Windows Defender 0-Day Actively Exploited Leaked Vulnerability

Threat actors are actively exploiting three recently leaked Windows Defender privilege escalation vulnerabilities in the wild. They are deploying proof-of-concept exploit code, sourced directly from public GitHub repositories, against real enterprise targets.

On April 2, 2026, a security researcher operating under the alias Nightmare-Eclipse (also known as Chaotic Eclipse) published the BlueHammer exploit on GitHub following a reported dispute with Microsoft’s Security Response Center (MSRC) over the handling of the vulnerability disclosure process.

The zero-day, now tracked as CVE-2026-33825, exploits a time-of-check to time-of-use (TOCTOU) race condition and path confusion flaw within Windows Defender’s signature update workflow, enabling a low-privileged local user to escalate to SYSTEM-level access on fully patched Windows 10 and Windows 11 systems.

The exploit abuses the interaction between Microsoft Defender’s file remediation logic, NTFS junction points, the Windows Cloud Files API, and opportunistic locks (oplocks); no kernel exploit or memory corruption is required.

Shortly after BlueHammer’s release, Nightmare-Eclipse published two additional tools: RedSun, which also achieves SYSTEM privileges on Windows 10, Windows 11, and Windows Server 2019, and later even after the April Patch Tuesday patches; and UnDefend, which disrupts Defender’s update mechanism to progressively degrade its protective capabilities.

Huntress Confirms Active Exploitation

Huntress researchers are now actively observing threat actors weaponizing all three techniques against live targets. Binaries have been staged in low-privilege user directories, specifically within Pictures folders and two-letter subfolders inside Downloads directories using the same filenames from the original PoC repositories: FunnyApp.exe and RedSun.exe, and in some instances, renamed to z.exe.

On April 10, 2026, the execution of BlueHammer was detected via:

• C:Users[REDACTED]PicturesFunnyApp.exe

Windows Defender blocked and quarantined the file, detecting it as Exploit:Win32/DfndrPEBluHmrBZ with a severity classification of Severe [file:3]. The threat was detected in real-time at 19:43:37 UTC and quarantined within under two minutes.

On April 16, 2026, a second incident was recorded involving:

• C:Users[REDACTED]DownloadsRedSun.exe

This invocation triggered a Virus:DOS/EICAR_Test_File alert a deliberate component of RedSun’s attack technique, which uses an EICAR test file to bait Defender’s real-time engine into a detection-and-remediation cycle that can then be manipulated.

Additionally, a secondary process, Undef.exe, was detected running with the command line argument -agressive, spawned as a child process of cmd.exe under Explorer.EXE, and flagged at High severity by ThreatOps Hunting rules.

Critically, both exploitation attempts followed a pattern of manual enumeration commands consistent with hands-on-keyboard threat actor activity, including:

• whoami /priv — to enumerate current user privileges
• cmdkey /list — to identify stored credentials
• net group — to map Active Directory group memberships

This pre-exploitation reconnaissance pattern strongly suggests a skilled adversary conducting targeted intrusions rather than opportunistic automated attacks.

Patch Status and Mitigations

Microsoft patched CVE-2026-33825 (BlueHammer) in the April 2026 Patch Tuesday update cycle. However, RedSun and UnDefend remain unpatched as of this writing, leaving millions of Windows systems at ongoing risk. Security teams should immediately:

• Apply all April 2026 Windows security updates
• Monitor for unsigned executables in user-writable directories (Pictures, Downloads subfolders)
• Alert on EICAR test file drops by non-administrative processes
• Hunt for whoami /priv, cmdkey /list, and net group execution chains in endpoint telemetry
• Enforce least-privilege principles to limit local access vectors required for exploitation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.