CyberBytes Daily

Trending cyberattacks, explained simply.

critical vulnerability

How attackers used Windows Defender itself to gain full system control, then hid the damage from every dashboard

Your antivirus software runs with the highest possible privileges on your computer. It has to: detecting and removing threats requires the ability to read, write, and delete files anywhere on the system. Three newly published exploits turn that design requirement into the attack itself. The tool you trust most to protect your Windows machines is now the mechanism attackers use to own them.

Two of the three exploits remain completely unpatched as of April 24, 2026. They work on every supported version of Windows 10, Windows 11, and Windows Server, run from a standard user account with no administrator interaction, and RedSun is reported to succeed at roughly 100% reliability. The third exploit, patched on April 14, was already being used in real attacks seven days after it was published with no warning and no fix available.

The detail that should concern every security leader most is not the privilege escalation. It is the third tool in the chain, called UnDefend. A standard user with no special permissions can run it to silently freeze Defender's ability to recognize new threats, while every management dashboard continues to report the endpoint as healthy and fully protected. Attackers deploy UnDefend first, then escalate to full system control. By the time they do, your monitoring tools have already been told everything is fine.

Narrative · 6 min read

The Context

Windows Defender is Microsoft's built-in security software, installed and enabled by default on every Windows release since Windows 8. It runs continuously in the background, scanning files, blocking malware, and removing threats. To do its job, it operates as SYSTEM, the most privileged local account on a Windows machine, with more authority than any administrator account. That privilege is not a flaw. It is a requirement. You cannot remove a deeply embedded threat without the authority to touch any file on the system.

That design assumption is what these three exploits break.

The Attack, Phase by Phase

Phase 1: Disclosure Breakdown and Public Drop

A security researcher operating under the pseudonym Chaotic Eclipse attempted to report a Windows Defender vulnerability to Microsoft's Security Response Center (MSRC) through the standard private disclosure process. The researcher alleges MSRC required a video demonstration as a condition of reviewing the report, then dismissed the case despite being told a public release was coming.

On April 3, 2026, with no patch in place, the researcher published the BlueHammer exploit on GitHub in protest. Seven days later, Huntress Labs observed BlueHammer being used in real attacks.

Microsoft patched BlueHammer on April 14 as CVE-2026-33825, without publicly connecting the fix to the exploit name. Two days later, the researcher published two more exploits: RedSun and UnDefend. As of April 24, neither has a patch, a CVE identifier, or a remediation timeline.

Disclosure Timeline

  1. Private disclosure attempt: researcher reports to MSRC; dispute begins.
  2. BlueHammer published, April 3: PoC released with no patch.
  3. Active exploitation begins, April 10: Huntress confirms in-the-wild use.
  4. BlueHammer patched only, April 14: CVE-2026-33825 released.
  5. RedSun and UnDefend published, April 16: two more exploits, no patches.

RedSun and UnDefend remain unpatched. The next scheduled Patch Tuesday is May 13, 2026.

Phase 2: How Each Exploit Works

BlueHammer targets Defender's threat remediation engine. When Defender moves to remove a suspicious file, the exploit uses an oplock to freeze that operation at the exact moment Defender is about to write using its SYSTEM privileges. While frozen, the attacker places a junction point redirecting the write destination from a harmless temporary folder to C:\Windows\System32. When the freeze releases, Defender resumes and overwrites a legitimate system file with the attacker's payload. Defender has installed the malware itself, using its own highest-level permissions.

RedSun exploits the mechanism Defender uses to handle files tagged for cloud storage. A missing validation check in MpSvc.dll means Defender does not verify whether a file's path has been redirected before performing a privileged write during remediation. The attacker registers a fake cloud sync root, plants a file that attracts Defender's attention, and uses the same oplock-and-junction technique to redirect Defender's SYSTEM-privileged write to replace TieringEngineService.exe in System32. RedSun requires no administrator account, no kernel exploit, and no driver. It works on fully patched April 2026 systems at approximately 100% reliability.

UnDefend does not escalate privileges. It degrades protection. A standard user can run it to block Defender's entire signature update pipeline—the mechanism by which Defender learns to recognize new threats—while the endpoint continues to report as healthy to every management dashboard. In a more aggressive mode, UnDefend fully disables the Defender engine when Microsoft pushes a major platform update. The goal: freeze Defender's threat knowledge at a pre-attack baseline so everything deployed afterward is invisible to it.

Three-Exploit Mechanism

  1. UnDefend deployed first: freezes Defender's threat intelligence silently.
  2. Dashboard still shows healthy: management console reports full protection.
  3. RedSun or BlueHammer runs: oplock plus junction redirects a SYSTEM write.
  4. Defender overwrites a System32 binary: attacker payload installed by Defender itself.
  5. SYSTEM shell obtained: full machine control, with Defender blind to it.

UnDefend's silent degradation means the endpoint looks protected while the attacker operates freely.

Phase 3: Real-World Intrusion Chain

The attack Huntress documented on April 16 began with a compromised VPN account. The attacker authenticated through a hijacked FortiGate SSL VPN credential, bypassing any need to exploit a network-facing vulnerability. Once inside, they ran standard reconnaissance commands, then staged exploit binaries in user-accessible folders like Pictures and Downloads.

The operational sequence was deliberate: UnDefend first to degrade Defender's detection capability, then BlueHammer or RedSun to escalate to SYSTEM. With full system control and a blinded security tool, the attacker dumped NTLM password hashes from the SAM database, established persistence by modifying system services, and moved laterally using credentials Windows itself treats as legitimate.

Observed Intrusion Sequence

  1. VPN credential compromised: FortiGate SSL VPN account hijacked.
  2. Manual enumeration: whoami /priv, cmdkey /list, net group.
  3. UnDefend staged and run (exploit deployment begins): Defender degraded, dashboard still green.
  4. Privilege escalation exploit: RedSun or BlueHammer achieves SYSTEM.
  5. Credential extraction: SAM database accessed, NTLM hashes stolen.
  6. Lateral movement: trusted credentials used across the network.

Hands-on-keyboard activity indicates skilled, targeted threat actors, not automated scanning.

Phase 4: The Patch and Response Gap

One of the three exploits is patched. Two are not, and the structural mechanism that normally enforces federal patching mandates cannot reach them. CISA's Known Exploited Vulnerabilities (KEV) catalog is organized around CVE identifiers. RedSun and UnDefend have none. They cannot be added to the catalog. Federal agencies have a binding deadline to patch BlueHammer by May 6. For the two actively exploited unpatched flaws, no equivalent mandate exists.

The next scheduled Patch Tuesday is May 13, 2026. Every Windows endpoint with Defender enabled sits in that gap.

Patch Status as of April 24, 2026

  1. BlueHammer: patched, CVE-2026-33825, April 14 Patch Tuesday.
  2. RedSun: unpatched, no CVE, no fix, no timeline.
  3. UnDefend: unpatched, no CVE, no fix, no timeline.
  4. KEV mandate gap: no CVE means no federal patch deadline.
  Next Patch Tuesday: May 13, 2026.
  Exposed scope: all Windows 10, Windows 11 and Windows Server endpoints with Defender enabled.

The CVE-centric enforcement model creates a structural blind spot for exploited-but-unidentified vulnerabilities.

What Made This Possible

  1. Security tools run with unconditional trust. Defender operates as SYSTEM because it must. That trust is never scoped or verified mid-operation. When an attacker can influence the inputs to a SYSTEM-privileged file write, the tool's authority becomes the exploit.

  2. Dashboard health status is not independently verified. UnDefend works because management consoles report what the endpoint tells them. There is no out-of-band verification that reported protection matches actual protection. Compliance posture and actual security posture can diverge completely, invisibly.

  3. The disclosure process created the weapon. BlueHammer, RedSun, and UnDefend existed as private knowledge before April 3. Friction in Microsoft's disclosure process converted that private knowledge into public, ready-to-use exploit code before any patch existed. Dustin Childs of Trend Micro's Zero Day Initiative noted publicly that frustration with MSRC's process is widespread, and that multiple researchers have stopped reporting Microsoft bugs entirely.

When the process for responsibly reporting a vulnerability is perceived as punitive, the vulnerability does not disappear. It gets published.

What Should Have Stopped This

No single control would have neutralized this chain. Every defense that would have reduced the blast radius shares one trait: it does not depend on Defender's own integrity to function.

  • Independent version verification. Check the Defender Antimalware Platform version directly on endpoints (target: 4.18.26030.3011 or higher for the BlueHammer patch) rather than relying on dashboard reporting, which UnDefend can falsify.

  • MFA on VPN and remote access. The documented intrusion began with a stolen VPN credential. Multi-factor authentication would have blocked initial entry before any exploit was needed.

  • Monitor for Windows Update error 80070643. This error appears when UnDefend blocks Defender's signature update pipeline. Alerting on it fleet-wide provides early warning that does not depend on Defender's self-reporting.

  • Baseline integrity monitoring for TieringEngineService.exe. RedSun replaces this specific file in C:\Windows\System32. Recording the legitimate file's hash and alerting on any modification is a direct RedSun detection method.

  • Network segmentation. Limiting which systems a compromised endpoint can reach reduces lateral movement from a network-wide event to a contained one.
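One way to run the first, third and fourth checks above directly on the endpoint, as an added PowerShell example (this is not code from the article or from any vendor it cites). It compares the local Defender platform version against the 4.18.26030.3011 level the article names, pulls Defender security-intelligence update failures and Windows Update installation failures from the local event logs, and verifies TieringEngineService.exe by its Authenticode/catalog signature as well as by a hash baseline you supply. The event IDs (Defender operational log 2001 for a failed security-intelligence update; WindowsUpdateClient operational log 20 for an installation failure), the staleness threshold and the lookback window are the example's own choices, not the page's; run it elevated so the event logs are readable.

```powershell
# Added example (not from the article or any of its cited vendors): an
# out-of-band posture check that reads the endpoint directly instead of
# trusting the management console. Run elevated; wrap in Invoke-Command
# for a fleet sweep.

$PatchedPlatform     = [version]'4.18.26030.3011'   # BlueHammer fix level named in the article
$SignatureMaxAgeDays = 3                            # assumption: your tolerance for stale definitions
$LookbackDays        = 14                           # assumption: how far back to search event logs

function Get-DefenderPosture {
    # Direct read of local Defender state; does not depend on what the console was told.
    $s        = Get-MpComputerStatus
    $platform = [version]$s.AMProductVersion
    $sigAge   = (New-TimeSpan -Start $s.AntivirusSignatureLastUpdated -End (Get-Date)).TotalDays
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        PlatformVersion    = $platform.ToString()
        PlatformPatched    = ($platform -ge $PatchedPlatform)
        EngineVersion      = $s.AMEngineVersion
        SignatureVersion   = $s.AntivirusSignatureVersion
        SignatureAgeDays   = [math]::Round($sigAge, 1)
        SignaturesStale    = ($sigAge -gt $SignatureMaxAgeDays)
        RealTimeProtection = $s.RealTimeProtectionEnabled
        ServiceEnabled     = $s.AMServiceEnabled
    }
}

function Get-DefenderUpdateFailures {
    # Defender 2001 = security intelligence update failed; WindowsUpdateClient 20 =
    # installation failure, which is where 0x80070643 surfaces in the message text.
    $since   = (Get-Date).AddDays(-$LookbackDays)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-Windows Defender/Operational';   Id = 2001; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational'; Id = 20;   StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Log         = $f.LogName
                EventId     = $_.Id
                Has80070643 = ($_.Message -match '80070643')
                Message     = ($_.Message -split "`r?`n")[0]
            }
        }
    }
}

function Test-TieringEngineBinary {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\TieringEngineService.exe'),
        [string]$KnownGoodSha256   # assumption: hash recorded from a clean machine at the same patch level
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # System binaries are catalog-signed; Get-AuthenticodeSignature resolves the catalog
    # and reports SignatureType 'Catalog'. A payload written over the file will not verify.
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $msSigned = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
    $baselineOk = $null
    if ($KnownGoodSha256) { $baselineOk = ($hash -eq $KnownGoodSha256) }   # -eq is case-insensitive
    [pscustomobject]@{
        Path            = $Path
        Present         = $true
        Sha256          = $hash
        MatchesBaseline = $baselineOk
        SignatureStatus = $sig.Status.ToString()
        SignatureType   = $sig.SignatureType.ToString()
        MicrosoftSigned = $msSigned
        LastWriteUtc    = $item.LastWriteTimeUtc
    }
}

$posture  = Get-DefenderPosture
$failures = @(Get-DefenderUpdateFailures)
$binary   = Test-TieringEngineBinary

$posture | Format-List
$binary  | Format-List
"Update failures in last $LookbackDays days: $($failures.Count) (mentioning 0x80070643: $(@($failures | Where-Object Has80070643).Count))"
if (-not $posture.PlatformPatched -or $posture.SignaturesStale -or -not $binary.MicrosoftSigned) {
    Write-Warning 'Endpoint needs attention regardless of what the console reports.'
}
```

The signature check matters more than the hash: the legitimate TieringEngineService.exe changes hash with every cumulative update, so a bare hash diff will fire on Patch Tuesday, whereas a binary that fails catalog validation or carries a non-Microsoft signer is a finding on any day. Compare PlatformVersion and SignatureVersion across the fleet; an endpoint whose values stop advancing while its peers move on is the pattern the article attributes to UnDefend.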

The Takeaway

This attack chain is the same class of failure as the Stryker Intune wipe: a privileged management tool weaponized against the organization it was built to protect. The pattern across both incidents is identical—systems fail when they extend unconditional trust to a component the attacker has learned to control.

UnDefend adds a dimension that prior incident did not have: the security tool actively misreports its own state. The dashboard says protected. The endpoint is not. The organization cannot tell the difference through normal channels.

Pattern to remember: When a security tool performs privileged operations on attacker-influenced inputs, the tool's authority is the attack surface, not a defense against it.

What changed: The attacker can now use the security tool itself to both execute the privilege escalation and suppress the evidence, leaving dashboards reporting full protection while the endpoint is fully compromised.

Technical Deep Dive · 3 min

The Technical Mechanism

BlueHammer (CVE-2026-33825) exploits a time-of-check to time-of-use (TOCTOU) race condition in Windows Defender's threat remediation engine. The primary escalation path:

  1. Attacker drops a file that triggers a Defender real-time protection detection.
  2. A batch oplock is acquired on the target path, pausing Defender's SYSTEM-privileged file operation mid-execution.
  3. During the pause, an NTFS junction point is created redirecting the target write path from an attacker-controlled temp directory to C:\Windows\System32.
  4. The oplock is released; Defender resumes and follows the junction, overwriting a legitimate system binary with the attacker's payload under SYSTEM authority.

The secondary BlueHammer path (documented by Cyderes) abuses the Windows Update Agent COM interface triggered by a pending Defender signature update. An oplock on a VSS (Volume Shadow Copy Service) snapshot mount stalls Defender's SYSTEM thread, allowing offline access to the SAM, SYSTEM, and SECURITY registry hives from the mounted snapshot. Escalation proceeds via SamiChangePasswordUser, LogonUserEx, token duplication, and CreateService to spawn a SYSTEM-level shell.

RedSun exploits a missing reparse point validation in MpSvc.dll within Defender's cloud file rollback mechanism. The attack sequence:

  1. Attacker registers a Cloud Files sync root via CfRegisterSyncRoot() (the same Windows API used by OneDrive and Dropbox).
  2. A Cloud Files placeholder is created via CfCreatePlaceholders() with extended attributes that attract Defender's real-time scan.
  3. A batch oplock is acquired on the placeholder file.
  4. When Defender attempts to access the file during remediation, the working directory is substituted with a junction point targeting C:\Windows\System32.
  5. Defender, running as SYSTEM, overwrites TieringEngineService.exe with the attacker-controlled binary.
  6. A Windows COM object (Storage Tiers Management) is triggered to execute the replaced binary as SYSTEM.

RedSun requires no administrator account, no kernel exploit, and no signed driver. The cldapi.dll dependency is present on all Windows 10 version 1709 and later systems as a core OS component. Reliability is approximately 100% on fully patched April 2026 systems.
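Both chains above, BlueHammer's and RedSun's, rely on the remediation engine writing through a path component that is a reparse point without noticing. The check it needed, as an added PowerShell example (not Microsoft's code and not from the exploit author), walks every existing component of a destination path and refuses the write if any of them is a junction, symbolic link, mount point or cloud placeholder. The function names, the sandbox layout under %TEMP% and the sibling-folder junction (standing in for System32) are the example's own; it runs as a standard user in Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not Microsoft's code and not from the exploit author): the
# reparse-point validation a remediation engine needs before a privileged write,
# shown against an ordinary path and a path that crosses a junction.

function Test-PathHasReparsePoint {
    # Report the first existing component of $Path that carries the ReparsePoint
    # attribute. A write through such a component lands wherever the reparse
    # target says, not where the path string says.
    param([Parameter(Mandatory)][string]$Path)
    $full  = [System.IO.Path]::GetFullPath($Path)
    $root  = [System.IO.Path]::GetPathRoot($full)
    $parts = $full.Substring($root.Length) -split '\\' | Where-Object { $_ -ne '' }
    $cur   = $root.TrimEnd('\')
    foreach ($p in $parts) {
        $cur = Join-Path $cur $p
        if (-not (Test-Path -LiteralPath $cur)) { break }   # rest of the path does not exist yet
        $item = Get-Item -LiteralPath $cur -Force
        if (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) {
            return [pscustomobject]@{
                Path       = $full
                Redirected = $true
                Component  = $cur
                LinkType   = $item.LinkType
                Target     = (@($item.Target) -join ';')
            }
        }
    }
    [pscustomobject]@{ Path = $full; Redirected = $false; Component = $null; LinkType = $null; Target = $null }
}

function Invoke-GuardedWrite {
    # Hardened pattern: refuse the write if any destination component is a reparse
    # point. A real engine must additionally hold the directory handles it checked
    # (or write handle-relative) so the path cannot be swapped between this check
    # and the write; that gap is exactly the TOCTOU window the oplock exploits.
    param([Parameter(Mandatory)][string]$Destination, [Parameter(Mandatory)][byte[]]$Bytes)
    $check = Test-PathHasReparsePoint -Path $Destination
    if ($check.Redirected) {
        throw "Refusing write: '$($check.Component)' is a $($check.LinkType) to '$($check.Target)'"
    }
    [System.IO.File]::WriteAllBytes($Destination, $Bytes)
}

# Demonstration in a throwaway sandbox under %TEMP%. The junction points at a
# sibling folder here rather than System32, but the mechanics are identical and
# creating it needs no administrator rights.
$sandbox  = Join-Path $env:TEMP ('reparse-demo-' + [guid]::NewGuid().ToString('N'))
$realDir  = New-Item -ItemType Directory -Path (Join-Path $sandbox 'real') -Force
$junction = Join-Path $sandbox 'quarantine'
$null     = New-Item -ItemType Junction -Path $junction -Value $realDir.FullName

$payload = [System.Text.Encoding]::ASCII.GetBytes('harmless test bytes')
Invoke-GuardedWrite -Destination (Join-Path $realDir.FullName 'a.bin') -Bytes $payload   # allowed
try {
    Invoke-GuardedWrite -Destination (Join-Path $junction 'b.bin') -Bytes $payload       # refused
} catch { Write-Warning $_.Exception.Message }

Test-PathHasReparsePoint -Path (Join-Path $junction 'b.bin') | Format-List

[System.IO.Directory]::Delete($junction)          # deletes the junction itself, not its target
Remove-Item -LiteralPath $sandbox -Recurse -Force
```

Note that Cloud Files placeholders are reparse points too, which is why the check flags them as well as junctions: a remediation path that unexpectedly contains either is the condition RedSun manufactures, and the safe response is to abort the privileged write rather than to special-case one reparse tag.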

UnDefend targets the Defender signature update pipeline. In passive mode, it blocks all definition updates, causing Windows Update error code 80070643 on update attempts while the endpoint continues to report as healthy and current to EDR management consoles. In aggressive mode, it fully disables MsMpEng.exe and related Defender binaries when Microsoft pushes a major platform update. Neither mode requires administrator privileges.

RedSun Technical Execution Path

  1. CfRegisterSyncRoot(): register a fake cloud sync root via cldapi.dll.
  2. CfCreatePlaceholders(): drop a cloud-tagged file to attract a Defender scan.
  3. Batch oplock acquired: freeze Defender's file access mid-operation.
  4. Junction point substituted: redirect the write target to C:\Windows\System32.
  5. Defender writes payload: TieringEngineService.exe overwritten as SYSTEM.
  6. COM activation triggers the binary: Storage Tiers Management executes the payload.

MpSvc.dll does not validate reparse points before performing the privileged write, making the junction substitution possible.

CVE and Advisories

  • CVE-2026-33825: Windows Defender Elevation of Privilege Vulnerability. CVSS 7.8 (High). Patched April 14, 2026. Affected Defender Antimalware Platform versions below 4.18.26030.3011 (MSRC advisory).
  • RedSun: No CVE assigned as of April 24, 2026. No patch available.
  • UnDefend: No CVE assigned as of April 24, 2026. No patch available.
  • CISA KEV entry for CVE-2026-33825: Added April 22, 2026. Federal Civilian Executive Branch agencies ordered to patch by May 6, 2026.

MITRE ATT&CK Mapping

Technique ID · ATT&CK name · How it appeared

  • T1068 (Exploitation for Privilege Escalation): BlueHammer and RedSun both exploit Defender's SYSTEM-privileged file operations to escalate from standard user to SYSTEM.
  • T1574.010 (Hijack Execution Flow: Services File Permissions Weakness): RedSun overwrites TieringEngineService.exe in System32, replacing a legitimate service binary with attacker-controlled code.
  • T1562.001 (Impair Defenses: Disable or Modify Tools): UnDefend blocks Defender signature updates (passive mode) or fully disables the Defender engine (aggressive mode).
  • T1562.006 (Impair Defenses: Indicator Blocking): UnDefend causes the endpoint to report healthy status to management dashboards while protection is degraded or disabled.
  • T1003.002 (OS Credential Dumping: Security Account Manager): BlueHammer's secondary path accesses the SAM, SYSTEM, and SECURITY registry hives from a VSS snapshot mount for offline NTLM hash extraction.
  • T1543.003 (Create or Modify System Process: Windows Service): BlueHammer's escalation path uses CreateService to spawn a SYSTEM-level shell via a newly created service.
  • T1078 (Valid Accounts): Initial access in the documented Huntress intrusion was via a hijacked FortiGate SSL VPN credential, not a network-facing exploit.

Indicators of Compromise

File System Indicators

  • Any modification to C:\Windows\System32\TieringEngineService.exe: baseline the SHA-256 hash on all endpoints. Any change not accounted for by a Windows update is a high-confidence RedSun indicator; the replaced binary will also fail Authenticode/catalog signature validation, which distinguishes it from a legitimate patch.
  • Exploit binaries staged in user-writable directories: C:\Users\[username]\Downloads\RedSun.exe, C:\Users\[username]\Pictures\ with renamed variants.
  • Unexpected files in C:\Windows\System32 with recent modification timestamps inconsistent with patch activity.

Process and API Indicators

  • NtQueryDirectoryObject calls targeting HarddiskVolumeShadowCopy from user-space processes: high-confidence pre-exploitation indicator for the BlueHammer secondary (VSS snapshot) path described above (per Cyderes analysis).
  • Calls to CfRegisterSyncRoot() and CfCreatePlaceholders() from non-OneDrive, non-Dropbox processes.
  • CreateService calls immediately following LogonUserEx and token duplication sequences.

Update Pipeline Indicators

  • Windows Update error code 80070643 appearing during Defender signature update attempts: detectable symptom of UnDefend passive mode.
  • Defender platform or signature version not advancing on an endpoint while the management console reports it as current and its peers keep updating: indicates UnDefend may be suppressing updates behind a healthy status.

Enumeration Commands

  • Sequential execution of whoami /priv, cmdkey /list, and net group from the same session: consistent with the hands-on-keyboard enumeration pattern observed by Huntress prior to exploit deployment.
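Two of the indicators above, the three-command enumeration sequence and executables launched from Downloads or Pictures, can be run as queries over process-creation telemetry. This is an added PowerShell example, not detection content from Huntress, Cyderes or the article; the records are constructed to resemble Sysmon event 1 fields (UtcTime, LogonId, User, Image, CommandLine) and are not real data, and the 30-minute window and the staging-folder pattern are the example's own assumptions.

```powershell
# Added example (not from Huntress, Cyderes or the article): two indicator
# checks run over process-creation records. The sample records are constructed
# and mimic Sysmon event 1 fields; replace $Sample with your own export.

$EnumerationSteps = @(
    '\bwhoami(\.exe)?\b.*\s/priv\b',
    '\bcmdkey(\.exe)?\b.*\s/list\b',
    '\bnet1?(\.exe)?\b\s+group\b'
)
$StagingDirPattern = '^C:\\Users\\[^\\]+\\(Downloads|Pictures)\\.*\.exe$'   # assumption: folders Huntress named

function Find-EnumerationSequence {
    # Flag any logon session that ran all three enumeration commands inside $WindowMinutes.
    param([Parameter(Mandatory)][object[]]$Events, [int]$WindowMinutes = 30)
    foreach ($session in ($Events | Group-Object LogonId)) {
        $seen = @{}
        foreach ($e in ($session.Group | Sort-Object UtcTime)) {
            for ($i = 0; $i -lt $EnumerationSteps.Count; $i++) {
                if (-not $seen.ContainsKey($i) -and $e.CommandLine -match $EnumerationSteps[$i]) { $seen[$i] = $e }
            }
        }
        if ($seen.Count -ne $EnumerationSteps.Count) { continue }
        $ordered = @($seen.Values | Sort-Object UtcTime)
        $span    = $ordered[-1].UtcTime - $ordered[0].UtcTime
        if ($span.TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                LogonId  = $session.Name
                User     = $ordered[0].User
                First    = $ordered[0].UtcTime
                SpanMin  = [math]::Round($span.TotalMinutes, 1)
                Commands = ($ordered | ForEach-Object CommandLine) -join ' ; '
            }
        }
    }
}

function Find-StagedBinaries {
    # Executables launched from the user-writable staging folders.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object { $_.Image -match $StagingDirPattern } |
        Select-Object UtcTime, LogonId, User, Image, CommandLine
}

# Constructed sample telemetry (not real data); times are UTC.
$Sample = @(
    [pscustomobject]@{ UtcTime = [datetime]'2026-04-16 09:01:10'; LogonId = '0x3e7a1'; User = 'CORP\jdoe';     Image = 'C:\Windows\System32\whoami.exe';     CommandLine = 'whoami /priv' },
    [pscustomobject]@{ UtcTime = [datetime]'2026-04-16 09:01:42'; LogonId = '0x3e7a1'; User = 'CORP\jdoe';     Image = 'C:\Windows\System32\cmdkey.exe';     CommandLine = 'cmdkey /list' },
    [pscustomobject]@{ UtcTime = [datetime]'2026-04-16 09:02:05'; LogonId = '0x3e7a1'; User = 'CORP\jdoe';     Image = 'C:\Windows\System32\net.exe';        CommandLine = 'net group "Domain Admins" /domain' },
    [pscustomobject]@{ UtcTime = [datetime]'2026-04-16 09:06:30'; LogonId = '0x3e7a1'; User = 'CORP\jdoe';     Image = 'C:\Users\jdoe\Pictures\IMG_2204.exe'; CommandLine = '"C:\Users\jdoe\Pictures\IMG_2204.exe" -p' },
    [pscustomobject]@{ UtcTime = [datetime]'2026-04-16 11:15:00'; LogonId = '0x51c22'; User = 'CORP\helpdesk'; Image = 'C:\Windows\System32\whoami.exe';     CommandLine = 'whoami /priv' },
    [pscustomobject]@{ UtcTime = [datetime]'2026-04-16 11:15:20'; LogonId = '0x51c22'; User = 'CORP\helpdesk'; Image = 'C:\Windows\System32\ipconfig.exe';   CommandLine = 'ipconfig /all' }
)

Find-EnumerationSequence -Events $Sample | Format-List
Find-StagedBinaries -Events $Sample | Format-Table -AutoSize
```

In the constructed sample only session 0x3e7a1 completes the sequence (three commands in under a minute) and only its Pictures-launched executable matches the staging pattern; the helpdesk session, which runs whoami /priv alone, is deliberately there to show that a single enumeration command is not a hit. Grouping by LogonId rather than by host or user is what makes the sequence meaningful, since the Huntress observation was of one interactive session doing all three.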

Attribution

The exploit author is an anonymous security researcher operating under the pseudonyms Chaotic Eclipse and Nightmare-Eclipse, who created their GitHub account on March 27, 2026, and published all three tools within 13 days. The stated motivation is a grievance against MSRC's disclosure handling process. The threat actors observed exploiting these tools in the wild by Huntress are separate from the researcher and remain unidentified. No nation-state attribution has been made by any threat intelligence firm as of April 24, 2026. The researcher has publicly threatened to release remote code execution exploits following future Microsoft patch cycles.


Primary Sources

  02. CISA Known Exploited Vulnerabilities Catalog: CVE-2026-33825. U.S. Cybersecurity and Infrastructure Security Agency (CISA) · April 22, 2026
  07. Microsoft Defender Triple Zero-Day: BlueHammer, RedSun, UnDefend. Cloud Security Alliance (CSA) AI Safety Initiative · April 19, 2026
  09. RedSun and UnDefend Zero-Day Exploits Hit Defender. Ampcus Cyber ShadowOps Intel · April 2026
  10. The April 2026 Security Update Review. Trend Micro Zero Day Initiative (ZDI) · April 14, 2026