Nightmare Eclipse Forced Microsoft’s Zero-Day Policy Retreat

Nightmare Eclipse’s six Windows zero-days forced Microsoft to drop legal threats and retire the ‘responsible disclosure’ term in a June 1 reversal.

Microsoft walked back legal threats against Nightmare Eclipse, a pseudonymous researcher who released six Windows zero-day exploits targeting Defender and BitLocker between April and May 2026, after alleging that Microsoft deleted his vulnerability-reporting account and withheld earned bounty payments. The reversal, formalized in a June 1 statement from the Microsoft Security Response Center (MSRC), dropped the term “responsible disclosure” and clarified that Redmond has “no intention to pursue action against individuals conducting or publishing their security research.” Three of the six exploits had already been weaponized in active enterprise intrusions before any patch arrived.

A Grievance Made Public

The campaign started with a message. On April 3, 2026, a researcher going by Chaotic Eclipse dropped a fully functional Windows local privilege escalation exploit on GitHub with no CVE, no prior vendor notification, and a pointed note to Microsoft’s Security Response Center: “I was not bluffing Microsoft, and I’m doing it again.” The exploit, later dubbed BlueHammer, abused a race condition in Defender’s signature update workflow to deliver SYSTEM privileges to any authenticated user on fully patched Windows 10 and 11 machines. Security researchers confirmed reliable escalation within days of release.

The backstory the researcher offered, spread across blog posts on their Dead Eclipse site, accused Microsoft of deleting the MSRC account used to file vulnerability reports, refusing to communicate when follow-up contact was attempted, and paying nothing for disclosures submitted through official channels. “I got zero pennies from doing so and I still happily did like an idiot,” Eclipse wrote in one post, adding that Microsoft had publicly defamed them in a subsequent CVE advisory. A Microsoft spokesperson said, after the dispute broke publicly, that the company “does not remove MSRC researcher portal accounts” and could not identify which account the researcher claimed was deactivated; the bounty allegations were not addressed.

Nightmare Eclipse, also operating under the aliases Chaotic Eclipse and Dead Eclipse, claims to be a former Microsoft employee with deep familiarity with Windows internals. That claim has not been independently verified. The technical quality of the published exploits was confirmed by multiple independent research teams within days of each release; in several cases, those researchers fixed bugs in Eclipse’s original proof-of-concept (PoC) code and published working versions themselves.

Five additional exploits followed in waves through April and into May. YellowKey and GreenPlasma, targeting BitLocker, arrived in late April. MiniPlasma came last: security analysis described it as capable of achieving SYSTEM access on fully patched Windows 11 systems with May 2026 updates applied, through the Windows Cloud Filter driver rather than Defender.

The Six-Tool Attack Chain

BlueHammer was only the opening move. Over roughly six weeks, Eclipse released five more tools, each hitting a different seam in Windows’ defensive architecture. BlueHammer and RedSun both deliver local privilege escalation (LPE) by manipulating how Defender handles privileged file operations during remediation, via different code paths. The technique, as Cyderes’s Howler Cell team documented in their BlueHammer zero-day analysis, turns “Defender’s own update workflow into a credential theft mechanism by chaining five legitimate Windows features in a sequence their designers never intended.” UnDefend takes a separate direction: it locks Defender’s signature files to prevent definition updates, leaving the endpoint falsely reporting as healthy to management consoles while protection silently degrades.
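The failure mode described for UnDefend is a console that says “healthy” while definitions have stopped advancing. The check below is an added example written for this article, not code from Microsoft, Huntress, Vectra or the researcher; it reads the endpoint’s own definition timestamp and then verifies that a forced update actually moves the signature version. It assumes an elevated session on the endpoint, the built-in Defender cmdlets, and a constructed 48-hour staleness threshold; the function name is hypothetical.

```powershell
# Added example: verify Defender definition freshness on the endpoint itself,
# independent of what a management console reports.
# Assumptions: run elevated; $MaxSignatureAgeHours is a constructed threshold.
param(
    [int]$MaxSignatureAgeHours = 48
)

function Test-DefenderSignatureFreshness {
    param([int]$MaxAgeHours)

    $before = Get-MpComputerStatus
    $result = [ordered]@{
        Computer           = $env:COMPUTERNAME
        SignatureVersion   = $before.AntivirusSignatureVersion
        LastUpdated        = $before.AntivirusSignatureLastUpdated
        AgeHours           = [math]::Round(((Get-Date) - $before.AntivirusSignatureLastUpdated).TotalHours, 1)
        RealTimeProtection = $before.RealTimeProtectionEnabled
        UpdateAdvanced     = $null
        Findings           = @()
    }

    # First signal: definitions older than the threshold, whatever the console shows.
    if ($result.AgeHours -gt $MaxAgeHours) {
        $result.Findings += "Definitions are $($result.AgeHours) h old (threshold $MaxAgeHours h)"
    }

    # Second signal: a forced update that leaves a stale signature version unchanged.
    # (An unchanged version on a fresh endpoint is normal, so only flag it when stale.)
    try {
        Update-MpSignature -ErrorAction Stop
        $after = Get-MpComputerStatus
        $result.UpdateAdvanced = $after.AntivirusSignatureVersion -ne $before.AntivirusSignatureVersion
        if (-not $result.UpdateAdvanced -and $result.AgeHours -gt $MaxAgeHours) {
            $result.Findings += "Forced update left signature version unchanged at $($before.AntivirusSignatureVersion)"
        }
    } catch {
        $result.UpdateAdvanced = $false
        $result.Findings += "Update-MpSignature failed: $($_.Exception.Message)"
    }

    if ($result.Findings.Count -eq 0) { $result.Findings = @('OK') }
    [pscustomobject]$result
}

Test-DefenderSignatureFreshness -MaxAgeHours $MaxSignatureAgeHours | Format-List
```

Run across a fleet, any host whose Findings is not OK deserves a look regardless of the green status its console shows.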

| Tool        | CVE             | Technical Function                                               | Patch Status (June 2026)  |
|-------------|-----------------|------------------------------------------------------------------|---------------------------|
| BlueHammer  | CVE-2026-33825  | LPE via TOCTOU race in Defender signature update workflow        | Patched, April 14         |
| RedSun      | CVE-2026-41091  | LPE via unvalidated write in Defender cloud-file remediation     | Out-of-band patch, May 21 |
| UnDefend    | CVE-2026-45498  | Defender DoS; signature reload blocked, endpoint reports healthy | Out-of-band patch, May 21 |
| YellowKey   | CVE-2026-45585  | BitLocker bypass on physically seized devices                    | Unpatched                 |
| GreenPlasma | (none assigned) | Privilege escalation via BitLocker subsystem                     | Unpatched                 |
| MiniPlasma  | (none assigned) | LPE via Windows Cloud Filter driver on patched Win 11            | Unpatched                 |

CISA, the U.S. Cybersecurity and Infrastructure Security Agency, added CVE-2026-33825 to its Known Exploited Vulnerabilities (KEV) catalog on April 22, requiring federal civilian agencies to apply the fix by May 6. BlueHammer, RedSun, and UnDefend had all been confirmed in active exploitation across enterprise environments by May 29, per threat detection firm Huntress.

Microsoft’s Legal Overcorrection

In Microsoft’s May 27 MSRC post on shared responsibility for coordinated vulnerability disclosure, the company cataloged the six exploits by name and condemned the disclosures as creating “unnecessary risk” for customers. The post invoked the phrase “responsible disclosure” four times, using language the company had officially retired in 2010 after criticism that it framed any researcher who disagreed with vendor patching timelines as acting irresponsibly. More pointedly, the same post had Microsoft’s Digital Crimes Unit (DCU) pledging to “continue bringing cases against these actors and those that enable their criminal activity,” language the security community read as a broad threat against independent vulnerability research. Nightmare Eclipse’s GitHub account was removed on May 23; a GitLab account created the same week was blocked May 26-27.

Kevin Beaumont, a security researcher and former Microsoft employee who tracks Redmond’s security posture publicly, called the response “a dumpster fire of their own making” in his blog. He pointed out that Microsoft had previously hired a researcher named SandboxEscaper after she published working zero-day PoC exploits for Windows products, behavior the new MSRC post characterized as criminal conduct.

Multiple enterprise security researchers pointed to a structural problem with the legal framing. If the DCU can threaten criminal action against researchers who bypass official reporting channels, those researchers’ incentive to use official channels diminishes. John Carberry, a solutions director at security firm Xcape, put the operational reality plainly in analysis following the disclosures: once working PoC code for a core Windows component like Defender is public, “the time-to-exploit window for threat actors drops to zero.” The DCU threat left that code in circulation and widened the conflict.

The Retreat and the Word That Gave It Away

By June 1, five days after the original post, Microsoft’s position had shifted. A new MSRC statement clarified that Redmond has “no intention to pursue action against individuals conducting or publishing their security research” and narrowed its legal posture to cases where someone “breaks the law and engages in malicious activity causing real harm.” The statement also acknowledged, without specifics, that some past MSRC interactions with researchers “have fallen short” of the professionalism Redmond holds itself to.

The giveaway was a single phrase. The follow-up statement dropped “responsible disclosure” entirely and used only Coordinated Vulnerability Disclosure (CVD), the framework Microsoft formally adopted in 2010 to avoid the implication that researchers who disagreed with vendor timelines were behaving irresponsibly. Four appearances in the May 27 post. Zero in the follow-up.

Katie Moussouris, the founder and CEO of Luta Security, who created Microsoft’s bug bounty program while she was an employee there, had flagged the term’s reappearance immediately after the original post went live. Writing on Bluesky, she said the phrase was “loaded” and added:

No vendor uses that term unless they want to call someone irresponsible.

Moussouris, in the same Bluesky thread, also identified a direct contradiction in the May 27 post: it claimed Microsoft’s CVD program “ensures researchers are compensated and publicly acknowledged” in a statement that was itself a response to a researcher who said they received no compensation and had their reporting account deleted.

Real Intrusions While Redmond Argued

While the policy dispute played out in public, attackers were using the tools in real enterprise networks. Huntress confirmed all three first-wave Defender exploits in active attacks on May 29. Vectra described the combination in operational terms: SYSTEM access via the LPE tools, then UnDefend deployed to degrade Defender’s detection capability over time while the endpoint continued reporting clean. “It is a layered degradation strategy, not a one-shot exploit,” Vectra said.

  • April 3: Proof-of-concept code published to GitHub, no prior vendor notification
  • April 10: First confirmed in-the-wild exploitation of CVE-2026-33825, per Huntress
  • April 22: CISA added CVE-2026-33825 to its KEV catalog; federal agencies required to patch by May 6
  • 51 days: Public availability window before GitHub account termination on May 23

Even with the GitHub account down, security analysts note that archived copies of the code circulate in private channels. Field Effect’s April 2026 Patch Tuesday analysis of the BlueHammer vulnerability documented the architectural nature of the underlying flaw: the race condition lives in how Windows components interact with each other during remediation, meaning Defender’s binary detection can be defeated with a basic recompile.

Organizations running Defender in managed environments with test-then-deploy cycles routinely take two to three weeks to roll out Patch Tuesday fixes to production. The Defender update addressing the first exploit arrived April 14; with the four days between Huntress’s first confirmed exploitation and that patch, administrators on a standard enterprise schedule were exposed well into late April. Out-of-band patches, which lack the same deployment automation as Patch Tuesday releases, carry a longer practical lag.

The Pipeline Redirected

The response Microsoft least wanted arrived in Eclipse’s blog shortly after the June 1 reversal. In a post following the clarification, the researcher confirmed that other vulnerability researchers had approached them since the legal threats went public, providing unpatched bugs directly rather than submitting through MSRC channels. Other researchers were now routing around the corporate reporting pipeline entirely.

Eclipse announced a Secure Boot vulnerability would drop in June, describing the bug as one that “fully bypasses BitLocker” and may allow compromise of confidential virtual machines. A separate deadline hangs over July 14, which falls on Patch Tuesday. Eclipse posted a warning that the July drop would be “bone shattering” for Microsoft, and the date appears calibrated: a zero-day release timed to coincide with Patch Tuesday forces administrators into a simultaneous decision about monthly patching and emergency response.

Underlying all of this is a structural strain the disclosure campaign didn’t create but ran directly through. Microsoft has patched over 500 CVEs in the first five months of 2026. Critics including Josh Bressers, VP of security at open-source security firm Anchore, have argued the traditional 90-day disclosure embargo was designed for a research pace that no longer holds, particularly as AI accelerates vulnerability discovery. The Nightmare Eclipse campaign added public weaponized PoC code to that pressure.

Three of the six original tools still have no official patch guidance. A Secure Boot bypass is in development. The researchers who have begun routing unpatched bugs directly to Eclipse rather than through MSRC have no incentive, based on anything in the June 1 statement, to stop.

July 14 is when organizations will find out whether the retreat changed anything that matters.
