LevelBlue SpiderLabs tracked a series of public zero-day disclosures by the anonymous actor Chaotic Eclipse / Nightmare Eclipse, including YellowKey, GreenPlasma, and MiniPlasma, affecting Windows security, WinRE, BitLocker, and privilege escalation paths. Microsoft assigned CVE-2026-45585 to the YellowKey BitLocker bypass and released mitigation guidance, while the report details PoC mechanics, detection opportunities, and attacker artifacts tied to the disclosed techniques. #ChaoticEclipse #NightmareEclipse #YellowKey #GreenPlasma #MiniPlasma #CVE-2026-45585 #WinRE #BitLocker
Key points
- LevelBlue SpiderLabs has been tracking public zero-day disclosures attributed to an anonymous actor using the names Chaotic Eclipse and Nightmare Eclipse.
- YellowKey is a BitLocker security feature bypass that abuses WinRE and early-boot transaction replay to launch a SYSTEM-level shell.
- Microsoft assigned CVE-2026-45585 to YellowKey and issued mitigation guidance, with TPM+PIN configurations confirmed as not vulnerable.
- The YellowKey PoC targets Windows 11, Windows Server 2022, and Windows Server 2025, requiring only brief physical access and a USB device.
- GreenPlasma demonstrates privilege escalation through Windows object manager behavior, including arbitrary section object placement in protected namespaces.
- MiniPlasma targets a race condition in cldflt.sys to achieve local privilege escalation to SYSTEM through Cloud Files and scheduled-task abuse.
- The report emphasizes that detection should correlate filesystem, recovery-environment, registry, and process telemetry rather than depend on traditional malware artifacts.
MITRE Techniques
- [T1542.003 ] Pre-OS Boot: Bootkit – YellowKey abuses WinRE early-boot behavior through the BootExecute value to run autofstx.exe and replay staged TxF data during initialization. [‘Microsoft confirmed the central role of this component, attributing the vulnerability to the execution of autofstx.exe via the BootExecute registry value within the WinRE environment.’]
- [T1112 ] Modify Registry – MiniPlasma modifies registry paths and replaces a key with a symbolic link to redirect access. [‘Create or modify CloudFiles policy path… Replace key with symbolic link… Modify environment variable: windir → attacker-controlled directory’]
- [T1134.001 ] Access Token Manipulation: Token Impersonation/Theft – MiniPlasma duplicates a SYSTEM token and assigns it to the current user session to obtain an interactive SYSTEM shell. [‘Duplicate SYSTEM token… Assign token to current user session… Interactive SYSTEM-level shell in user session’]
- [T1068 ] Exploitation for Privilege Escalation – MiniPlasma exploits a race condition in cldflt.sys to elevate privileges to SYSTEM; GreenPlasma escalates privileges through Windows object manager behavior, using object manager symbolic links and CTF-related namespaces to redirect trusted paths and place attacker-controlled section objects in protected locations. [‘targets a race condition in cldflt.sys… to achieve local privilege escalation to SYSTEM’; ‘leveraging object manager symbolic links and interactions with CTF-related namespaces, allowing controlled redirection of trusted paths.’]
- [T1129 ] Shared Modules – MiniPlasma loads cldapi.dll and calls its CfAbortOperation export to interrupt in-progress hydration operations as part of the race-condition trigger. [‘It uses the CfAbortOperation API, exposed via cldapi.dll, to interrupt in-progress hydration operations.’]
- [T1003 ] OS Credential Dumping – The report notes post-exploitation access to SAM, SECURITY, and LSA secrets as likely follow-on activity after SYSTEM compromise. [‘SAM hive extraction… SECURITY hive extraction… LSA secrets retrieval’]
- [T1074 ] Data Staged – YellowKey stages payload data on removable media or the EFI System Partition for later replay by WinRE. [‘Vector A: USB Drive… Vector B: EFI System Partition (ESP)’]
- [T1204 ] User Execution – MiniPlasma requires execution of the exploit binary to begin the staged race-condition sequence. [‘does not rely on any user interaction beyond execution of the exploit binary’]
- [T1547.001 ] Registry Run Keys / Startup Folder – The report identifies registry run keys as a potential post-exploitation persistence method. [‘Persistence… Registry run keys’]
- [T1053.005 ] Scheduled Task – MiniPlasma triggers the Windows Error Reporting QueueReporting scheduled task to execute attacker-controlled wermgr.exe under SYSTEM. [‘Trigger scheduled task: \Microsoft\Windows\Windows Error Reporting\QueueReporting’]
Indicators of Compromise
- [Registry value] YellowKey WinRE offline hive execution dependency – the BootExecute multi-string value (Control\Session Manager key of the SYSTEM hive) in the WinRE offline hive contains “autofstx.exe”, and 1 more registry-related indicator
- [Directory path] YellowKey TxF payload location – \System Volume Information\FsTx\95F62703B343F111A92A005056975458, \System Volume Information\FsTx\{Resource-Manager-GUID}
- [GUID] YellowKey payload and TxF artifacts – {0327F695-43B3-11F1-A92A-005056975458} and its 32-hex-digit on-disk form 95F62703B343F111A92A005056975458 (the first three GUID fields are stored little-endian, so both strings denote the same identifier)
- [File path] YellowKey CLFS log artifacts – the CLFS base log files FsTxLog.blf and FsTxKtmLog.blf in the staged FsTx log directory, plus their container files
- [UTF-16LE string] YellowKey direct payload string references – \??\X:\Windows\System32\winpeshl.ini, \??\C:\Windows\win.ini
- [File hash] YellowKey PoC artifact – 6ac1febd94d0582c259ef5e89b1059bf307d5cddbb7bf935ef23b9700f8e2067
- [Event ID] YellowKey WinRE activity – System log Event ID 1074 (User32 shutdown/restart) attributed to winre.exe, and an unscheduled, short-duration recovery-environment session
- [GUID MAC suffix] YellowKey forensic marker – 005056975458: the GUID is version 1 (time-based), so its final field is the MAC address of the host that generated it, and the 00:50:56 prefix is the VMware OUI, consistent with the PoC artifacts having been produced on a VMware virtual machine
- [Registry path] MiniPlasma symbolic-link target path – HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\CloudFiles\BlockedApps, \Registry\User\.DEFAULT\Volatile Environment
- [Named pipe] MiniPlasma PoC artifact – MiniPlasmaWERPipe
- [File name] MiniPlasma execution pivot – wermgr.exe executed from a non-standard path, and 1 more task-related artifact
- [API name] MiniPlasma exploit behavior – CfAbortOperation invoked by a non-OneDrive process, cldapi.dll
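The report's detection guidance is that these indicators should be correlated across filesystem, recovery-environment, registry and process telemetry rather than alerted on singly. The Python script below is an added example, not code from the LevelBlue SpiderLabs report or from the PoCs: it encodes the indicators above as rules over a normalised telemetry schema whose field names (source, host, path, name, value, kind, image, api, event_id, volume_type) are assumed, runs them over constructed sample records, and reports a host only when two or more independent indicators for the same tool family fire. It also shows that the two GUID strings in the indicator list are one version-1 GUID (the FsTx directory name is its little-endian on-disk byte order) and extracts the embedded MAC node to test for the VMware OUI. The correlation logic is general; the page itself describes only the individual artefacts.

```python
"""Correlate YellowKey and MiniPlasma indicators across telemetry sources.

Added example, not code from the LevelBlue SpiderLabs report or the PoCs.
Record keys ('source', 'host', 'path', 'name', 'value', 'kind', 'image',
'api', 'event_id', 'volume_type') are an assumed normalised schema, and
TELEMETRY is constructed sample data.
"""
import re
import uuid
from collections import defaultdict
from typing import Callable

# --- YellowKey GUID artefacts ------------------------------------------------

def guid_on_disk_hex(guid_text: str) -> str:
    """Render a GUID as its 32-hex-digit on-disk form: the first three fields
    are stored little-endian, which is why {0327F695-43B3-11F1-...} appears
    as 95F62703B343F111... in the FsTx directory name."""
    return uuid.UUID(guid_text).bytes_le.hex().upper()

def guid_node_info(guid_text: str) -> dict:
    """For a version-1 (time-based) GUID the last field is the generating
    host's MAC address; a 00:50:56 OUI means a VMware virtual NIC."""
    g = uuid.UUID(guid_text)
    node = f"{g.node:012X}"
    return {
        "version": g.version,
        "node": node,
        "oui": ":".join(node[i:i + 2] for i in (0, 2, 4)),
        "vmware": node.startswith("005056"),
    }

# --- detection rules ---------------------------------------------------------

FSTX_DIR = re.compile(r"System Volume Information\\FsTx\\[0-9A-F]{32}", re.I)
CLOUDFILES_KEY = re.compile(
    r"\\\.DEFAULT\\Software\\Policies\\Microsoft\\CloudFiles\\BlockedApps$", re.I)
WERMGR_EXPECTED = re.compile(r"^[A-Z]:\\Windows\\System32\\wermgr\.exe$", re.I)

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _values(rec: dict) -> list:
    # BootExecute is REG_MULTI_SZ; accept a single string too.
    v = rec.get("value") or []
    return [v] if isinstance(v, str) else list(v)

Rule = tuple[str, str, Callable[[dict], bool]]
RULES: list[Rule] = [
    ("YellowKey", "bootexecute_autofstx", lambda r: r["source"] == "registry"
        and r.get("name", "").lower() == "bootexecute"
        and any("autofstx.exe" in v.lower() for v in _values(r))),
    ("YellowKey", "fstx_payload_dir", lambda r: r["source"] == "file"
        and r.get("volume_type") in ("removable", "esp")
        and bool(FSTX_DIR.search(r["path"]))),
    ("YellowKey", "winre_reboot_1074", lambda r: r["source"] == "event"
        and r.get("event_id") == 1074 and _base(r.get("image", "")) == "winre.exe"),
    ("MiniPlasma", "cloudfiles_reg_symlink", lambda r: r["source"] == "registry"
        and r.get("kind") == "symlink" and bool(CLOUDFILES_KEY.search(r["path"]))),
    ("MiniPlasma", "wermgr_nonstandard_path", lambda r: r["source"] == "process"
        and _base(r["image"]) == "wermgr.exe" and not WERMGR_EXPECTED.match(r["image"])),
    ("MiniPlasma", "cfabortoperation_non_onedrive", lambda r: r["source"] == "api"
        and r.get("api") == "CfAbortOperation" and _base(r["image"]) != "onedrive.exe"),
    ("MiniPlasma", "poc_named_pipe", lambda r: r["source"] == "pipe"
        and r.get("name") == "MiniPlasmaWERPipe"),
]

def correlate(records: list, min_signals: int = 2) -> dict:
    """Per host, report a family only when at least min_signals distinct
    indicators fire; a lone wermgr.exe or CfAbortOperation call is too noisy."""
    hits = defaultdict(lambda: defaultdict(set))
    for rec in records:
        for family, signal, pred in RULES:
            if pred(rec):
                hits[rec["host"]][family].add(signal)
    findings = {}
    for host, fams in hits.items():
        strong = {f: sorted(s) for f, s in fams.items() if len(s) >= min_signals}
        if strong:
            findings[host] = strong
    return findings

TELEMETRY = [  # constructed sample records, not real collection data
    {"host": "ws01", "source": "registry", "kind": "value",
     "path": r"SYSTEM\ControlSet001\Control\Session Manager",  # WinRE offline hive (assumed collector)
     "name": "BootExecute", "value": ["autocheck autochk *", "autofstx.exe"]},
    {"host": "ws01", "source": "file", "volume_type": "removable",
     "path": r"E:\System Volume Information\FsTx\95F62703B343F111A92A005056975458"},
    {"host": "ws01", "source": "event", "event_id": 1074, "image": "winre.exe"},
    {"host": "ws02", "source": "registry", "kind": "symlink",
     "path": r"HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\CloudFiles\BlockedApps"},
    {"host": "ws02", "source": "process", "image": r"C:\Users\bob\AppData\Local\Temp\wermgr.exe"},
    {"host": "ws02", "source": "api", "api": "CfAbortOperation", "image": r"C:\Users\bob\mp.exe"},
    {"host": "ws02", "source": "pipe", "name": "MiniPlasmaWERPipe"},
    {"host": "ws03", "source": "process", "image": r"C:\Windows\System32\wermgr.exe"},
    {"host": "ws03", "source": "api", "api": "CfAbortOperation",
     "image": r"C:\Users\amy\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"host": "ws03", "source": "event", "event_id": 1074, "image": r"C:\Windows\System32\wininit.exe"},
]

if __name__ == "__main__":
    print(guid_on_disk_hex("{0327F695-43B3-11F1-A92A-005056975458}"), guid_node_info("{0327F695-43B3-11F1-A92A-005056975458}"))
    for host, fams in correlate(TELEMETRY).items():
        print(host, fams)
```

Host ws03 carries the benign counterparts of two MiniPlasma signals (wermgr.exe from System32, CfAbortOperation from OneDrive.exe) plus a normal 1074 restart, and produces no finding; raising min_signals to 4 keeps only the host with the full MiniPlasma chain.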