
Huntress warns that attackers are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges on compromised systems.
This activity included exploitation of three vulnerabilities codenamed BlueHammer (GitHub sign-in required), RedSun, and UnDefend, all of which were released as zero-days by researchers known as Chaotic Eclipse (also known as Nightmare-Eclipse) in response to Microsoft’s vulnerability disclosure process.
BlueHammer and RedSun are both local privilege escalation (LPE) flaws affecting Microsoft Defender, while UnDefend can be used to cause a denial of service (DoS) condition that effectively blocks definition updates.
Microsoft addressed BlueHammer, tracked as CVE-2026-33825, as part of the Patch Tuesday update released earlier this week. The other two flaws remain unpatched as of this writing.
In a series of posts shared on X, Huntress said it observed all three flaws being exploited in the wild, with BlueHammer weaponized starting April 10, 2026, followed by the RedSun and UnDefend proof-of-concept (PoC) exploits on April 16.
“These calls followed typical keyboard enumeration commands that indicate threat actor activity, such as whoami /priv, cmdkey /list, and net group,” it added.
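As an added example (not code from Huntress or The Hacker News), the following detection routine flags a host/user pair that runs two or more of the enumeration commands quoted above within a five-minute window, rather than alerting on a single `whoami`. The pipe-delimited event format and the sample events are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Enumeration commands named in the Huntress observation above; matching is
# case-insensitive and tolerant of a full exe path or extra whitespace.
ENUM_PATTERNS = {
    "whoami /priv": re.compile(r"(?:^|[\\/\s])whoami(?:\.exe)?\s+/priv\b", re.I),
    "cmdkey /list": re.compile(r"(?:^|[\\/\s])cmdkey(?:\.exe)?\s+/list\b", re.I),
    "net group":    re.compile(r"(?:^|[\\/\s])net1?(?:\.exe)?\s+group\b", re.I),
}

# Constructed sample telemetry (not real data): "timestamp|host|user|command line",
# the fields a process-creation event (Sysmon ID 1 / Security 4688) reduces to.
SAMPLE_EVENTS = """\
2026-04-16T09:12:03|WS01|acme\\alice|C:\\Windows\\System32\\whoami.exe /priv
2026-04-16T09:12:09|WS01|acme\\alice|cmdkey /list
2026-04-16T09:13:41|WS01|acme\\alice|net group "Domain Admins" /domain
2026-04-16T09:30:00|WS02|acme\\bob|whoami /priv
2026-04-16T11:45:10|WS02|acme\\bob|net  group
2026-04-16T09:31:00|WS03|acme\\svc_backup|C:\\Program Files\\Backup\\agent.exe --run
"""

def classify(cmdline):
    """Return the enumeration label a command line matches, or None."""
    for label, pattern in ENUM_PATTERNS.items():
        if pattern.search(cmdline):
            return label
    return None

def find_enumeration_bursts(raw_events, window=timedelta(minutes=5), min_distinct=2):
    """Alert on each (host, user) that ran >= min_distinct different
    enumeration commands within `window`; a lone command is not enough."""
    by_actor = defaultdict(list)
    for line in raw_events.strip().splitlines():
        ts, host, user, cmd = line.split("|", 3)
        label = classify(cmd)
        if label:
            by_actor[(host, user)].append((datetime.fromisoformat(ts), label))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()  # chronological per actor
        for i, (start, _) in enumerate(hits):
            in_window = {lbl for t, lbl in hits[i:] if t - start <= window}
            if len(in_window) >= min_distinct:
                alerts.append({"host": host, "user": user, "commands": sorted(in_window),
                               "first_seen": start.isoformat()})
                break  # one alert per actor
    return alerts
```

On the sample data only WS01 is flagged: WS02 ran two enumeration commands, but more than two hours apart, so they fall outside the window.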
The cybersecurity vendor said it has taken steps to isolate affected organizations to prevent further damage following the exploitation attempts. The Hacker News has reached out to Microsoft for comment and will update the article if we hear back.
