A series of critical vulnerabilities in Windows Defender has been actively exploited by cybercriminals, who leverage publicly available exploit code to target enterprise systems. Originating from GitHub repositories, these zero-day flaws have become a significant concern for organizations that rely on Windows Defender for endpoint protection.
Recent Discoveries and Exploits
On April 2, 2026, a security researcher known as Nightmare-Eclipse released the BlueHammer exploit on GitHub. This action followed a disagreement with Microsoft’s Security Response Center regarding the disclosure process for the vulnerabilities. The primary vulnerability, identified as CVE-2026-33825, is a zero-day flaw arising from a race condition and path confusion in Windows Defender, affecting both Windows 10 and 11.
The exploit abuses Defender’s file remediation logic in combination with NTFS junction points and the Windows Cloud Files API, enabling privilege escalation to SYSTEM. Because this method requires neither a kernel exploit nor memory corruption, it is reliable and particularly dangerous.
Continued Exploitation and Security Concerns
Following the initial release, Nightmare-Eclipse introduced two more tools: RedSun and UnDefend. RedSun achieves SYSTEM privileges on Windows systems even after the April Patch Tuesday fixes, while UnDefend weakens Defender’s update mechanism. Both tools are being used by threat actors to compromise systems.
Huntress has confirmed active exploitation of these vulnerabilities, with attackers staging binaries in user directories, such as Pictures and Downloads, using filenames from the original exploit repositories. Notably, these incidents involve manual enumeration commands, indicating sophisticated intrusion attempts.
Mitigation Strategies and Microsoft’s Response
Microsoft addressed CVE-2026-33825 with the April 2026 security updates, but the flaws abused by RedSun and UnDefend remain unpatched. Security professionals are advised to apply all available updates, monitor for unsigned executables in user-writable directories, and implement strict privilege controls to mitigate risk.
Organizations should also be vigilant for EICAR test file drops and suspicious command executions such as 'whoami /priv' and 'net group'. Adopting a least-privilege model can help reduce potential exploitation pathways.
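A host-level triage check for the indicators this article lists (unsigned executables staged in Pictures and Downloads, Defender detections of the EICAR test string, and the 'whoami /priv' and 'net group' enumeration commands), as an added PowerShell example that is not part of the article or of any vendor tooling. The Defender operational log event IDs 1116/1117, Security event 4688 with command-line auditing enabled, the 7-day window and C:\Users as the profile root are assumptions; run it from an elevated session so the Security log is readable.

```powershell
# Added example, not from the article: a read-only triage script that checks one host for the
# indicators described above. Directory names, the 7-day window and the event IDs used are
# assumptions for this example; run it from an elevated PowerShell session.
function Find-DefenderStagingIndicators {
    [CmdletBinding()]
    param([int]$LookbackDays = 7)

    $since    = (Get-Date).AddDays(-$LookbackDays)
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Executables staged in user Pictures/Downloads folders that carry no valid Authenticode signature
    $stageDirs = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { foreach ($d in 'Pictures', 'Downloads') { Join-Path $_.FullName $d } } |
        Where-Object { Test-Path $_ }
    foreach ($dir in $stageDirs) {
        Get-ChildItem -Path $dir -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                if ($sig.Status -ne 'Valid') {
                    $findings.Add([pscustomobject]@{ Type = 'UnsignedBinary'; When = $_.LastWriteTime; Detail = "$($_.FullName) ($($sig.Status))" })
                }
            }
    }

    # 2. Defender detections whose message references the EICAR test string
    #    (event 1116 = detection, 1117 = remediation action taken)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117; StartTime = $since } -ErrorAction Stop |
            Where-Object { $_.Message -match 'EICAR' } |
            ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'EicarDrop'; When = $_.TimeCreated; Detail = ($_.Message -split "`r?`n")[0] }) }
    } catch { Write-Verbose "Defender log query returned nothing: $($_.Exception.Message)" }

    # 3. Process-creation events (4688) whose command line matches the enumeration commands seen by Huntress.
    #    Requires the 'Include command line in process creation events' policy; without it the field is empty.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction Stop |
            Where-Object { $_.Message -match 'whoami(\.exe)?\s+/priv|net1?(\.exe)?\s+group' } |
            ForEach-Object {
                $cmd = [regex]::Match($_.Message, 'Process Command Line:\s*(.+)').Groups[1].Value
                $findings.Add([pscustomobject]@{ Type = 'EnumCommand'; When = $_.TimeCreated; Detail = $cmd.Trim() })
            }
    } catch { Write-Verbose "Security log query returned nothing: $($_.Exception.Message)" }

    return $findings
}

Find-DefenderStagingIndicators | Sort-Object When | Format-Table -AutoSize
```

Each finding is a plain object, so the output can be piped to Export-Csv or forwarded to a SIEM instead of the console; an empty result only means these specific indicators were absent in the window, not that the host is clean.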
