A researcher going by "Nightmare Eclipse" tried to disclose a privilege escalation bug in Windows Defender to Microsoft. According to them, the process went badly. They claim Microsoft threatened them and dismissed the report. So, on April 3, they published the BlueHammer exploit on GitHub. Then, on April 16, they dropped two more: RedSun and UnDefend.

By April 17, Huntress confirmed that all three were being used in the wild by real attackers against real targets.

The attack chain they observed: stolen VPN credentials for initial access, then UnDefend to block Defender's signature updates, then RedSun for privilege escalation to SYSTEM. After that, the attacker moves laterally through the network while Defender, cut off from new signatures, is essentially blind to what follows.
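A quick triage check for the first step of that chain (Defender no longer pulling signatures). This is an added example, not code from the post, from Huntress, or from the exploit authors; it uses only the documented Defender cmdlets Get-MpComputerStatus and Update-MpSignature plus the Defender operational event log. The two-day age threshold and the 24-hour lookback are assumptions to tune for your own update cadence.

```powershell
# Added example: triage a host for the "Defender signature updates blocked" condition.
# Assumptions: a 2-day signature age is abnormal for your fleet; 24 hours of
# Defender event history is enough to spot a failed update on this host.
$maxAgeDays   = 2
$lookback     = (Get-Date).AddHours(-24)

$status   = Get-MpComputerStatus
$findings = @()

# Service and real-time protection state (UnDefend-style interference, or any
# other tampering, tends to show up here first).
if (-not $status.AMServiceEnabled)          { $findings += 'Defender AM service is not enabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }

# Signature freshness: the post's attack chain depends on updates being blocked.
if ($status.AntivirusSignatureAge -gt $maxAgeDays) {
    $findings += ('AV signatures are {0} days old (last updated {1}, version {2})' -f
        $status.AntivirusSignatureAge,
        $status.AntivirusSignatureLastUpdated,
        $status.AntivirusSignatureVersion)
}

# Defender operational log: 2001 = security intelligence update failed,
# 2003 = engine update failed, 5001 = real-time protection disabled.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001, 2003, 5001
    StartTime = $lookback
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $findings += ('Event {0} at {1}: {2}' -f $e.Id, $e.TimeCreated, ($e.Message -split "`n")[0])
}

if ($findings.Count -eq 0) {
    Write-Output 'Defender state and signature age look normal.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }

    # Force a signature pull. A failure here on a host that otherwise reaches
    # the internet (or your WSUS/MDE update source) is worth escalating.
    try {
        Update-MpSignature -ErrorAction Stop
        Write-Output ('Signature update succeeded; now at version {0}' -f
            (Get-MpComputerStatus).AntivirusSignatureVersion)
    } catch {
        Write-Warning ('Signature update failed: {0}' -f $_.Exception.Message)
    }
}
```

Run it elevated on a suspect host. A stale signature age together with a failing Update-MpSignature, on a machine that can otherwise reach its update source, is the condition to chase; a stale age alone can just be a laptop that has been offline.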

Microsoft patched BlueHammer on Patch Tuesday as CVE-2026-33825.

RedSun and UnDefend have no CVEs, no patches, and no public timeline.

It is sad to see the disclosure process break down in a way that pushes someone to post exploits out of frustration. But I get the frustration: this pattern happens because researchers keep hitting the wall when they try to do the right thing.

Reminds me of the well-known #FuckResponsibleDisclosure reports in Ukraine, when a government organization or a company simply ignores the risk, saying 'it is not a vulnerability'.

Ukraine has been through that for some time.

This week brought a massive Patch Tuesday (see first comment). 👇

What do you think of such exploit disclosures? Would you have done the same?

Follow me on Telegram for weekly CVE alerts.

Also, follow me on LinkedIn.
