Exploits Turn Windows Defender into Attacker Tool
Three proof-of-concept exploits are being used in active attacks against Microsoft's built-in security platform; two are unpatched.
Jai Vijayan, Contributing Writer
April 21, 2026
Threat actors are using three publicly available proof-of-concept exploits to attack Microsoft Defender and turn the security platform's primary cleanup and protection functions against organizations it is designed to protect.
Two of the exploits enable SYSTEM-level access on vulnerable systems. The third quietly disrupts Defender's update mechanism to progressively degrade its ability to detect new threats.
A Trio of Exploits
A researcher using the moniker Nightmare-Eclipse publicly released the PoCs after allegedly trying to report them to Microsoft first and not getting a proper response.
One of the exploits, dubbed BlueHammer, was used as a zero-day against CVE-2026-33825, a time-of-check to time-of-use (TOCTOU) vulnerability in Windows Defender's signature update workflow. As security vendor Vectra.ai described the exploit, "Defender detects a suspicious file, decides to rewrite it, and an attacker wins a race condition that redirects that rewrite to a location of their choosing." Attackers can gain SYSTEM-level access without a kernel exploit or memory corruption and just via abuse of how Defender interacts with the file system during remediation, the security vendor said.
Microsoft issued a patch for the flaw in its security update for April. That patch mitigates the threat from BlueHammer but does not protect against the two other PoC exploits that Nightmare-Eclipse has publicly released: RedSun and UnDefend.
In a statement, a Microsoft spokeswoman identified RedSun and UnDefend as separate issues from BlueHammer. "Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible," the statement said. "We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community."
Turning Defender Against its Users
RedSun works similarly to BlueHammer but targets TieringEngineService.exe, a Defender background process for classifying and prioritizing detected files and threats. All an attacker has to do to trigger the vulnerability, according to Vectra.ai, is to use an embedded EICAR test string, which many security teams use to safely verify that an antivirus tool is properly detecting threats. When Defender detects the test string, it "initiates a remediation cycle, and RedSun wins the race to redirect the resulting file rewrite. At that point, the Cloud Files Infrastructure executes the attacker-planted binary as SYSTEM," Vectra said.
RedSun works against fully patched Windows 10, Windows 11, Windows Server 2019, and later systems including those running Patch Tuesday updates.
UnDefend, meanwhile, is an exploit that an attacker can deploy after gaining SYSTEM access via either BlueHammer or RedSun. "Spawn it as a child of cmd.exe under Explorer and run it with the -aggressive flag … and you begin starving Defender of current threat intelligence without triggering the kind of hard failure that would generate an obvious alert," Vectra said.
Targeted, Hands-on Attack
Researchers at Huntress Labs reported observing what appeared to be targeted attack activity involving the three exploits. The firm's analysis suggested someone is using the exploits in deliberate, hands-on intrusions, with the attackers manually running privilege enumeration commands before attempting exploitation. Huntress said it found the attackers staging binaries in low-noise user directories like Pictures folders and two-letter subfolders inside Downloads using original filenames and renamed variants designed to escape detection. The renamed binaries significantly reduced detection rates on VirusTotal.
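The staging pattern Huntress describes (binaries dropped in Pictures folders and in two-letter subfolders under Downloads, some renamed to evade detection) is something a defender can sweep for directly. The following PowerShell script is an added example written for this article; it is not code from Huntress, Picus, Vectra or the article itself. It walks those two locations in every user profile, identifies executables by their MZ header rather than by file extension (so renamed variants are still listed), and reports path, timestamp and SHA-256 for triage. The profile root, the age window and the two-character folder pattern are assumptions of this example.

```powershell
# Added example (not from the article or the vendors it quotes): hunt for PE
# files staged in Pictures and in two-letter subfolders under Downloads.
# Assumptions: profiles live under <SystemDrive>\Users; only files modified
# in the last $MaxAgeDays days are of interest; two-letter folder names are
# matched as exactly two alphanumeric characters.

param(
    [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users'),
    [int]$MaxAgeDays = 30
)

# Read the first two bytes and check for the 'MZ' DOS header. This catches
# executables that have been renamed to a non-.exe extension.
function Test-PEHeader {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buf = New-Object byte[] 2
            $n = $fs.Read($buf, 0, 2)
            return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally {
            $fs.Dispose()
        }
    } catch {
        return $false
    }
}

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)
$candidates = @()

foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
    # Pictures: the whole tree is low-noise, so sweep it entirely.
    $pictures = Join-Path $profile.FullName 'Pictures'
    if (Test-Path $pictures) {
        $candidates += Get-ChildItem -Path $pictures -File -Recurse -Force -ErrorAction SilentlyContinue
    }

    # Downloads: only the two-letter subfolders the report describes, not the
    # (much noisier) top level.
    $downloads = Join-Path $profile.FullName 'Downloads'
    if (Test-Path $downloads) {
        Get-ChildItem -Path $downloads -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^[A-Za-z0-9]{2}$' } |
            ForEach-Object {
                $candidates += Get-ChildItem -Path $_.FullName -File -Recurse -Force -ErrorAction SilentlyContinue
            }
    }
}

$hits = foreach ($f in $candidates) {
    if ($f.LastWriteTime -lt $cutoff) { continue }
    if (-not (Test-PEHeader $f.FullName)) { continue }
    [pscustomobject]@{
        Path          = $f.FullName
        Extension     = $f.Extension
        SizeBytes     = $f.Length
        LastWriteTime = $f.LastWriteTime
        SHA256        = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

$hits | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Run it from an elevated session so every profile is readable, and ship the resulting hashes to a system outside the endpoint for comparison; the article's point that UnDefend can misreport endpoint health applies equally to any check that relies only on what the host says about itself.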
"Recent activity shows BlueHammer, RedSun, and UnDefend are now being used with minimal modification," says Hüseyin Can Yüceel, security research lead at Picus Security. "Binaries are being staged in low-privilege user directories such as Downloads and Pictures, often reusing original proof-of-concept filenames or lightly obfuscated variants like renamed executables." The attacks reflect low complexity but effective tradecraft, where moderately skilled adversaries are leveraging public exploit code in post-compromise scenarios to escalate privileges or weaken endpoint defenses, Yüceel says. While all three PoCs target Defender, the patch for CVE-2026-33825 does not protect the broader attack surface exposed by the other two techniques, he says.
"These exploits point to broader trust and validation weaknesses in Defender's privileged workflows," Yüceel notes. BlueHammer abuses a race condition in file remediation, RedSun targets the handling of cloud-tagged file rollback, and UnDefend exposes weaknesses in update and health reporting mechanisms. The exploits require an attacker to have local access. But once that access is obtained, even a moderately skilled adversary can use the exploits to reliably achieve privilege escalation or weaken defenses, he adds. "Together, they highlight systemic issues around path validation, race conditions, and over-trust in privileged file handling."
Justin Howe, senior solutions architect at Vectra, describes RedSun and UnDefend as exploiting separate, independent flaws in Defender for which there are no CVEs yet.
Each of Nightmare-Eclipse's exploits abuses a different aspect of the same gap: Microsoft Defender performs privileged file operations without validating its own I/O paths at the moment of execution, he says.
BlueHammer abuses a VSS snapshot mount during Defender's signature update workflow, RedSun takes advantage of an unvalidated write during cloud-file remediation, and UnDefend tampers with Defender's signature update pipeline while reporting the endpoint as healthy to the management console. "The bigger picture is that Defender is inside the trust boundary it is trying to enforce. When attackers manipulate its own privileged workflows, it becomes a delivery mechanism," Howe says.
The Harder Part is Initial Access
Independent researchers have tested the PoCs and reproduced them successfully, he notes. The hard part for attackers is going to be the initial access, not the exploitation. "Every in-the-wild case Huntress has reported started with a compromised SSL VPN account without [multifactor authentication]. Once an attacker has any foothold, converting it to SYSTEM with RedSun is trivial," Howe says.
He recommends that organizations apply Microsoft's April 2026 updates to close BlueHammer and confirm that Antimalware Platform v4.18.26050.3011 is present. "UnDefend can falsify the dashboard, so verify the version itself," he advises.
To protect against the initial access, organizations should enforce multifactor authentication on every VPN and remote access path. They should also block execution from user-writable directories such as Downloads, Pictures, and Temp, and baseline the hash of TieringEngineService.exe so any changes are visible immediately. "Add a detection layer that does not share a trust boundary with the endpoint agent being targeted," Howe says.
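The two endpoint-side checks recommended above (confirm the Antimalware Platform version on the host itself rather than trusting the console, and baseline the hash of TieringEngineService.exe) can be scripted. The PowerShell below is an added example written for this article, not code from Vectra, Microsoft or the article; it reads the platform version and signature timestamp from the local Defender state via Get-MpComputerStatus, hashes the binary, and emits one object that a collector off the endpoint can compare against expected values. The required version is the one the article names; the System32 location of TieringEngineService.exe, the 24-hour signature-age threshold and the optional expected-hash parameter are assumptions of this example.

```powershell
# Added example (not from the article or Vectra): verify Defender platform
# version, signature freshness and the TieringEngineService.exe hash on the
# host itself. Output is a single object so it can be collected and compared
# outside the endpoint's own trust boundary.
# Assumptions: the binary lives in System32; a platform older than the
# article's 4.18.26050.3011 is flagged; signatures older than 24 hours are
# flagged; -ExpectedTieringEngineHash is an optional known-good SHA-256
# supplied by the operator.

param(
    [string]$RequiredPlatformVersion = '4.18.26050.3011',
    [string]$TieringEnginePath = (Join-Path $env:SystemRoot 'System32\TieringEngineService.exe'),
    [string]$ExpectedTieringEngineHash = '',
    [int]$MaxSignatureAgeHours = 24
)

$findings = @()

# 1. Platform version. Get-MpComputerStatus queries the local Defender
#    service; AMProductVersion is the Antimalware Platform version.
$status = Get-MpComputerStatus
$installed = [version]$status.AMProductVersion
$required = [version]$RequiredPlatformVersion
if ($installed -lt $required) {
    $findings += "Antimalware Platform $installed is older than required $required"
}

# 2. Signature freshness. A starved update pipeline shows up here as stale
#    definitions even when the management console still reports the host
#    as healthy.
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
    $findings += ('Signatures {0} last updated {1:N1} hours ago' -f
        $status.AntivirusSignatureVersion, $sigAge.TotalHours)
}

# 3. Binary baseline. Always report the current hash; compare only if the
#    operator supplied a known-good value.
$currentHash = $null
if (Test-Path $TieringEnginePath) {
    $currentHash = (Get-FileHash -Path $TieringEnginePath -Algorithm SHA256).Hash
    if ($ExpectedTieringEngineHash -and ($currentHash -ne $ExpectedTieringEngineHash.ToUpper())) {
        $findings += "TieringEngineService.exe hash $currentHash differs from expected $ExpectedTieringEngineHash"
    }
} else {
    $findings += "TieringEngineService.exe not found at $TieringEnginePath"
}

# 4. Emit one record for central collection.
[pscustomobject]@{
    ComputerName               = $env:COMPUTERNAME
    CheckedAt                  = (Get-Date).ToString('o')
    AMProductVersion           = $status.AMProductVersion
    AMEngineVersion            = $status.AMEngineVersion
    AntivirusSignatureVersion  = $status.AntivirusSignatureVersion
    SignatureAgeHours          = [math]::Round($sigAge.TotalHours, 1)
    TieringEngineSHA256        = $currentHash
    Findings                   = $findings
    Healthy                    = ($findings.Count -eq 0)
} | ConvertTo-Json -Depth 3

if ($findings.Count -gt 0) { exit 1 }
```

The expected hash is deliberately passed in rather than stored on the host: an attacker who already holds SYSTEM can rewrite a local baseline file as easily as the binary, so the comparison value should come from, and the JSON should go to, a system that does not share the endpoint's trust boundary.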
About the Author
Jai Vijayan
Contributing Writer
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.