Windows Defender on maximum alert: BlueHammer patched, but RedSun and UnDefend are already being exploited

Published. 5 min read.

In recent weeks we have seen how newly disclosed Windows vulnerabilities have quickly moved from laboratory findings to active tools in attackers' arsenals. Three Microsoft Defender-related flaws, published by a researcher who goes by "Chaotic Eclipse" or "Nightmare-Eclipse", are already being exploited to escalate privileges to SYSTEM or to sabotage the antivirus protection itself, according to research and observations by incident response teams.

Context matters: the exploits that were originally leaked included proof-of-concept (PoC) code that the author published in protest at the vulnerability disclosure process with Microsoft. This publication exposed the flaws before complete patches existed for all of them, and led malicious actors to incorporate them into their campaigns. Microsoft classifies these flaws as zero-days insofar as they had no fix when they were made public; the official definition can be found in Microsoft's documentation on zero-day vulnerabilities in Defender at this link: Microsoft - Zero-day vulnerabilities.

The three vectors in question have names that already circulate in the community: BlueHammer, RedSun and UnDefend. BlueHammer was tracked as CVE-2026-33825 and Microsoft included it in its April 2026 updates, so applying that patch specifically mitigates that threat. However, the other two techniques, RedSun and UnDefend, remained without an official fix at the time the response team's observations were published, and have been used in real attacks, as reported by Huntress Labs: Huntress's post and technical monitoring.

What each exploit does and why it is worrying: UnDefend allows a standard user to block Microsoft Defender definition updates. This is not just a nuisance: cutting off engine and signature updates makes it easier for malware to pass unnoticed and for later stages of an attack to be installed without detection. RedSun, for its part, takes advantage of a specific service behaviour to overwrite files and raise privileges to SYSTEM when Defender is active; the proof of concept explains how the handling of certain files associated with cloud-tagged detections is abused to cause a write to sensitive files, thereby gaining high-level control of the system. The PoC repository is available on GitHub: GitHub - RedSun. BlueHammer is another privilege escalation technique that Microsoft fixed in the April bulletin, so its immediate risk decreases once systems are updated.

The incidents observed are not mere automated scans. Huntress documented cases in which attackers accessed devices using compromised SSL VPN credentials and, after compromising a machine, used these techniques in a "hands-on-keyboard" pattern, i.e., manual, directed activity by a human operator. This raises the danger: once an attacker has a foothold and remote control, techniques such as UnDefend serve to sustain persistence and reduce the visibility of their actions while they deploy tools that require privileges.

The debate on coordinated disclosure: part of the problem here was the dispute between the researcher who published the PoC and Microsoft over the timing and handling of the fix. Microsoft has reiterated its commitment to coordinated disclosure, investigating vulnerabilities and protecting customers before mass public disclosure; the company generally prefers to work with researchers to resolve issues before code or details become public. The researcher's early publication accelerated exposure and allowed the flaws to be used by malicious actors, which raises complex questions about responsibility, pressure from researchers and priorities in fixing critical flaws.

What organizations and users can do right now: the first and most urgent step is to verify and apply official Microsoft updates: the fix for BlueHammer came with the April 2026 updates, so installing the patches reduces exposure to that technique. But since RedSun and UnDefend were still unpatched at least at the time of the reports, security teams must assume that these vectors can be exploited and act accordingly. It is recommended to strengthen telemetry and monitoring on endpoints, paying special attention to signs of tampering with the Defender service, overwriting of system files, or changes to rules and signature updates. It is also critical to review remote access (such as SSL VPN), ensuring that multi-factor authentication, strong credentials and least-privilege access policies are in use; Huntress linked at least one case to compromised VPN credentials: Huntress's observation.
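A read-only Defender health check covering the signals listed above (service state, signature freshness, update failures, patch state), written as an added example for this article and not taken from it, from Huntress or from Microsoft. It assumes a Windows host with the Defender PowerShell module, run as administrator; the KB number of the April 2026 update is not given in the article, so it is a placeholder parameter.

```powershell
# Added example (not from the article or from Huntress/Microsoft): a read-only
# Defender health check for the signals the article recommends monitoring.
# Assumes Windows 10/11 or Server with the Defender PowerShell module, run as
# administrator so Get-MpComputerStatus and the Operational log are readable.
param(
    [int]$MaxSignatureAgeHours = 24,
    # The article does not give the KB number of the April 2026 update that
    # fixes BlueHammer (CVE-2026-33825); substitute the real one here.
    [string]$BlueHammerKb = 'KB<placeholder>'
)

$findings = @()

# 1. Defender service and engine state.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $findings += 'WinDefend service is missing or not running'
}
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine disabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection disabled' }

# 2. Signature freshness: UnDefend blocks definition updates, so stale
#    signatures on an internet-connected host are a warning sign.
$age = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($age.TotalHours -gt $MaxSignatureAgeHours) {
    $findings += ('Signatures {0} are {1:N0} h old' -f $status.AntivirusSignatureVersion, $age.TotalHours)
}

# 3. Recent Defender Operational events: 2001 = security intelligence update
#    failed; 5001 = real-time protection disabled; 5010 = scanning disabled.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001, 5001, 5010
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings += ('Event {0} at {1}: {2}' -f $e.Id, $e.TimeCreated, ($e.Message -split "`n")[0])
}

# 4. Patch state for BlueHammer (only meaningful once the KB is filled in).
if ($BlueHammerKb -ne 'KB<placeholder>' -and
    -not (Get-HotFix -Id $BlueHammerKb -ErrorAction SilentlyContinue)) {
    $findings += "Update $BlueHammerKb for CVE-2026-33825 not installed"
}

if ($findings.Count -eq 0) { 'No Defender health findings.' } else { $findings }
```

Run it on a schedule and forward non-empty output to your SIEM; a host whose signatures stop ageing normally while others in the fleet keep updating deserves a closer look.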

In addition, technical analyses and details published by trusted sources should be consulted to understand the indicators of compromise and the techniques used. BleepingComputer has covered these flaws and their PoCs extensively in detailed articles that explain the mechanics of RedSun and the other vectors; its technical notes help to prioritize detections and mitigations: BleepingComputer - RedSun and BleepingComputer - BlueHammer.

Final reflection: this series of disclosures and exploitation shows the real tension between speed of fixes and public pressure from the research community. While organizations wait for patches, attackers do not: they incorporate proofs of concept and technical evidence into their operations. For corporate security teams and home users, the lesson is twofold: keeping systems up to date reduces the risk from chained vulnerabilities, and a proactive detection and network segmentation strategy remains essential to mitigate unpatched flaws. The combination of good practices in access management, a robust patching policy and continuous visibility on endpoints is today the best defense against these evolving threats.
