Nightmare Eclipse Windows Zero-Day Trilogy

The Nightmare Eclipse Windows zero-day trilogy has moved from proof-of-concept code on GitHub to a confirmed, real-world intrusion: Huntress found BlueHammer, RedSun, and UnDefend deployed together in one attack chain that started with a compromised FortiGate VPN appliance.
What Happened
A researcher operating under the handle “Nightmare Eclipse” (also seen as “Chaotic Eclipse”) has published six Windows zero-day exploits since April 2026 after what they describe as a breakdown in their relationship with Microsoft’s MSRC — the researcher says reports went unpaid and unacknowledged. The six are BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey, GreenPlasma, and MiniPlasma.
Huntress now confirms the first three — BlueHammer, RedSun, and UnDefend — were used together in a single live intrusion. BlueHammer and RedSun are two independent code paths to the same result: escalating an unprivileged local foothold to SYSTEM, one via a race condition during Defender’s real-time scanning, the other via a direct write into System32. UnDefend runs alongside them, silently blocking Microsoft Defender signature updates and falsifying the endpoint’s reported health status to EDR consoles, so the compromised machine looks clean on the dashboard. The intrusion’s initial access point was a compromised FortiGate VPN appliance, tying this incident directly to the ongoing 2026 edge-device exploitation arc.
RedSun and UnDefend were patched in an out-of-band update on May 21, 2026. BlueHammer’s patch has been available since April 14 — meaning the oldest of the three fixes is now roughly three months old, yet tens of thousands of Windows endpoints remain unpatched according to researcher estimates. The same researcher had promised a further “bone shattering” mass disclosure of new exploits for July 14, 2026, but walked the threat back on July 12, citing exhaustion from the process of finding and weaponizing bugs.
Why It Matters
This is not only a patching story — it is a governance case study. A single independent researcher, operating outside any coordinated disclosure process, produced more exploitable Windows endpoint-security bypasses in three months than most organized threat-actor groups publish in a year. For DACH Mittelstand security teams, the practical risk is that “we have Microsoft Defender” is treated as a control rather than a product that can itself become the attack surface. Combined with a compromised edge device as the entry point, this attack chain shows that patch management assumptions built around predictable vendor disclosure timelines do not hold when the disclosure path itself has broken down.
What You Should Do Now
- Confirm all three patches are installed: BlueHammer (April 14, 2026 update), and RedSun plus UnDefend (May 21, 2026 out-of-band update) — check Windows Update history against these dates rather than assuming a general cumulative update covers all three.
- Verify whether your FortiGate or other VPN edge devices carry outstanding patches; this intrusion chain used a compromised VPN appliance as its entry point before pivoting to Defender-targeting tooling.
- Do not rely on Defender’s own dashboard status as proof of health — UnDefend specifically falsifies that signal. Cross-check endpoint health against a second, independent monitoring source (EDR telemetry from a different vendor, or centralized patch-compliance reporting).
- Monitor for unusual SYSTEM-level process creation immediately following VPN authentication events, and for any halt in Defender signature update timestamps across your fleet.
DIESEC Perspective
This is a pattern we see forming across 2026: individual researchers who feel mistreated by vendor disclosure programs are increasingly choosing public, weaponized disclosure over silence — and the resulting tools do not stay theoretical for long. Whatever one thinks of the researcher’s grievance, the operational reality for defenders is the same either way: a bypass exists, it is public, and it has now been observed in a live intrusion tied to edge-device compromise.
Not sure whether your Windows fleet still has an exposure window on any of these three patches, or whether your VPN edge devices are current? Contact DIESEC for a rapid patch-verification and endpoint health review.
Sources: Huntress | SOCRadar
Published: 2026-07-15 | Category: Vulnerabilities & Patches | ~5 min read

