Leaked Windows Defender 0-Day Vulnerability Actively Exploited in Attacks - CyberSecurityNews

Source: CyberSecurityNews (archived May 06, 2026)
By Guru Baran, April 17, 2026

Three recently leaked Windows Defender privilege escalation vulnerabilities are being actively exploited in the wild, with threat actors deploying proof-of-concept exploit code sourced directly from public GitHub repositories against real enterprise targets.

On April 2, 2026, a security researcher operating under the alias Nightmare-Eclipse (also known as Chaotic Eclipse) published the BlueHammer exploit on GitHub following a reported dispute with Microsoft's Security Response Center (MSRC) over the handling of the vulnerability disclosure process. The zero-day, now tracked as CVE-2026-33825, exploits a time-of-check to time-of-use (TOCTOU) race condition and path confusion flaw within Windows Defender's signature update workflow, enabling a low-privileged local user to escalate to SYSTEM-level access on fully patched Windows 10 and Windows 11 systems. The exploit abuses the interaction between Microsoft Defender's file remediation logic, NTFS junction points, the Windows Cloud Files API, and opportunistic locks (oplocks); no kernel exploit or memory corruption is required.

Shortly after BlueHammer's release, Nightmare-Eclipse published two additional tools: RedSun, which also achieves SYSTEM privileges on Windows 10, Windows 11, and Windows Server 2019 and later, even after the April Patch Tuesday patches; and UnDefend, which disrupts Defender's update mechanism to progressively degrade its protective capabilities.

Huntress Confirms Active Exploitation

Huntress researchers are now actively observing threat actors weaponizing all three techniques against live targets. Binaries have been staged in low-privilege user directories, specifically within Pictures folders and two-letter subfolders inside Downloads directories, using the same filenames as the original PoC repositories, FunnyApp.exe and RedSun.exe, and in some instances renamed to z.exe.

On April 10, 2026, the execution of BlueHammer was detected via:

C:\Users\[REDACTED]\Pictures\FunnyApp.exe

Windows Defender blocked and quarantined the file, detecting it as Exploit:Win32/DfndrPEBluHmrBZ with a severity classification of Severe. The threat was detected in real time at 19:43:37 UTC and quarantined in under two minutes.

On April 16, 2026, a second incident was recorded involving:

C:\Users\[REDACTED]\Downloads\RedSun.exe

This invocation triggered a Virus:DOS/EICAR_Test_File alert, a deliberate component of RedSun's attack technique, which uses an EICAR test file to bait Defender's real-time engine into a detection-and-remediation cycle that can then be manipulated. Additionally, a secondary process, Undef.exe, was detected running with the command line argument -agressive, spawned as a child process of cmd.exe under Explorer.EXE, and flagged at High severity by ThreatOps Hunting rules.

Critically, both exploitation attempts followed a pattern of manual enumeration commands consistent with hands-on-keyboard threat actor activity, including:

- whoami /priv, to enumerate current user privileges
- cmdkey /list, to identify stored credentials
- net group, to map Active Directory group memberships

This pre-exploitation reconnaissance pattern strongly suggests a skilled adversary conducting targeted intrusions rather than opportunistic automated attacks.

Patch Status and Mitigations

Microsoft patched CVE-2026-33825 (BlueHammer) in the April 2026 Patch Tuesday update cycle. However, RedSun and UnDefend remain unpatched as of this writing, leaving millions of Windows systems at ongoing risk.

Security teams should immediately:

- Apply all April 2026 Windows security updates
- Monitor for unsigned executables in user-writable directories (Pictures, Downloads subfolders)
- Alert on EICAR test file drops by non-administrative processes
- Hunt for whoami /priv, cmdkey /list, and net group execution chains in endpoint telemetry
- Enforce least-privilege principles to limit the local access vectors required for exploitation
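As an added illustration of the hunting guidance above (not Huntress's or the article's own detection logic), this Python runs over constructed process-creation events and flags both the staging paths and the three-command reconnaissance chain the article describes. The event field names and sample events are assumptions, not real telemetry.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry). Fields mirror
# what most EDR exports carry: host, user, image path, full command line.
EVENTS = [
    {"host": "WS01", "user": "alice", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /priv"},
    {"host": "WS01", "user": "alice", "image": r"C:\Windows\System32\cmdkey.exe", "cmdline": "cmdkey /list"},
    {"host": "WS01", "user": "alice", "image": r"C:\Windows\System32\net.exe", "cmdline": "net group"},
    {"host": "WS01", "user": "alice", "image": r"C:\Users\alice\Pictures\FunnyApp.exe", "cmdline": "FunnyApp.exe"},
    {"host": "WS02", "user": "bob", "image": r"C:\Users\bob\Downloads\ab\z.exe", "cmdline": "z.exe"},
    {"host": "WS03", "user": "carol", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
]

# The three reconnaissance commands observed before each exploit run.
RECON = {
    "whoami /priv": re.compile(r"\bwhoami(?:\.exe)?\s+/priv\b", re.I),
    "cmdkey /list": re.compile(r"\bcmdkey(?:\.exe)?\s+/list\b", re.I),
    "net group": re.compile(r"\bnet1?(?:\.exe)?\s+group\b", re.I),
}
# Staging locations from the article: Pictures, or a two-letter subfolder of Downloads.
STAGING = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(?:pictures|downloads\\[a-z]{2})\\[^\\]+\.exe$", re.I)
# File names reused from the public PoC repositories, plus the renamed copy.
POC_NAMES = {"funnyapp.exe", "redsun.exe", "z.exe", "undef.exe"}


def staged_binary(image: str) -> bool:
    """True if an .exe runs from one of the user-writable staging paths."""
    return STAGING.match(image) is not None


def detect(events):
    """Return (host, user, reason) findings: every staged binary, plus any
    host/user pair that ran all three recon commands in the telemetry."""
    findings = []
    seen = defaultdict(set)            # (host, user) -> recon commands observed
    for ev in events:
        key = (ev["host"], ev["user"])
        for name, rx in RECON.items():
            if rx.search(ev["cmdline"]):
                seen[key].add(name)
        if staged_binary(ev["image"]):
            base = ev["image"].rsplit("\\", 1)[-1].lower()
            tag = "known PoC name" if base in POC_NAMES else "unexpected exe"
            findings.append((*key, f"staged binary ({tag}): {ev['image']}"))
    for key, cmds in seen.items():
        if cmds == set(RECON):
            findings.append((*key, "recon chain: " + ", ".join(sorted(cmds))))
    return findings
```

A lone whoami without /priv (WS03) is deliberately not flagged, since that alone is common administrative noise; the chain of all three commands is what the article ties to hands-on-keyboard activity.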