
Nightmare-Eclipse Drops Yet Another Microsoft Exploit, RoguePlanet

Dark Reading Archived Jun 10, 2026 ✓ Full text saved

The disgruntled researcher released yet another PoC for a Windows Defender bug that allows for system takeover, showing no signs of abandoning their ongoing feud with Microsoft.

Elizabeth Montalbano, Contributing Writer
June 10, 2026

The zero-day "nightmare" apparently isn't over for Microsoft, as a disgruntled researcher who's been feuding with the company for the past three months has dropped yet another proof-of-concept (PoC) exploit for a purported zero-day flaw.

For the second month in a row, that researcher — who goes by the online name "Nightmare-Eclipse" — released a zero-day exploit called RoguePlanet right after Microsoft released its raft of Patch Tuesday updates yesterday, which contained a record 206 CVEs. Some of those updates addressed several previous zero-day exploits published by Nightmare-Eclipse.

The latest zero-day is once again for Windows Defender, the Microsoft security service that was also impacted by other exploits released by Nightmare-Eclipse. The vulnerability this time is exploited by "a race condition, so it's a hit or miss," the researcher wrote in GitHub notes for the RoguePlanet release. If successful, the exploit spawns a command shell running under SYSTEM-level privileges, which would give an attacker complete access to a compromised Windows machine.

Nightmare-Eclipse acknowledged that Microsoft tried to block their efforts to create the PoC and that they worked tirelessly to develop it for most of the month of May, an effort that "drained my soul," according to the blog post announcing RoguePlanet.

At this time, the PoC does not work in Windows Server because "standard users cannot mount an ISO image."
However, all Windows Server versions are vulnerable if the exploit is redesigned to circumvent the issue, according to Nightmare-Eclipse, who said they won't redesign it themselves since "I'm done with this bug," according to the GitHub notes. The PoC was tested on Windows 11, both the official channel and Canary releases, as well as Windows 10 with the June 2026 Patch Tuesday update installed, according to Nightmare-Eclipse.

Ongoing Dispute With Microsoft

The public dispute between Nightmare-Eclipse and Microsoft has by now been well-documented. It began with the release of the "BlueHammer" exploit in April from the researcher, who at first went by the name "Chaotic Eclipse." The exploit was for a zero-day tracked as CVE-2026-33825, a time-of-check to time-of-use (TOCTOU) vulnerability in Windows Defender's signature update workflow.

At the time, the researcher, who has yet to be identified, threatened Microsoft with more zero-day drops in apparent retaliation for the company's refusal to properly address its reported vulnerabilities. "I was not bluffing Microsoft and I'm doing it again," they wrote at the time in a blog post. Nightmare-Eclipse then made good on this threat and disclosed five more PoC exploits for other Microsoft zero-day flaws: RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma.

Microsoft released a fix for BlueHammer in its April Patch Tuesday updates. That fix didn't stop attackers from exploiting BlueHammer, as well as targeting RedSun and UnDefend after Nightmare-Eclipse's disclosure of those exploits. While Microsoft released fixes for the other exploits, the publication of such PoCs poses considerable risk to Microsoft customers.

Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, says the situation with Nightmare-Eclipse will probably not end well.
"Customers will be affected by these disclosures, even if it means they have to engage their emergency patch process instead of getting exploited," Childs tells Dark Reading. "I'm not sure what it will take for Microsoft to get this person to disclose their bugs privately, but clearly, they need to work on their outreach skills."

Microsoft's Response Drew Backlash

Microsoft was noticeably silent in terms of publicly responding when Nightmare-Eclipse first began releasing exploits, but by the end of May the software giant finally had enough. In a blog post published on May 27, the Microsoft Security Response Center (MSRC) said the six vulnerabilities "were not responsibly disclosed," and condemned the researcher's actions, even going so far as to suggest it would pursue criminal charges against researchers like Nightmare-Eclipse that published zero-days.

"Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences," MSRC said in the post at the time. "Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world."

Overall, security researchers responded negatively to Microsoft's statement, arguing that such threats are short-sighted and could potentially lead bug hunters to sell their findings to zero-day brokers and cybercriminals.

"The feud reads as a breakdown in coordinated vulnerability disclosure, not as random vandalism," Collin Hogue Spears, senior director of solution management at Black Duck, tells Dark Reading. While Microsoft later walked back its threats, he says a more "durable fix is a disclosure channel that gives researchers a real answer and a fast, explained bounty decision, backed by an explicit legal safe harbor."
"It also means ending what researchers describe here: a flaw patched in silence, and then the finder blamed in public," Spears observes.

Researchers and cybersecurity vendors have previously criticized Microsoft for years over the software giant's vulnerability disclosure program and its lack of transparency in disclosing certain cloud flaws. In response, Microsoft made vulnerability disclosure and transparency a core pillar of the company's Secure Future Initiative (SFI) in 2023 and later touted improvements in those areas.

What's Next for Nightmare-Eclipse?

Microsoft did not respond immediately Wednesday to Dark Reading's request for comment about the latest exploit from Nightmare-Eclipse and how, if at all, it plans to respond.

It seems that there likely will be more releases of zero-day exploits for other issues with Windows Defender as well, as Nightmare-Eclipse — despite the admitted degradation of their "mental and physical health" in developing the latest PoC — shows no signs of stopping in their exploit vendetta against the company.

"Microsoft efforts to protect Defender from path redirection attacks are useless," the researcher wrote in the post. "I have a batch of memory corruption vulnerabilities in defender as well and not to mention the other batch of vulnerabilities I have in several other components."

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze.
She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.