
Huntress Warns of Unpatched Microsoft Defender Zero-Days Exploited in the Wild by Chaotic Eclipse Exploits

by archytele
Huntress researchers observed threat actors exploiting three Microsoft Defender zero-day vulnerabilities in the wild starting April 10, 2026, using proof-of-concept code published by a disgruntled security researcher known as Chaotic Eclipse.

The flaws — BlueHammer, RedSun, and UnDefend — all affect Windows Defender and allow attackers to gain elevated privileges or disrupt security updates. BlueHammer, the only one patched by Microsoft so far, was addressed in this week’s Patch Tuesday under CVE-2026-33825. RedSun and UnDefend remain unpatched as of April 17, 2026.

Chaotic Eclipse released the exploit code in stages over the past two weeks, citing frustration with Microsoft’s vulnerability disclosure process. In a blog post, the researcher wrote, “I was not bluffing Microsoft and I’m doing it again,” and added, “Huge thanks to MSRC leadership for making this possible,” referencing the company’s Security Response Center.

Huntress noted the attack chain began with routine enumeration commands like whoami /priv and cmdkey /list, indicating hands-on-keyboard activity rather than automated scanning. The firm isolated the affected organization to prevent further compromise but did not disclose the victim’s identity or sector.
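The enumeration commands quoted above are cheap to hunt for in process-creation telemetry. The following is an added example, not code from the article or from Huntress, of detection logic that flags a host and user pair when two or more distinct discovery commands (whoami /priv, cmdkey /list and a couple of common companions) appear within a ten-minute window. The log format, host names, users and timestamps are constructed for the demo; the only inputs taken from the article are the two command names.

```python
"""Flag clusters of hands-on-keyboard discovery commands in process-creation logs.

Added example. Records mimic Windows Security event 4688 / Sysmon event 1 fields
flattened into a pipe-delimited line: ts|host|user|parent_image|command_line.
All sample data below is constructed, not real incident data.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for the discovery commands named in the Huntress
# write-up plus two common companions. Bare "whoami" is deliberately NOT
# matched: it is far too noisy on its own, while "whoami /priv" is not.
DISCOVERY_PATTERNS = {
    "whoami_priv": re.compile(r"\bwhoami(\.exe)?\b.*\s/priv\b", re.I),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\b.*\s/list\b", re.I),
    "net_user": re.compile(r"\bnet(1)?(\.exe)?\s+user\b", re.I),
    "systeminfo": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
}
WINDOW = timedelta(minutes=10)   # how close together the commands must be
MIN_DISTINCT = 2                 # distinct discovery kinds needed to alert

# Constructed sample telemetry: WS-114 shows a tight discovery sequence,
# WS-207 is a service account running bare "whoami", and WS-301 runs two
# discovery commands hours apart (below the clustering threshold).
SAMPLE_LOG = [
    "2026-04-10T09:12:03|WS-114|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|whoami /priv",
    "2026-04-10T09:12:41|WS-114|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|cmdkey /list",
    "2026-04-10T09:13:20|WS-114|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|net user",
    "2026-04-10T11:40:00|WS-207|CORP\\svc_backup|C:\\Program Files\\Backup\\agent.exe|whoami",
    "2026-04-10T14:05:10|WS-301|CORP\\asmith|C:\\Windows\\System32\\cmd.exe|systeminfo",
    "2026-04-10T16:30:00|WS-301|CORP\\asmith|C:\\Windows\\explorer.exe|cmdkey /list",
]


def parse_line(line):
    """Split one pipe-delimited record into a dict; the command line may itself contain '|'."""
    ts, host, user, parent, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent, "cmdline": cmdline}


def classify(cmdline):
    """Return the list of discovery kinds a command line matches (empty if none)."""
    return [name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(cmdline)]


def detect(lines):
    """Return one alert per (host, user) whose discovery commands cluster within WINDOW.

    Sliding window: for each matching event, look at every matching event from
    the same host/user in the following WINDOW; alert once MIN_DISTINCT kinds
    are seen together.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        for kind in classify(rec["cmdline"]):
            events[(rec["host"], rec["user"])].append((rec["ts"], kind, rec["parent"]))

    alerts = []
    for (host, user), evs in events.items():
        evs.sort()
        for t0, _, _ in evs:
            window = [e for e in evs if t0 <= e[0] <= t0 + WINDOW]
            kinds = {e[1] for e in window}
            if len(kinds) >= MIN_DISTINCT:
                alerts.append({
                    "host": host,
                    "user": user,
                    "first_seen": t0.isoformat(),
                    "kinds": sorted(kinds),
                    "parents": sorted({e[2] for e in window}),
                })
                break  # one alert per host/user is enough for triage
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG), indent=2))
```

Run against the constructed sample, only WS-114 is raised: three distinct discovery kinds within about a minute, all spawned from cmd.exe, which is the "interactive operator" shape the article describes. The parent image is carried into the alert because a shell or Office parent is a far stronger signal than a known management agent.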

Microsoft affirmed its support for coordinated vulnerability disclosure in a statement from communications director Ben Hope, emphasizing the practice helps balance customer protection with researcher recognition. The company did not directly address whether it had engaged with Chaotic Eclipse prior to the public releases.

The researcher published all three exploits on GitHub, requiring a sign-in to access the code for BlueHammer. This barrier did not prevent weaponization, as threat actors adapted the proof-of-concept tools for real-world use within days of publication.

While BlueHammer and RedSun are classified as local privilege escalation flaws, UnDefend uniquely enables a denial-of-service condition by blocking definition updates, potentially leaving systems blind to new threats even if other defenses remain intact.

The incident reignites debate over the risks of full disclosure when vendor coordination fails, particularly when exploit code lowers the barrier for less skilled attackers to leverage high-impact flaws in widely deployed software.

Key detail: Huntress confirmed BlueHammer exploitation began April 10, 2026, six days before the public release of RedSun and UnDefend exploit code on April 16.

How Microsoft responded to the patched vulnerability

Microsoft issued a fix for BlueHammer as part of its April 2026 Patch Tuesday cycle, assigning it CVE-2026-33825. The company confirmed the update resolves the local privilege escalation flaw in Windows Defender but has not announced timelines for patches addressing RedSun or UnDefend.

Why the researcher chose public disclosure

Chaotic Eclipse stated the public release of exploit code was a direct response to perceived failures in Microsoft’s vulnerability handling process, framing the action as necessary to prove the flaws’ severity after private reporting allegedly broke down.

What makes UnDefend different from the other two flaws

Unlike BlueHammer and RedSun, which grant an attacker elevated privileges, UnDefend disrupts Windows Defender’s ability to update its threat definitions, creating a denial-of-service condition that could persist even after the initial intrusion.

Who is Chaotic Eclipse?

Chaotic Eclipse is the online alias of a security researcher who published exploit code for three Windows Defender vulnerabilities in April 2026, citing conflict with Microsoft’s disclosure process as motivation. The researcher has not been identified by real name or affiliation in public reports.

Are patches available for all three vulnerabilities?

As of April 17, 2026, only BlueHammer has a patch, released via Microsoft’s Patch Tuesday. RedSun and UnDefend remain unpatched, with no fixed timeline disclosed by Microsoft or Huntress.
