Three Public Exploits Weaponize Microsoft Defender Against Its Own Users
Threat actors are using three publicly available proof-of-concept exploits—BlueHammer, RedSun, and UnDefend—to turn Microsoft Defender's cleanup functions into attack vectors, granting SYSTEM-level access and degrading threat detection.

Threat actors are actively weaponizing three publicly available proof-of-concept exploits that turn Microsoft Defender's own cleanup and protection functions against the organizations it is meant to defend. The exploits—dubbed BlueHammer, RedSun, and UnDefend—were released by a researcher using the moniker Nightmare-Eclipse after allegedly failing to receive a proper response from Microsoft during disclosure. Two of the exploits enable SYSTEM-level privilege escalation on vulnerable systems, while the third quietly degrades Defender's ability to detect new threats over time.
BlueHammer exploits CVE-2026-33825, a time-of-check to time-of-use (TOCTOU) race condition in Windows Defender's signature update workflow. According to security vendor Vectra.ai, when Defender detects a suspicious file and decides to rewrite it, an attacker can win a race condition that redirects that rewrite to a location of their choosing. This grants SYSTEM-level access without requiring a kernel exploit or memory corruption—simply by abusing how Defender interacts with the file system during remediation. Microsoft patched this flaw in its April 2026 security update.
RedSun operates similarly but targets TieringEngineService.exe, a Defender background process responsible for classifying and prioritizing detected files and threats. To trigger the vulnerability, an attacker only needs to use an embedded EICAR test string—a standard tool many security teams use to safely verify antivirus detection. When Defender detects the test string, it initiates a remediation cycle, and RedSun wins the race to redirect the resulting file rewrite. The Cloud Files Infrastructure then executes the attacker-planted binary as SYSTEM. RedSun works against fully patched Windows 10, Windows 11, Windows Server 2019, and later systems, including those with the latest Patch Tuesday updates.
UnDefend is a post-exploitation tool that attackers deploy after gaining SYSTEM access via BlueHammer or RedSun. By spawning it as a child of cmd.exe under Explorer and running it with the `-aggressive` flag, attackers can starve Defender of current threat intelligence without triggering the kind of hard failure that would generate an obvious alert. This allows the exploit to progressively degrade Defender's ability to detect new threats while remaining under the radar.
Researchers at Huntress Labs have observed what appears to be targeted attack activity involving all three exploits. Their analysis suggests attackers are using the exploits in deliberate, hands-on intrusions, manually running privilege enumeration commands before attempting exploitation. Huntress found attackers staging binaries in low-noise user directories such as Pictures folders and two-letter subfolders inside Downloads, using both original filenames and renamed variants designed to evade detection. The renamed binaries significantly reduced detection rates on VirusTotal.
"Recent activity shows BlueHammer, RedSun, and UnDefend are now being used with minimal modification," says Hüseyin Can Yüceel, security research lead at Picus Security. "Binaries are being staged in low-privilege user directories such as Downloads and Pictures, often reusing original proof-of-concept filenames or lightly obfuscated variants like renamed executables." The attacks reflect low complexity but effective tradecraft, where moderately skilled adversaries are leveraging public exploit code in post-compromise scenarios to escalate privileges or weaken endpoint defenses. While all three PoCs target Defender, the patch for CVE-2026-33825 does not protect the broader attack surface exposed by the other two techniques.
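The staging and process-tree behaviours reported above (binaries dropped in Pictures folders or two-letter subfolders under Downloads, original or lightly renamed PoC filenames, and UnDefend launched with `-aggressive` as a child of cmd.exe under Explorer) can be turned into endpoint detection logic. The following is an added example written for this page, not code from the article, Huntress, Picus or Vectra. It runs over constructed process-creation events in a simplified Sysmon-like shape; the field names (`image`, `command_line`, `parent_chain`) are assumptions, not any product's schema, and the assumption that the public PoC binaries carry the tool names in their filenames is a placeholder to be replaced with whatever names and hashes your team tracks.

```python
"""Heuristic detection for the staging and UnDefend patterns described in the article.

Hypothetical example code, not from the article or the vendors quoted in it.
Input is a list of constructed process-creation records; field names are
assumptions rather than any vendor's event schema.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List

# Assumption: the original PoC binaries are named after the tools. Replace with
# the filenames/hashes your own intel tracks; renamed variants will not match this.
POC_NAME_TOKENS = ("bluehammer", "redsun", "undefend")


@dataclass
class ProcessEvent:
    image: str                                   # full path of the started executable
    command_line: str                            # command line as logged
    parent_chain: List[str] = field(default_factory=list)  # nearest parent first


def staged_in_low_noise_dir(image: str) -> bool:
    """True if the binary runs from a user's Pictures tree or from a two-letter
    subfolder directly under Downloads (the staging pattern Huntress reported)."""
    parts = [part.lower() for part in PureWindowsPath(image).parts]
    try:
        users_idx = parts.index("users")         # expect <drive>\Users\<name>\<folder>\...
    except ValueError:
        return False
    if len(parts) < users_idx + 4:               # need users, <name>, <folder>, <file>
        return False
    profile_folder = parts[users_idx + 2]
    if profile_folder == "pictures":
        return True
    if profile_folder == "downloads":
        sub = parts[users_idx + 3]
        # a file one level down, inside a two-letter subfolder such as Downloads\ab\
        return len(parts) >= users_idx + 5 and len(sub) == 2 and sub.isalpha()
    return False


def names_poc_tool(image: str) -> bool:
    """True if the filename stem contains one of the (assumed) PoC tool names."""
    stem = PureWindowsPath(image).stem.lower()
    return any(token in stem for token in POC_NAME_TOKENS)


def undefend_process_chain(ev: ProcessEvent) -> bool:
    """True for a process started with the -aggressive flag as a child of cmd.exe
    that itself runs under explorer.exe, the launch chain described for UnDefend."""
    tokens = ev.command_line.lower().split()
    if "-aggressive" not in tokens[1:]:
        return False
    chain = [PureWindowsPath(p).name.lower() for p in ev.parent_chain]
    return len(chain) >= 2 and chain[0] == "cmd.exe" and chain[1] == "explorer.exe"


def assess(ev: ProcessEvent) -> Dict[str, object]:
    """Return the matched heuristics for one event; any match flags it for review."""
    reasons = []
    if staged_in_low_noise_dir(ev.image):
        reasons.append("staged-in-low-noise-dir")
    if names_poc_tool(ev.image):
        reasons.append("poc-filename")
    if undefend_process_chain(ev):
        reasons.append("undefend-process-chain")
    return {"image": ev.image, "reasons": reasons, "flagged": bool(reasons)}


# Constructed sample events (not real telemetry) covering each heuristic.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\alice\Pictures\BlueHammer.exe", "BlueHammer.exe",
                 ["cmd.exe", "explorer.exe"]),
    ProcessEvent(r"C:\Users\alice\Downloads\ab\svc.exe", "svc.exe",
                 ["cmd.exe", "explorer.exe"]),
    ProcessEvent(r"C:\Users\alice\Downloads\upd.exe", "upd.exe -aggressive",
                 ["cmd.exe", "explorer.exe"]),
    ProcessEvent(r"C:\Program Files\Vendor\tool.exe", "tool.exe -aggressive",
                 ["services.exe"]),                   # same flag, benign parent: no match
    ProcessEvent(r"C:\Users\alice\Downloads\setup.exe", "setup.exe /S",
                 ["explorer.exe"]),                   # ordinary download: no match
]

if __name__ == "__main__":
    for result in map(assess, SAMPLE_EVENTS):
        print(result)
```

The path heuristic is deliberately narrow (Pictures, or exactly a two-letter folder directly under Downloads) so that ordinary installers in Downloads do not fire; tune it to the staging paths your own telemetry shows, and treat the `-aggressive` check as one weak signal that becomes meaningful only in combination with the cmd.exe-under-explorer.exe chain.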
Justin Howe, senior solutions architect at Vectra, describes RedSun and UnDefend as exploiting separate, independent flaws in Defender for which there are no CVEs yet. Each of Nightmare-Eclipse's exploits abuses different aspects of how Microsoft Defender performs privileged file operations without validating its own I/O paths at the moment of execution. "Together, they highlight systemic issues around path validation, race conditions, and over-trust in privileged file handling," Yüceel notes. The exploits require an attacker to have local access, but once that is achieved, even a moderately skilled adversary can reliably achieve privilege escalation or weaken defenses—turning Microsoft's own security tool into a weapon against its users.