Three Cracks in Windows Defender: What BlueHammer, RedSun, and UnDefend Mean for You

news Apr 22, 2026

Earlier this April, a security researcher going by Nightmare-Eclipse (also known as Chaotic Eclipse) dropped three zero-day exploits targeting Microsoft Defender on GitHub. The release followed what the researcher described as a frustrating exchange with Microsoft's Security Response Center over disclosure. Two of the three are still unpatched as of this writing, and Huntress is already seeing them used against real organizations.

If you run Windows endpoints, this one matters. Let's walk through what each tool does at a high level and what you should be watching for.

BlueHammer: Defender updates against themselves

BlueHammer, tracked as CVE-2026-33825, was the first of the three. It targets Defender's signature update workflow, which is the part of Defender that routinely pulls new definition files from Microsoft and applies them with SYSTEM-level privileges.

The short version is that the exploit waits for a legitimate definition update, then slips in between the moment Defender checks where the file is and the moment Defender actually reads it. That gap is a classic TOCTOU race condition (Time-of-Check to Time-of-Use). The attacker uses it to redirect Defender's privileged read toward the SAM hive, which is the Windows database that stores local account password hashes. Defender ends up copying the SAM to a location the attacker can read. From there, hashes get pulled and the attacker works toward SYSTEM.

The technique is clever but fragile. Independent testing from Will Dormann at Tharros confirmed it works, but also showed the final stage can fail depending on local account state. On Windows Server, it often only reaches elevated admin instead of full SYSTEM.

Microsoft patched BlueHammer in the April 2026 Patch Tuesday release. If you have applied April updates, you are covered for this one.

RedSun: Weaponizing Defender's own file remediation

RedSun came out about two weeks later. Same researcher, new attack surface.

This one abuses a logic flaw in how Defender handles cloud-tagged files. When Defender sees a malicious file with a cloud tag, instead of just quarantining it, it rewrites the file back to its original location. RedSun uses that behavior plus an opportunistic lock and some NTFS junction tricks to redirect the write path. Defender ends up overwriting a real system binary in C:\Windows\System32 with SYSTEM-level privileges. Once that binary runs, the attacker has SYSTEM.

The reliability on this one is the scary part. Will Dormann tested it against fully patched Windows 10, Windows 11, and Windows Server 2019 and later. It worked at close to 100 percent. Any Windows system with Defender enabled and the cldapi.dll component present is potentially exposed.

RedSun carries a CVSS score of 7.8 and sits under the Privilege Escalation tactic in MITRE ATT&CK. There is no patch yet. The full proof of concept has not been released publicly, but the methodology has been documented on GitHub, which is enough to put motivated attackers in business.

UnDefend: Slowly turning Defender off

UnDefend gets less ink than the other two, but it fits the theme. Rather than escalating privileges, it goes after Defender's update mechanism to progressively degrade its protective capabilities over time. Think of it as a slow-acting way to make an endpoint less and less able to defend itself, without tripping the kind of alarms that a hard disable would.

Huntress has seen it in the wild. In at least one incident, they caught a binary called Undef.exe running with a "-agressive" argument (yes, misspelled) as a child process of cmd.exe under Explorer.EXE. ThreatOps flagged it at high severity. Like RedSun, there is no patch as of this writing.

What attackers are actually doing with these

The field telemetry from Huntress is worth paying attention to. The binaries are being staged in predictable, low-privilege locations, such as the user's Pictures folder and two-letter subfolders inside Downloads. File names are pulled straight from the public repos (FunnyApp.exe, RedSun.exe) or renamed to something forgettable like z.exe.

More importantly, the activity around these exploits looks like hands-on-keyboard intrusions, not automated smash-and-grab. Huntress has observed operators running commands like:

  • whoami /priv to enumerate current privileges
  • cmdkey /list to see what credentials are stored
  • net group to map out Active Directory groups

That pattern tells you a skilled attacker is doing reconnaissance before pulling the trigger. These are not opportunistic drive-bys.

What you should do right now

If you are running Windows endpoints, here is a practical checklist.

First, apply April 2026 Windows security updates if you have not already. That kills BlueHammer.

Second, for the two exploits without patches, focus on detection and reducing your attack surface:

  • Monitor for unsigned executables showing up in user-writable directories, especially Pictures and odd subfolders of Downloads.
  • Alert when a non-administrative process drops an EICAR test file. That is a tell for RedSun.
  • Hunt for the recon command chain (whoami /priv, cmdkey /list, net group) in your endpoint telemetry.
  • Watch for symbolic link creation and reparse point activity inside Defender's own directories, particularly C:\ProgramData\Microsoft\Windows Defender\Definition Updates.
  • Enforce least privilege on local accounts. Disable or restrict unused local admin accounts. That alone breaks part of the BlueHammer post-exploitation chain and generally makes life harder for this class of attack.
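The first three hunts in that list can be turned into a small detection pass over process-creation telemetry. This is an added example written for this post, not Huntress's or Microsoft's detection logic; the events are constructed Sysmon-style records, and the field names, the 600-second window and the staging-path pattern are assumptions:

```python
import re

# Constructed Sysmon-style process creation events (sample data, not telemetry
# from the Huntress incidents the post describes). "ts" is seconds since epoch.
SAMPLE_EVENTS = [
    {"ts": 1000, "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\Pictures\z.exe",
     "cmdline": "z.exe", "signed": False},
    {"ts": 1030, "user": "CORP\\jdoe", "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami /priv", "signed": True},
    {"ts": 1045, "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmdkey.exe",
     "cmdline": "cmdkey /list", "signed": True},
    {"ts": 1090, "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net group", "signed": True},
    {"ts": 1100, "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\Downloads\ab\FunnyApp.exe",
     "cmdline": "FunnyApp.exe", "signed": False},
    {"ts": 1200, "user": "CORP\\alice", "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami /priv", "signed": True},
    {"ts": 1300, "user": "CORP\\alice", "image": r"C:\Program Files\Acme\acme.exe",
     "cmdline": "acme.exe", "signed": True},
]

# Staging locations called out in the post: a user's Pictures folder, or a
# two-letter subfolder directly under Downloads (assumed pattern).
STAGING_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(Pictures|Downloads\\[A-Za-z]{2})\\[^\\]+\.exe$",
    re.IGNORECASE,
)

# The recon chain observed alongside the exploits.
RECON_CMDS = ("whoami /priv", "cmdkey /list", "net group")

def staged_unsigned_binaries(events):
    """Return image paths of unsigned executables launched from staging dirs."""
    return [e["image"] for e in events
            if not e["signed"] and STAGING_RE.match(e["image"])]

def recon_chains(events, window=600):
    """Return users who ran all three recon commands within `window` seconds."""
    hits, by_user = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            # Normalise whitespace/case so "net  group /domain" still matches.
            seen = {" ".join(e["cmdline"].lower().split())
                    for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if all(any(s.startswith(c) for s in seen) for c in RECON_CMDS):
                hits.append(user)
                break
    return hits
```

A user who runs only one of the three commands (alice above) is not flagged; the chain as a whole is the signal, which keeps the rule quiet on routine admin work.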

The bigger picture

What bothers me about this trio is not any single exploit. It is the pattern. Three independent attack vectors in the same product from the same researcher in two weeks suggests Defender's trust boundaries around its own privileged operations need serious rethinking. When your antivirus can be tricked into handing over SAM or overwriting its own system binaries, the problem is architectural.

It is also worth paying attention to the disclosure dynamic here. Nightmare-Eclipse went public because they felt MSRC was not responsive. You can argue whether that was the right call, but it keeps happening, and vendors who do not move fast enough will keep losing the option of coordinated disclosure. That is worth a blog post on its own.

In Summary

BlueHammer, RedSun, and UnDefend are three separate ways to undermine Windows Defender, all published within a couple of weeks by the same researcher. BlueHammer is patched, RedSun and UnDefend are not, and real attackers are already using all three. Patch what you can, hunt for the indicators above, and tighten up local admin accounts. And if you are a defender relying heavily on Defender alone, this is a good reminder that no single control is ever enough.