this could be a security researcher who genuinely tried to work with Microsoft, got stonewalled, and released what they had. The tactical coherence of the three exploits might simply reflect thorough research rather than malicious intent.
Regardless, two working privilege escalation/DoS exploits targeting the most widely deployed endpoint protection product on Earth are public, unpatched, and actively exploited. Defenders need to act now.
Defender's Checklist
- [ ] Verify Defender engine version is at least 4.18.26050.3011 to confirm the BlueHammer (CVE-2026-33825) patch is applied [2]
- [ ] Deploy supplementary EDR with specific detection rules for: VSS enumeration from user-space processes, Cloud Files sync root registration by non-system processes, and unexpected writes to TieringEngineService.exe
- [ ] Implement file integrity monitoring on C:\Windows\System32\TieringEngineService.exe and alert on any non-Windows-Update modification [7]
- [ ] Hunt across your environment for the known exploitation filenames (FunnyApp.exe, RedSun.exe, z.exe, UnDefend.exe) in user-writable directories using Sysmon or EDR telemetry [1][8]
- [ ] Monitor Defender signature update health fleet-wide; systems that stop updating may have been hit by UnDefend [3]
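An added fleet-health check for the first and last checklist items (example code, not from the report or any vendor): each host's Defender version is compared numerically against 4.18.26050.3011, the build the report names for the fix, and a host whose signature version trails the fleet's newest without advancing for a grace period is flagged as the "stuck" pattern the report associates with UnDefend. The inventory field names, version strings and timestamps are constructed assumptions, not real fleet data.

```python
from datetime import datetime, timedelta

# Version string the report names for the CVE-2026-33825 fix.
PATCHED_VERSION = "4.18.26050.3011"


def parse_version(v):
    """'4.18.26050.3011' -> (4, 18, 26050, 3011). Compare numerically: as plain strings
    '4.18.26050.3011' sorts below '4.18.9999.1' and a patched host would read as unpatched."""
    return tuple(int(p) for p in v.split("."))


def assess_fleet(inventory, now, stale_after=timedelta(days=3)):
    """inventory: per-host dicts (host, defender_version, signature_version, signature_updated),
    an assumed schema for whatever Get-MpComputerStatus-style collection you already run.
    Flags hosts below PATCHED_VERSION and hosts whose signatures trail the fleet's newest
    and have not updated within stale_after."""
    newest_sig = max(parse_version(h["signature_version"]) for h in inventory)
    findings = []
    for h in inventory:
        if parse_version(h["defender_version"]) < parse_version(PATCHED_VERSION):
            findings.append((h["host"], "bluehammer-fix-missing", h["defender_version"]))
        age = now - h["signature_updated"]
        if parse_version(h["signature_version"]) < newest_sig and age > stale_after:
            findings.append((h["host"], "signatures-stalled",
                             f"{h['signature_version']} ({age.days}d old) vs fleet newest "
                             + ".".join(map(str, newest_sig))))
    return findings


# Constructed inventory (all values illustrative).
NOW = datetime(2026, 4, 20, 12, 0)
SAMPLE_INVENTORY = [
    {"host": "WS-01", "defender_version": "4.18.26050.3011", "signature_version": "1.431.120.0",
     "signature_updated": NOW - timedelta(hours=2)},
    {"host": "WS-02", "defender_version": "4.18.26030.8", "signature_version": "1.431.120.0",
     "signature_updated": NOW - timedelta(hours=1)},  # signatures current, platform not patched
    {"host": "WS-03", "defender_version": "4.18.26050.3011", "signature_version": "1.431.5.0",
     "signature_updated": NOW - timedelta(days=5)},  # stopped updating
    {"host": "WS-04", "defender_version": "4.18.26050.3011", "signature_version": "1.431.118.0",
     "signature_updated": NOW - timedelta(hours=6)},  # one release behind but still updating
]

if __name__ == "__main__":
    for host, rule, detail in assess_fleet(SAMPLE_INVENTORY, NOW):
        print(f"{host:6} {rule:24} {detail}")
```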
References
1. Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched - The Hacker News
2. Microsoft April 2026 Patch Tuesday fixes 163 flaws, 2 zero-days - BleepingComputer
3. BlueHammer & RedSun: Windows Defender CVE-2026-33825 Zero-day Vulnerability Explained - Picus Security
4. Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild - Help Net Security
5. BlueHammer: Inside the Windows Zero-Day - Cyderes
6. Nightmare-Eclipse GitHub Profile
7. New Microsoft Defender "RedSun" zero-day PoC grants SYSTEM privileges - BleepingComputer
8. RedSun and UnDefend Zero-Day Exploits Hit Defender - Ampcus Cyber
Hunt Guide: Hunt Report: Microsoft Defender Zero-Day Exploitation Campaign (BlueHammer/RedSun/UnDefend)
Hypothesis: If threat actors are exploiting the Microsoft Defender zero-day vulnerabilities (BlueHammer/RedSun/UnDefend) in our environment, we expect to observe suspicious file creation in user-writable directories, unexpected modifications to TieringEngineService.exe, NTFS junction abuse, and Defender update failures in Sysmon, Windows Security, and Defender operational logs.
Intelligence Summary: A researcher 'Chaotic Eclipse' publicly released three Microsoft Defender zero-day exploits in April 2026. While BlueHammer (CVE-2026-33825) was patched on April 14, RedSun and UnDefend remain unpatched and actively exploited, enabling privilege escalation to SYSTEM and disruption of Defender updates.
Confidence: High | Priority: Critical
Scope
- Networks: All Windows endpoints running Microsoft Defender as primary AV/EDR
- Timeframe: Initial sweep: 01 April 2026 - present; Ongoing monitoring: Next 90 days
- Priority Systems: Domain controllers, privileged access workstations, servers with Defender as sole protection
MITRE ATT&CK Techniques
T1068 — Exploitation for Privilege Escalation (Privilege Escalation) [P1]
BlueHammer exploits a race condition in Defender's file remediation logic via Volume Shadow Copy manipulation. RedSun targets TieringEngineService.exe using Cloud Files API and NTFS junction redirection. Both escalate from low-privilege user to NT AUTHORITY\SYSTEM.
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 (Image="*\\FunnyApp.exe" OR Image="*\\RedSun.exe" OR Image="*\\z.exe" OR CommandLine="*vssadmin*" OR CommandLine="*shadowcopy*") | stats count by _time, Computer, User, Image, CommandLine | where count > 0
Elastic KQL:
event.provider:"Microsoft-Windows-Sysmon" AND event.code:1 AND (process.executable:(*\\FunnyApp.exe OR *\\RedSun.exe OR *\\z.exe) OR process.command_line:(*vssadmin* OR *shadowcopy*))
Sigma Rule:
```yaml
title: Microsoft Defender Zero-Day Exploitation - BlueHammer/RedSun
id: 8f3e4d92-7c1a-4b8f-9e2d-5a3c7f8b9d1e
status: experimental
description: Detects exploitation attempts using BlueHammer or RedSun Microsoft Defender zero-days
author: RedSheep Security/Stone
date: 2026/04/20
logsource:
    product: windows
    service: sysmon
detection:
    selection_process:
        EventID: 1
        Image|endswith:
            - '\FunnyApp.exe'
            - '\RedSun.exe'
            - '\z.exe'
    selection_vss:
        EventID: 1
        CommandLine|contains:
            - 'vssadmin'
            - 'shadowcopy'
    filter_service_accounts:   # VSS activity from these contexts is the normal baseline
        User|contains:
            - 'SYSTEM'
            - 'LOCAL SERVICE'
            - 'NETWORK SERVICE'
    condition: selection_process or (selection_vss and not filter_service_accounts)
falsepositives:
    - Legitimate VSS operations by backup software
level: critical
tags:
    - attack.privilege_escalation
    - attack.t1068
    - cve.2026.33825
```
Monitor for execution from Downloads/Pictures folders. Legitimate VSS operations typically run as SYSTEM or via scheduled tasks, not from user contexts.
T1562.001 — Impair Defenses: Disable or Modify Tools (Defense Evasion) [P1]
UnDefend disrupts Windows Defender's update mechanism through Cloud Files filter driver interactions, preventing signature updates and degrading endpoint protection.
Splunk SPL:
index=* sourcetype="WinEventLog:Microsoft-Windows-Windows Defender/Operational" (EventCode=2001 OR EventCode=2003 OR EventCode=2006) | bucket _time span=1h | stats count by _time, Computer, EventCode | where count > 3
Elastic KQL:
winlog.provider_name:"Microsoft-Windows-Windows Defender" AND winlog.event_id:(2001 OR 2003 OR 2006)
Sigma Rule:
```yaml
title: Windows Defender Update Disruption - UnDefend
id: 7a9c3f2e-5d1b-4e8a-9f3c-2b7d8e9f4a6c
status: stable
description: Detects Windows Defender update failures potentially caused by UnDefend exploit
author: Florian Roth (rule), RedSheep Security/Stone (UnDefend context)
date: 2026/04/20
modified: 2026/04/20
logsource:
    product: windows
    service: windefend   # Microsoft-Windows-Windows Defender/Operational
detection:
    selection:
        EventID:
            - 2001 # Security intelligence (signature) update failed
            - 2003 # Engine update failed
            - 2006 # Platform update failed
    timeframe: 1h
    condition: selection | count() by Computer > 3
falsepositives:
    - Network connectivity issues
    - WSUS configuration problems
level: high
tags:
    - attack.defense_evasion
    - attack.t1562.001
```
Correlate with UnDefend.exe execution. Multiple update failures in short timeframe indicate active disruption.
T1036.005 — Masquerading: Match Legitimate Name or Location (Defense Evasion) [P2]
Attackers rename RedSun.exe to z.exe for evasion and use innocuous names like FunnyApp.exe to avoid detection.
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=1 OR EventCode=11) (Image="*\\z.exe" OR TargetFilename="*\\z.exe") | eval suspicious_path=if(match(coalesce(TargetFilename, Image), "(?i)(downloads|desktop|appdata|temp)"), 1, 0) | where suspicious_path=1 | table _time, Computer, User, Image, TargetFilename, ProcessId
Elastic KQL:
event.provider:"Microsoft-Windows-Sysmon" AND (event.code:1 OR event.code:11) AND (process.executable:*\\z.exe OR file.path:*\\z.exe) AND file.path:(*Downloads* OR *Desktop* OR *AppData* OR *Temp*)
z.exe in user directories is highly suspicious. Cross-reference with parent process and network connections.
T1055 — Process Injection (Privilege Escalation) [P2]
Post-exploitation, attackers may inject into legitimate Windows processes after achieving SYSTEM privileges via BlueHammer/RedSun.
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=10 TargetImage="*\\TieringEngineService.exe" GrantedAccess=0x1F0FFF | table _time, Computer, SourceImage, TargetImage, GrantedAccess
Elastic KQL:
event.provider:"Microsoft-Windows-Sysmon" AND event.code:10 AND process.target.executable:*\\TieringEngineService.exe AND winlog.event_data.GrantedAccess:"0x1F0FFF"
Monitor for process access to TieringEngineService.exe with PROCESS_ALL_ACCESS rights.
T1574.001 — Hijack Execution Flow: DLL Search Order Hijacking (Persistence) [P1]
After overwriting TieringEngineService.exe via RedSun, attackers may place malicious DLLs in search paths for persistence.
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11 TargetFilename="C:\\Windows\\System32\\TieringEngineService.exe" NOT Image="*\\TrustedInstaller.exe" | table _time, Computer, User, Image, TargetFilename, ProcessId
Elastic KQL:
event.provider:"Microsoft-Windows-Sysmon" AND event.code:11 AND file.path:"C:\\Windows\\System32\\TieringEngineService.exe" AND NOT process.executable:*\\TrustedInstaller.exe
Any write to TieringEngineService.exe outside Windows Update context is critical. This is the primary RedSun indicator.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| filename | FunnyApp.exe | BlueHammer exploitation binary observed in user Pictures folder |
| filename | RedSun.exe | RedSun privilege escalation exploit binary |
| filename | z.exe | Renamed RedSun binary used for evasion |
| filename | UnDefend.exe | Windows Defender update disruption tool |
| filename | TieringEngineService.exe | System binary targeted for overwrite by RedSun exploit |
| url | github.com/Nightmare-Eclipse/BlueHammer | GitHub repository hosting BlueHammer exploit code |
| url | github.com/Nightmare-Eclipse/RedSun | GitHub repository hosting RedSun exploit code |
| url | github.com/Nightmare-Eclipse/UnDefend | GitHub repository hosting UnDefend tool |
IOC Sweep Queries (Splunk):
index=* (sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=WinEventLog:Security) (Image="*\\FunnyApp.exe" OR TargetFilename="*\\FunnyApp.exe" OR ProcessName="*\\FunnyApp.exe") | dedup Computer | table _time, Computer, User, Image, TargetFilename, ProcessName
index=* (sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=WinEventLog:Security) (Image="*\\RedSun.exe" OR TargetFilename="*\\RedSun.exe" OR ProcessName="*\\RedSun.exe") | dedup Computer | table _time, Computer, User, Image, TargetFilename, ProcessName
index=* (sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=WinEventLog:Security) (Image="*\\z.exe" OR TargetFilename="*\\z.exe" OR ProcessName="*\\z.exe") | dedup Computer | table _time, Computer, User, Image, TargetFilename, ProcessName
index=* (sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=WinEventLog:Security) (Image="*\\UnDefend.exe" OR TargetFilename="*\\UnDefend.exe" OR ProcessName="*\\UnDefend.exe") | dedup Computer | table _time, Computer, User, Image, TargetFilename, ProcessName
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11 TargetFilename="*\\TieringEngineService.exe" | dedup Computer | table _time, Computer, User, Image, TargetFilename
index=* (sourcetype=proxy OR sourcetype=dns) ("github.com/Nightmare-Eclipse/BlueHammer" OR "Nightmare-Eclipse/BlueHammer") | dedup src_ip | table _time, src_ip, dest, url, dns_query
index=* (sourcetype=proxy OR sourcetype=dns) ("github.com/Nightmare-Eclipse/RedSun" OR "Nightmare-Eclipse/RedSun") | dedup src_ip | table _time, src_ip, dest, url, dns_query
index=* (sourcetype=proxy OR sourcetype=dns) ("github.com/Nightmare-Eclipse/UnDefend" OR "Nightmare-Eclipse/UnDefend") | dedup src_ip | table _time, src_ip, dest, url, dns_query
YARA Rules
MSDEFENDER_ZeroDay_Exploit_Indicators — Detects Microsoft Defender zero-day exploitation tools (BlueHammer, RedSun, UnDefend)
```yara
rule MSDEFENDER_ZeroDay_Exploit_Indicators {
    meta:
        description = "Detects Microsoft Defender zero-day exploitation tools"
        author = "RedSheep Security/Stone"
        date = "2026-04-20"
        reference = "https://github.com/Nightmare-Eclipse"
        hash1 = "N/A - PoC code only"
    strings:
        $s1 = "BlueHammer" ascii wide nocase
        $s2 = "RedSun" ascii wide nocase
        $s3 = "UnDefend" ascii wide nocase
        $s4 = "FunnyApp.exe" ascii wide nocase
        $s5 = "TieringEngineService.exe" ascii wide
        $s6 = "Nightmare-Eclipse" ascii wide
        $s7 = "Volume Shadow Copy" ascii wide
        $s8 = "Cloud Files API" ascii wide
        $s9 = "mklink /j" ascii wide
        $s10 = "vssadmin" ascii wide
        $s11 = "shadowcopy" ascii wide
        $pe1 = { 4D 5A 90 00 03 00 00 00 } // common MZ header prefix; not every PE starts this way
    condition:
        $pe1 at 0 and (
            (any of ($s1, $s2, $s3) and any of ($s5, $s7, $s8, $s9, $s10, $s11)) or
            $s4 or
            (2 of ($s*) and filesize < 5MB)
        )
}
```
MSDEFENDER_VSS_Abuse_Pattern — Detects Volume Shadow Copy abuse patterns associated with BlueHammer
```yara
rule MSDEFENDER_VSS_Abuse_Pattern {
    meta:
        description = "Detects VSS abuse patterns from BlueHammer exploit"
        author = "Florian Roth (base), adapted for BlueHammer"
        date = "2026-04-20"
        reference = "CVE-2026-33825"
    strings:
        $vss1 = "vssadmin create shadow" ascii wide nocase
        $vss2 = "vssadmin list shadows" ascii wide nocase
        $vss3 = "wmic shadowcopy" ascii wide nocase
        $vss4 = "Win32_ShadowCopy" ascii wide
        $api1 = "CreateVssBackupComponents" ascii
        $api2 = "VssCreateWriterMetadata" ascii
        $path1 = "\\Device\\HarddiskVolumeShadowCopy" ascii wide
        // The real path begins with the \\?\ device prefix, so both leading backslashes need escaping
        $path2 = "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy" ascii wide
    condition:
        2 of ($vss*) or (any of ($api*) and any of ($path*))
}
```
Suricata Rules
SID 2046001 — Detects HTTP requests for Nightmare-Eclipse GitHub repositories hosting Defender exploits (an `alert http` rule, so it only fires where TLS is terminated or decrypted before the sensor)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Microsoft Defender Zero-Day Repository Access (Nightmare-Eclipse)"; flow:to_server,established; content:"GET"; http_method; content:"github.com"; http_host; content:"/Nightmare-Eclipse/"; http_uri; pcre:"/\/Nightmare-Eclipse\/(BlueHammer|RedSun|UnDefend)/i"; reference:url,github.com/Nightmare-Eclipse; classtype:trojan-activity; sid:2046001; rev:1;)
SID 2046002 — Flags DNS queries for github.com; the repository path is not visible in DNS, so this matches all GitHub resolution and is a correlation signal rather than a repository-specific detection
alert dns $HOME_NET any -> any 53 (msg:"ET EXPLOIT DNS Query for MS Defender Zero-Day Repository"; dns_query; content:"github.com"; fast_pattern; pcre:"/github\.com/i"; reference:cve,2026-33825; classtype:trojan-activity; sid:2046002; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1068, T1562.001, T1036.005, T1055, T1574.001 | EventID 1 (Process Creation), EventID 11 (File Create) critical for exploit detection |
| Windows Security | T1068 | EventID 4688 provides process creation without Sysmon |
| Windows Defender Operational | T1562.001 | EventIDs 2001, 2003, 2006 track update failures caused by UnDefend |
| PowerShell ScriptBlock Logging | T1068 | EventID 4104 may capture exploit wrapper scripts |
| Proxy/Web Gateway | T1068 | Track access to GitHub exploit repositories |
| DNS Logs | T1068 | Detect resolution of github.com during exploit download |