Zero-Day Alert: The “Red Sun” Vulnerability Turning Microsoft Defender into a Hacker’s Tool
The post Zero-Day Alert: The “Red Sun” Vulnerability Turning Microsoft Defender into a Hacker’s Tool appeared first on Daily CyberSecurity.

Attackers are exploiting three recently disclosed zero-day flaws in Microsoft Defender to gain higher privileges on compromised systems. The vulnerabilities, named BlueHammer, RedSun, and UnDefend, were disclosed by a researcher known as Chaotic Eclipse, who published them after criticizing Microsoft’s handling of the disclosure process.
Chaotic Eclipse also published proof-of-concept code for the unpatched Windows bug.
BlueHammer and RedSun are local privilege escalation flaws in Microsoft Defender. UnDefend instead causes a denial of service: it blocks security definition updates, leaving the endpoint with weakened protection.
At this time, Microsoft has fixed only the BlueHammer flaw, tracked as CVE-2026-33825; RedSun and UnDefend remain unpatched.
Huntress researchers reported that attackers are exploiting all three Windows flaws against live systems, though the victims and the attackers behind the activity remain unknown.
Huntress said it saw real-world exploitation of all three flaws. Attackers began using BlueHammer on April 10, 2026, then followed with the RedSun and UnDefend proof-of-concept exploits on April 16.
Researchers believe the attackers are using the public exploit code that Chaotic Eclipse released online.
The Huntress SOC is observing the use of Nightmare-Eclipse's BlueHammer, RedSun, and UnDefend exploitation techniques.
Investigation by: @wbmmfq, @Curity4201, + @_JohnHammond pic.twitter.com/ZFRI2XAYIA
— Huntress (@HuntressLabs) April 16, 2026
And today, April 16:
→ C:\Users\[REDACTED]\Downloads\RedSun.exe
This triggered a Defender EICAR file alert, as is part of its attack technique. pic.twitter.com/LulC1QNiBn
— Huntress (@HuntressLabs) April 16, 2026
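The detail in Huntress’s second post, that running RedSun.exe from a user’s Downloads folder deliberately trips a Defender EICAR alert, gives defenders a hunting lead: an EICAR hit is normally a harmless antivirus test, but one fired from a user profile directory, and inside an executable rather than the standard test file, is worth escalating. The following is added example code written for this article, not code from Huntress, Microsoft, or the researcher. It triages constructed Defender detection records; the Event ID (1116, Defender’s “malware detected” event) and the threat name Virus:DOS/EICAR_Test_File are Microsoft’s real values, while the record field names and sample paths are assumptions.

```python
"""Triage Microsoft Defender EICAR detections that look like exploit abuse.

Added example, not the article's or any vendor's code. Record field names
(time, event_id, threat, path, user) are assumptions; the sample events
below are constructed and do not describe any real incident.
"""
import re
from typing import Dict, List, Tuple

# Microsoft's threat name for the EICAR test string is Virus:DOS/EICAR_Test_File;
# match loosely so renamed variants of the signature are still caught.
EICAR_THREAT = re.compile(r"EICAR", re.IGNORECASE)

# User-writable locations a downloaded or dropped tool would typically run from.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\",
    re.IGNORECASE,
)

# The canonical EICAR test file is eicar.com / eicar.txt; an EICAR hit inside
# one of these executable types is not a routine AV test.
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd")

# Constructed sample records modelled on Defender's "malware detected" event
# (Event ID 1116 in the Microsoft-Windows-Windows Defender/Operational log).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"time": "2026-04-16T09:12:03Z", "event_id": 1116,
     "threat": "Virus:DOS/EICAR_Test_File",
     "path": r"C:\Users\alice\Downloads\RedSun.exe",   # constructed
     "user": r"CORP\alice"},
    {"time": "2026-04-16T10:40:00Z", "event_id": 1116,
     "threat": "Virus:DOS/EICAR_Test_File",
     "path": r"C:\AVTest\eicar.com",                    # sanctioned AV test
     "user": r"CORP\svc-avtest"},
    {"time": "2026-04-16T11:05:17Z", "event_id": 1116,
     "threat": "Trojan:Win32/Example!ml",               # constructed, non-EICAR
     "path": r"C:\Users\bob\Downloads\invoice.exe",
     "user": r"CORP\bob"},
]


def score_eicar_event(event: Dict[str, object]) -> List[str]:
    """Return the reasons an EICAR detection deserves analyst attention.

    An empty list means: EICAR hit, but nothing unusual about it.
    """
    reasons: List[str] = []
    path = str(event.get("path", ""))
    if USER_WRITABLE.search(path):
        reasons.append("EICAR hit in a user-writable profile directory")
    if path.lower().endswith(EXECUTABLE_EXT):
        reasons.append("EICAR signature inside an executable, not a test file")
    return reasons


def triage(events: List[Dict[str, object]]) -> List[Tuple[str, str, List[str]]]:
    """Keep only Defender 1116 events naming EICAR, score them, and rank them.

    Returns (path, user, reasons) tuples, most suspicious first; events that
    look like an ordinary AV self-test (no reasons) are dropped.
    """
    findings: List[Tuple[str, str, List[str]]] = []
    for ev in events:
        if ev.get("event_id") != 1116:
            continue
        if not EICAR_THREAT.search(str(ev.get("threat", ""))):
            continue
        reasons = score_eicar_event(ev)
        if reasons:
            findings.append((str(ev["path"]), str(ev["user"]), reasons))
    findings.sort(key=lambda f: len(f[2]), reverse=True)
    return findings


if __name__ == "__main__":
    for path, user, reasons in triage(SAMPLE_EVENTS):
        print(f"{user}: {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the constructed sample, only the Downloads\RedSun.exe record survives triage, with both reasons attached; the eicar.com hit from the sanctioned test location is filtered out, and the non-EICAR trojan detection is ignored because it belongs to a different workflow. In production the same two rules can be applied to events pulled from the Defender operational log, with the location allow-list extended to wherever your own security team runs EICAR checks.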
When exploit code becomes publicly available, threat actors can quickly weaponize it in attacks in the wild.
(SecurityAffairs – hacking, Microsoft defender)