The researcher behind the BlueHammer leak is not done with Microsoft. On April 15, proof-of-concept code for two additional Windows Defender zero-days, RedSun and UnDefend, was published to GitHub under the aliases “Chaotic Eclipse” and “Nightmare-Eclipse.” Within 24 hours, Huntress reported seeing both being used in real intrusions alongside BlueHammer. Microsoft has patched one of the three. The other two still have no fix.
If you run Windows endpoints with Defender enabled (which is essentially every Windows fleet on the planet), this is now an active, unpatched local-privilege-escalation problem.
The Three-Flaw Picture
Here is where each exploit stands as of April 18:
- BlueHammer: Patched as CVE-2026-33825 in the April 14 Patch Tuesday release. At disclosure time Microsoft rated it “publicly disclosed, no known exploitation.” That window closed fast: Huntress observed in-the-wild exploitation beginning April 10, before the fix shipped.
- RedSun: No CVE, no patch. PoC dropped April 15, weaponized by at least one threat actor by April 16.
- UnDefend: No CVE, no patch. Dropped alongside RedSun on April 15, also seen in the wild within a day.
All three chain well with any initial-access vector. None of them require remote network exploitation; they are post-compromise escalation primitives, which is exactly what ransomware crews and hands-on-keyboard operators need.
RedSun: Turning Defender Into a SYSTEM-Level File Writer
RedSun is the most technically interesting of the new pair. The vulnerability is a logic flaw in how Defender handles files marked with the Windows Cloud Files API “cloud tag.” When Defender detects malware in a placeholder cloud-synced file, it does not simply quarantine the file; it can rewrite or restore the file to its original path, and it does so as SYSTEM.
The exploit chain turns that well-intentioned recovery behavior into a primitive for arbitrary file write:
- Register a fake cloud sync provider using legitimate Windows APIs (the same ones OneDrive and Dropbox use).
- Create a placeholder file with metadata designed to trip Defender’s scan logic.
- Plant an NTFS directory junction (reparse point) so the file’s parent path redirects to C:\Windows\System32.
- Combine with opportunistic locks (oplocks) to pause Defender at the precise moment in the “remediation” code path.
- Defender, running as SYSTEM, writes attacker-controlled bytes into a protected System32 directory.
From there, overwriting an auto-loaded DLL or service binary produces SYSTEM code execution. The PoC author reports roughly 100% reliability against Windows 10, Windows 11, and Windows Server 2019+ with the April 2026 updates applied, meaning BlueHammer’s patch does nothing to blunt this one.
In the wild, Huntress is seeing attackers drop binaries named RedSun.exe and FunnyApp.exe into user-writable paths like Downloads and Pictures, followed by the hands-on enumeration sequence that typically precedes lateral movement: whoami /priv, cmdkey /list, net group, net localgroup administrators.
UnDefend: Blinding the Endpoint
UnDefend is less exotic but arguably more operationally useful for a threat actor who already has a foothold. It lets an unprivileged user prevent Defender from receiving signature updates or, under specific conditions (namely a major Defender update rollout from Microsoft), disable Defender entirely.
That is a devastating precursor. A ransomware affiliate can pop UnDefend as step one, then drop whatever tooling they want without tripping signature-based detections. It weaponizes Defender’s own update machinery against the defender it is meant to protect.
Why This Keeps Happening
This is the second wave of leaks from the same researcher, who has publicly framed the disclosures as a protest against Microsoft’s Security Response Center (MSRC). Their complaint: MSRC allegedly downplayed BlueHammer’s severity and offered no credible remediation timeline, so the researcher dumped a working PoC and moved on. The follow-up leaks suggest they have more findings sitting on disk, and that the relationship with MSRC has not improved.
Whatever you think of the ethics, the practical consequence is that defenders are playing catch-up in public.
Detection and Mitigation
There is no patch for RedSun or UnDefend. Defensive options for the next few weeks:
- Hunt for the known binary names RedSun.exe and FunnyApp.exe in Downloads, Pictures, Public, and Temp folders. Trivial to rename, but still catches the lazy operators.
- Monitor for fake cloud sync provider registrations. Legitimate providers are a short, known list (OneDrive, Dropbox, Google Drive, iCloud, Box). Anything else registering a cloud storage provider via StorageProviderSyncRootManager APIs is suspicious.
- Alert on reparse point creation targeting C:\Windows\System32 or other protected directories from non-elevated processes.
- Watch for the Huntress-observed enumeration cluster (whoami /priv, cmdkey /list, net group), especially executing in sequence from the same process tree as a binary under Downloads or Pictures.
- For UnDefend specifically, monitor for unexpected failures of Defender signature updates and disabled AV telemetry from endpoints that should be healthy. A sudden quiet endpoint is often a loud one.
- Tighten application control. If you have AppLocker, WDAC, or an EDR with execution policy, deny execution from user-writable paths for anything unsigned. This is the cheapest, most effective mitigation available right now.
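One way to implement the known-binary hunt and the enumeration-cluster check from the list above, as an added example that is not code from the original article, from Huntress, or from any of the cited sources: a small Python correlator that walks the process tree of exported process-creation events and raises an alert when two or more of the enumeration commands descend from a binary running out of a user-writable folder. The field names (pid, ppid, image, cmdline) and the sample events are assumptions; map them onto whatever your SIEM or Sysmon Event ID 1 / Security 4688 export actually provides.

```python
import re
from collections import defaultdict

# Binary names Huntress reported seeing in the wild.
KNOWN_BINARY_NAMES = {"redsun.exe", "funnyapp.exe"}

# User-writable folders named in the article; extend to match your environment.
USER_WRITABLE_RE = re.compile(r"\\(downloads|pictures|public|temp)\\", re.IGNORECASE)

# The hands-on enumeration cluster observed after the RedSun drop.
# net.exe hands off to net1.exe, so both spellings are accepted.
ENUM_PATTERNS = {
    "whoami /priv": re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.IGNORECASE),
    "cmdkey /list": re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.IGNORECASE),
    "net group": re.compile(r"\bnet1?(\.exe)?\s+group\b", re.IGNORECASE),
    "net localgroup administrators": re.compile(
        r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b", re.IGNORECASE),
}
MAX_DEPTH = 8  # how far up the tree to look for the launching binary

# Constructed sample events (assumed schema), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900,  "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5200, "ppid": 4100, "image": r"C:\Users\alice\Downloads\FunnyApp.exe", "cmdline": "FunnyApp.exe"},
    {"pid": 5210, "ppid": 5200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami /priv"},
    {"pid": 5220, "ppid": 5200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c cmdkey /list"},
    {"pid": 5230, "ppid": 5220, "image": r"C:\Windows\System32\net.exe", "cmdline": "net localgroup administrators"},
    # Benign: an admin running a single whoami from an ordinary PowerShell session.
    {"pid": 6100, "ppid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    {"pid": 6110, "ppid": 6100, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /priv"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_root(event):
    """A known binary name, or any image launched from a user-writable folder."""
    image = event["image"]
    return basename(image) in KNOWN_BINARY_NAMES or bool(USER_WRITABLE_RE.search(image))


def find_root(pid, by_pid):
    """Walk up from pid (inclusive) and return the first ancestor event that
    qualifies as a suspicious root, or None if none is found within MAX_DEPTH."""
    depth = 0
    while pid in by_pid and depth < MAX_DEPTH:
        event = by_pid[pid]
        if is_suspicious_root(event):
            return event
        pid = event["ppid"]
        depth += 1
    return None


def matched_enum(cmdline):
    """Labels of every enumeration pattern present in a command line."""
    return [label for label, rx in ENUM_PATTERNS.items() if rx.search(cmdline)]


def analyze(events, threshold=2):
    """Return alerts: one per known-binary execution, plus one per suspicious
    root that has at least `threshold` distinct enumeration commands beneath it."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)  # root pid -> set of enumeration labels
    alerts = []
    for event in events:
        if basename(event["image"]) in KNOWN_BINARY_NAMES:
            alerts.append({"kind": "known_binary", "pid": event["pid"], "image": event["image"]})
        for label in matched_enum(event["cmdline"]):
            root = find_root(event["pid"], by_pid)
            if root is not None:
                hits[root["pid"]].add(label)
    for root_pid, labels in hits.items():
        if len(labels) >= threshold:
            alerts.append({"kind": "enumeration_cluster", "pid": root_pid,
                           "image": by_pid[root_pid]["image"], "commands": sorted(labels)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The threshold of two distinct commands is what keeps the lone `whoami /priv` from the PowerShell session quiet; the same command run from under the FunnyApp.exe tree counts toward the cluster because the tree walk reaches a root in Downloads. Renamed binaries are still caught by the path check, which is why the cluster rule is anchored on the launching folder rather than on the file name alone.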
Huntress and several other MDR providers have pushed behavioral detections for all three exploits. If you use a managed EDR, confirm with your vendor that RedSun and UnDefend coverage is live.
What to Tell Leadership
Three Defender zero-days, two unpatched, all being used by real threat actors within a day of public disclosure. The initial-access vector is still what it always is (phishing, exposed RDP, unpatched edge devices), but once an attacker is on a box, there is now a near-100%-reliable path from low-privilege user to SYSTEM on essentially any Windows endpoint, including fully patched ones. Assume post-exploitation LPE is a solved problem for adversaries until Microsoft ships fixes for RedSun and UnDefend. Plan detection and network segmentation accordingly.
Sources: The Hacker News · Help Net Security · SecurityAffairs · CloudSEK RedSun analysis · Blackswan Threat Advisory