How a security tool's own cleanup routine became a zero-day path to full system control

The Context

Microsoft Defender is the built-in security software included with every copy of Windows 10 and Windows 11. It runs continuously in the background, scanning files, quarantining threats, and cleaning up malicious content. Because it needs to delete and move files that a normal user cannot touch, Defender operates with the highest possible system privilege: SYSTEM, the same level as the Windows operating system itself.

That privilege is what makes RoguePlanet dangerous. The exploit does not attack Defender's defenses. It attacks Defender's cleanup routine and redirects it to write attacker-controlled content into the most sensitive folder on the machine.

The Attack, Phase by Phase

Phase 1: The Dispute That Built the Weapon

RoguePlanet is the seventh entry in a series of zero-day exploits targeting Microsoft Defender, all published by an anonymous researcher operating under the aliases Nightmare Eclipse, Chaotic Eclipse, and most recently MSNightmare.

The campaign began in April 2026 with BlueHammer (CVE-2026-33825, CVSS 7.8), a Defender flaw Microsoft patched on April 14. The researcher alleges Microsoft deleted their bug-reporting account, withheld bounty payments, and misrepresented their work in public advisories. Microsoft's position is that no vulnerability details were submitted through proper channels before public release.

What is not disputed: three of the six earlier exploits were picked up by real-world attackers within days of publication. Huntress researchers documented live intrusion chains using BlueHammer, RedSun, and UnDefend. CISA added RedSun and UnDefend to its Known Exploited Vulnerabilities catalog before patches existed for either.

When GitHub and GitLab removed the researcher's repositories in late May 2026 and Microsoft's Digital Crimes Unit threatened criminal prosecution, the researcher promised a "bone shattering" zero-day drop on the next Patch Tuesday. Microsoft walked back the legal threat on June 1. The researcher did not walk back the promise.

Phase 2: The Hardening That Forced a Rewrite

In mid-May 2026, Microsoft quietly patched a family of internal Defender APIs (the mpengine!SysIO* group) to block the junction-based attack path that RoguePlanet originally used. That original version was a remote code execution exploit: an attacker could serve a crafted virtual disk image from a network share, Defender would automatically scan it, and the flaw would trigger remotely.

The silent patch closed that path. It did not close the underlying vulnerability class. The researcher rewrote the exploit to target a different internal path in Defender's quarantine pipeline, converting it from a remote attack to a local one. Microsoft patched one door; the researcher found another in the same building.

Phase 3: How the Exploit Works

RoguePlanet's mechanism is counterintuitive: it uses Defender's threat-removal behavior as the attack itself.

The exploit creates a fake copy of wermgr.exe (a legitimate Windows system file) and writes an EICAR signature into it — a standard string every antivirus product treats as a test threat. Defender sees it, flags the file, and prepares to clean it up.

Here is where the race condition begins. Defender checks the file path, confirms what it is going to do, then starts the privileged write operation. In the gap between that check and the actual write, the attacker needs to swap the destination. That gap is normally microseconds — too fast to win reliably.

RoguePlanet solves this with two techniques. First, it mounts a specially crafted virtual disk image and watches for Windows to register a new shadow copy device, which signals exactly when Defender's remediation clock starts. Second, it requests an oplock on the file's alternate data stream, freezing Defender's write mid-operation and turning a microsecond gamble into a controlled, deterministic window.

During that window, the exploit flips a staged directory into an NTFS junction point — a redirect that makes one folder path silently point to another location. Defender's SYSTEM-level write, aimed at a safe location, now lands in C:\Windows\System32, overwriting the real wermgr.exe with the RoguePlanet payload.

The final step: the attacker triggers the Windows Error Reporting scheduled task (QueueReporting), a built-in maintenance job that runs wermgr.exe by name. Because the real binary has been replaced, the task executes the payload instead, spawning a command prompt running as NT AUTHORITY\SYSTEM. Full system control, no kernel exploit required.

Phase 4: Disclosure Timing and the Patch Gap

RoguePlanet was published hours after Microsoft's June 10, 2026 Patch Tuesday, which addressed 206 vulnerabilities including patches for two earlier Nightmare Eclipse exploits. The timing was deliberate: defenders were already processing a record patch load when the new zero-day landed.

As of June 13, 2026, no patch, no CVE, and no Microsoft advisory exist for RoguePlanet. The researcher has threatened another release on July 14, 2026.

What Made This Possible

1. Defender's privilege is its own attack surface. Because Defender must operate as SYSTEM to remove threats normal users cannot touch, any flaw in its file-handling logic is automatically a SYSTEM-level flaw.

2. Race conditions are not fixed by patching one path. Microsoft's mid-May hardening closed the specific API family the original exploit used but did not change the underlying architecture: an always-on, SYSTEM-privileged engine that processes attacker-influenced files without holding an exclusive lock on path validation. The researcher found a different path through the same structural gap in under a month.

3. The disclosure breakdown created a production pipeline for working exploits. Three of the six earlier exploits from this campaign were adopted by real-world attackers before patches existed. The dispute did not stay between two parties; it became everyone's problem.

What Should Have Stopped This

No single control stops RoguePlanet while the underlying race condition remains unpatched. Every effective defense shares one trait: it does not depend on Defender's own integrity to function.

• Application allowlisting that validates a file's cryptographic hash before execution would block the payload from running even after wermgr.exe is replaced, regardless of what Defender did or did not catch.
• Scheduled task monitoring that alerts on manual invocations of QueueReporting outside its normal maintenance window would flag the final trigger step before the SYSTEM shell opens.
• Process lineage alerting configured to fire when any interactive shell traces back to MsMpEng.exe (Defender's main process) would catch the exploit's output. This parent-child relationship should never occur in a healthy environment.
• Restricting ISO and VHDX mounting for standard users removes the delivery mechanism this exploit chain requires. Windows 11 allows standard users to mount disk images by default; a Group Policy setting can revoke that permission.

None of these controls require a patch that does not yet exist.

The Takeaway

RoguePlanet illustrates a failure class that has appeared across multiple incidents covered in this publication. The Stryker Intune wipe showed that a privileged management tool can be turned against the organization it was built to protect. The Axios supply chain attack showed that a trusted build-time process can be redirected to deliver malicious output. RoguePlanet is the same failure at the endpoint level: the security tool itself, running with the highest privilege on the machine, becomes the delivery mechanism for full system compromise. The meta-pattern across all three: systems fail when an attacker controls the input to a process the system unconditionally trusts.

The second lesson is structural. Microsoft patched one TOCTOU path in May; the researcher found another in the same engine within weeks. Until Defender's remediation pipeline holds an exclusive, validated lock on file paths for the entire duration of a privileged write — not just at check time — the underlying race condition class remains open.

Pattern to remember: When a SYSTEM-privileged process performs file operations on attacker-influenced content without holding an exclusive path lock, the process's authority becomes the attacker's tool.

What changed: A security engine's remediation pipeline can now be redirected to overwrite trusted system binaries using only the permissions the engine already holds, with no kernel exploit required.

The Technical Mechanism

RoguePlanet exploits a Time-of-Check to Time-of-Use (TOCTOU) race condition in Microsoft Defender's quarantine and remediation pipeline. The flaw is classified under CWE-367 (Time-of-check Time-of-use Race Condition). The privileged actor is MsMpEng.exe, Defender's main scanning engine, which runs as NT AUTHORITY\SYSTEM.

Attack path:

1. The attacker writes an EICAR test string to a file named wermgr.exe in a user-writable staging directory. This triggers MsMpEng.exe to initiate remediation.
2. The exploit mounts a crafted VHDX or ISO image (locally or from a remote SMB share). Defender automatically scans the mounted volume, which feeds the remediation path.
3. The exploit monitors for a new HardDiskVolumeShadowCopy device object to time Defender's internal state, then requests an oplock on the target file's alternate data stream (ADS). The oplock suspends Defender's write operation at the point between path validation (check) and the privileged file operation (use).
4. During the oplock-held window, the exploit calls NtSetInformationFile to rename a staged directory, then uses reparse point manipulation to convert it into an NTFS mount point junction targeting \??\C:\Windows\System32. This is the TOCTOU flip: the path Defender validated now resolves to a different physical location.
5. The oplock is released. Defender's SYSTEM-level write completes, but the resolved destination is now C:\Windows\System32\wermgr.exe. The legitimate binary is overwritten with the RoguePlanet payload.
6. The attacker manually invokes the \Microsoft\Windows\Windows Error Reporting\QueueReporting scheduled task via schtasks /run. The task executes wermgr.exe by filename. The replaced binary runs as NT AUTHORITY\SYSTEM, spawning cmd.exe with full SYSTEM integrity.

The exploit resolves the following ntdll.dll APIs directly, bypassing Win32 file API wrappers to reduce static detection surface: NtSetInformationFile, NtDeleteFile, NtOpenDirectoryObject, NtQueryDirectoryObject, NtQueryInformationFile.

Reliability is hardware-dependent. The researcher reported 100% success on some configurations and near-zero on others. Because the exploit requires only standard user credentials and can be retried indefinitely, per-attempt unreliability is not a meaningful mitigation.

Defender's own signature Exploit:Win32/DfndrRugPlnt.BB detects the compiled sample. CYDERES Howler Cell confirmed the behavioral chain survives recompilation with minor source changes, defeating static detection. The highest-fidelity behavioral signal is an interactive shell with SYSTEM integrity whose parent process ancestry traces to MsMpEng.exe.

CVE and Advisories

No CVE has been assigned to RoguePlanet as of June 13, 2026. Microsoft has not issued a public advisory. The vulnerability is unpatched.

Related, previously patched CVEs from the same researcher and vulnerability class:

• CVE-2026-33825 (BlueHammer, CVSS 7.8) — patched April 14, 2026
• CVE-2026-41091 (RedSun) — patched May 21, 2026 (out-of-band)
• CVE-2026-45498 (UnDefend) — patched May 21, 2026 (out-of-band)
• CVE-2026-45585 (YellowKey) — patched June 10, 2026
• CVE-2026-45586 (GreenPlasma) — patched June 10, 2026

MITRE ATT&CK Mapping

Indicators of Compromise

Static detection of the compiled RoguePlanet binary is possible via Defender's own signature Exploit:Win32/DfndrRugPlnt.BB. This signature is defeated by minor source-level changes and recompilation, as confirmed by CYDERES Howler Cell.

Behavioral indicators are more durable:

Behavioral Indicators

• An interactive shell (cmd.exe or powershell.exe) with SYSTEM integrity level whose parent process chain includes MsMpEng.exe. This parent-child relationship does not occur in normal operation.
• Manual invocation of \Microsoft\Windows\Windows Error Reporting\QueueReporting outside its scheduled maintenance window, particularly via schtasks /run.
• File write events to C:\Windows\System32\wermgr.exe originating from a process other than a Windows Update or trusted installer context.
• Creation of NTFS reparse points (junction points) in user-writable staging directories immediately preceding Defender remediation activity.
• Mounting of ISO or VHDX images by a standard user account, particularly from a network path.

Network Indicators

The self-hosted Git mirror at git.projectnightcrawler[.]dev/NightmareEclipse has hosted exploit code. Treat connections to this host as high-confidence indicators of exploit staging activity.

Attribution

RoguePlanet was authored and published by an anonymous researcher operating under the aliases Nightmare Eclipse, Chaotic Eclipse, Dead Eclipse, and MSNightmare. No real-world identity has been publicly confirmed. No threat intelligence firm has linked Nightmare Eclipse to a nation-state sponsor, a known criminal organization, or a commercial exploit broker as of June 13, 2026.

The campaign is assessed by Dark Reading, CyberScoop, and Picus Security as a retaliatory effort stemming from a breakdown in the researcher's relationship with Microsoft's Security Response Center. The researcher alleges account deletion, withheld bounty payments, and misrepresentation in public CVE advisories. Microsoft states no vulnerability details were submitted through proper channels prior to public release.

Three earlier tools from the same series (BlueHammer, RedSun, UnDefend) were adopted by unidentified threat actors in live intrusions within days of public release. No attribution for those intrusion actors has been made public.

Primary Sources