Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild

A security researcher using the aliases Chaotic Eclipse and Nightmare Eclipse has released two new proof-of-concept privilege-escalation exploits for Microsoft Defender, named RedSun and UnDefend, after earlier publishing BlueHammer. Huntress has observed all three techniques used in the wild, with attackers dropping renamed exploit files into users' Pictures and Downloads folders, then mapping privileges and harvesting credentials. Microsoft may need to issue an out-of-band patch.

Key points

  • An anonymous researcher published RedSun and UnDefend PoC exploits targeting Microsoft Defender.
  • RedSun enables privilege escalation, while UnDefend can block signature updates or disable Defender during major updates.
  • Huntress confirmed BlueHammer, RedSun, and UnDefend have been leveraged in real-world attacks.
  • Attackers placed renamed exploit files in Pictures and Downloads, then mapped privileges, recovered credentials, and enumerated Active Directory.
  • BlueHammer was patched as CVE-2026-33825 on April 14, and Microsoft may need an out-of-band fix for the new exploits.

Read More: https://www.helpnetsecurity.com/2026/04/17/microsoft-defender-zero-days-exploited/