Flash Briefing (critical): Critical Infrastructure, Finance, Healthcare, Communications

Nightmare-Eclipse: Six Windows Zero-Days Released in Six Weeks, Three Now Weaponised in Live Attacks

A threat actor operating as Nightmare-Eclipse has publicly released working exploit code for six unpatched Windows vulnerabilities since early April 2026. Three — BlueHammer, RedSun, and UnDefend — are now confirmed active in attacks linked to Russian-geolocated infrastructure, according to Huntress SOC telemetry. The remaining three (YellowKey, GreenPlasma, MiniPlasma) have been independently verified as effective against fully patched Windows 11 systems.

The Exploit Suite

The six exploits cover two distinct attack surfaces.

Defender bypass and weaponisation: BlueHammer and RedSun exploit vulnerabilities in Microsoft Malware Protection Engine to turn Defender into an instrument of attack rather than defence — abusing its privileged kernel access against the user it is meant to protect. UnDefend takes a subtler approach, progressively corrupting Defender’s scan engine state to degrade its detection accuracy over time, creating a reliable window for secondary payloads to operate without triggering alerts.

Privilege escalation: YellowKey targets Windows BitLocker’s recovery environment. GreenPlasma abuses a kernel-level flaw for SYSTEM access on standard user sessions. MiniPlasma — published to GitHub on 13 May 2026 — exploits a vulnerability the actor claims Microsoft patched and then silently rolled back. Independent researchers have confirmed the proof-of-concept produces SYSTEM-level access on current Windows 11 builds.

Who Is Exploiting These

Nightmare-Eclipse is assessed as an individual researcher, not a state actor. The motivation is explicit: a personal grievance over what they describe as Microsoft’s inadequate handling of a prior vulnerability report. By releasing fully functional exploit code publicly, they have effectively handed the toolkit to criminal groups — a deliberate choice, not an oversight.

The active exploitation observed via Huntress telemetry is linked to Russian-geolocated infrastructure. This reflects criminal actors (likely ransomware affiliates or initial access brokers) incorporating the public exploits into their tooling, not Russian state direction. The geography of hosting is common across Eastern European cybercriminal infrastructure and does not imply government involvement.

The Escalation Risk

The actor’s stated intentions represent a meaningful step up in severity. Posts on their blog and GitHub include explicit threats to release remote code execution exploits next, alongside a specific promise of “a big surprise” for June 2026 Patch Tuesday. If that promise is kept, organisations face a period of unpatched pre-authentication RCE exposure on Windows endpoints — a qualitatively worse position than the current privilege escalation risk.

Sector Exposure

Every organisation running Windows endpoints faces privilege escalation exposure. Organisations relying on Microsoft Defender as primary endpoint protection face compounded risk from BlueHammer, RedSun, and UnDefend. Sectors with high concentrations of Windows-based operational interfaces — finance, healthcare, and industrial control system terminals — should treat this situation as elevated risk until June Patch Tuesday passes.

This week:

  • Confirm Defender is fully updated with all May patches applied across the estate, including any out-of-band updates for CVE-2026-41091
  • Check EDR telemetry for BlueHammer, RedSun, and UnDefend indicators. Huntress and multiple threat intelligence providers have published detection logic
  • Enable Defender Tamper Protection on all endpoints to resist UnDefend-style degradation
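A local posture check for the first and third items above (Defender update state and Tamper Protection), written as an added example for this briefing rather than detection logic from Huntress or Microsoft. The KB number for the CVE-2026-41091 out-of-band update and the minimum engine version are not given on this page and are left as placeholders to fill in from the vendor advisory.

```powershell
# Added example: report Defender posture against the "this week" checklist.
# Placeholders below are assumptions; take the real values from the Microsoft advisory.
param(
    [string]$RequiredKb       = 'KB-PLACEHOLDER-REPLACE-ME',  # out-of-band update for CVE-2026-41091
    [string]$MinEngineVersion = '0.0.0.0',                    # engine version shipped with the May update
    [int]$MaxSignatureAgeDays = 1
)

function Test-DefenderPosture {
    param([string]$RequiredKb, [string]$MinEngineVersion, [int]$MaxSignatureAgeDays)

    $status = Get-MpComputerStatus                                   # built-in Defender cmdlet
    $hotfix = Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue
    $hotfixDetail = if ($hotfix) { "InstalledOn=$($hotfix.InstalledOn)" } else { 'not found via Get-HotFix' }
    $engineOk = $false
    try { $engineOk = ([version]$status.AMEngineVersion -ge [version]$MinEngineVersion) } catch { }

    # One row per control; Pass is what a fleet-wide rollup should key on.
    @(
        [pscustomobject]@{ Check = 'Tamper Protection enabled'; Pass = [bool]$status.IsTamperProtected;
            Detail = "IsTamperProtected=$($status.IsTamperProtected)" }
        [pscustomobject]@{ Check = 'Real-time protection on'; Pass = [bool]$status.RealTimeProtectionEnabled;
            Detail = "RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled)" }
        [pscustomobject]@{ Check = "Signatures no older than $MaxSignatureAgeDays day(s)";
            Pass = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays);
            Detail = "Age=$($status.AntivirusSignatureAge) Version=$($status.AntivirusSignatureVersion)" }
        [pscustomobject]@{ Check = "Engine at or above $MinEngineVersion"; Pass = $engineOk;
            Detail = "AMEngineVersion=$($status.AMEngineVersion) AMProductVersion=$($status.AMProductVersion)" }
        [pscustomobject]@{ Check = "Update $RequiredKb installed"; Pass = ($null -ne $hotfix);
            Detail = $hotfixDetail }
    )
}

$results = Test-DefenderPosture -RequiredKb $RequiredKb -MinEngineVersion $MinEngineVersion `
                                -MaxSignatureAgeDays $MaxSignatureAgeDays
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    # Tamper Protection cannot be switched on with Set-MpPreference; it is set in the
    # Windows Security app or centrally through Intune / Defender for Endpoint.
    Write-Warning "$($failed.Count) check(s) failed on $env:COMPUTERNAME"
    exit 1
}
```

Run it across the estate with `Invoke-Command -ComputerName <hosts> -FilePath .\Test-DefenderPosture.ps1` and roll up the rows where `Pass` is false.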

Before June Patch Tuesday:

  • Avoid sole reliance on Defender for endpoint detection. Add a behavioural EDR with an independent scanning engine if not already deployed
  • Restrict standard user accounts from executing unsigned binaries in user-writable paths — this limits the privilege escalation surface
  • Follow Nightmare-Eclipse’s GitHub directly. The actor has consistently published code before attacks begin, giving a short but real warning window

The broader pattern here matters beyond this specific campaign. A single motivated individual generating confirmed zero-days faster than a major vendor can patch them is a structural problem with no clean near-term fix. For June, expect a difficult Patch Tuesday.