Nightmare-Eclipse: The Six Windows Zero-Days From the Researcher GitHub Banned

Over the last several weeks an anonymous security researcher who goes by Nightmare-Eclipse — and previously by Chaotic Eclipse and Dead Eclipse — published a string of working exploits for unpatched Windows vulnerabilities. Six of them, in roughly six weeks, starting in early April 2026. It culminated last week in GitHub banning the account, and GitLab suspending a mirror a few days later, on or around May 23–26.

If you only read the headlines, this looks like inside-baseball drama between a researcher and Microsoft. But several of these bugs affect ordinary Windows laptops and the security software that ships with them, a few are already being used in real attacks, and the researcher has promised a bigger release on July 14. So it is worth understanding, in plain language, what was actually released and what a normal small business should do about it.

What happened, briefly

By the researcher's own account, this was a protest. They say they reported vulnerabilities to Microsoft's Security Response Center (MSRC), were unhappy with how the reports were handled, and received no bug-bounty payment for the work. So instead of quiet, coordinated disclosure, they started publishing full proof-of-concept (PoC) exploits for unpatched flaws — the kind of code that lets anyone reproduce the attack.

That is the part worth being clear-eyed about: dropping working exploits for unpatched bugs does pressure the vendor, but it also hands a ready-made weapon to every criminal crew watching. Defenders and attackers got the same code at the same time. GitHub and GitLab both ultimately removed the accounts, but PoCs spread the moment they are posted, and these did.

The six zero-days, in plain language

The six fall into two natural groups: three that attack Windows Defender itself, and three that are Windows privilege-escalation or encryption bypass issues. Here is the short version of each.

The three that target Windows Defender

  • BlueHammer — CVE-2026-33825 (patched, April 2026). The clever one. It drops a file that Defender wants to quarantine, then uses a file-locking trick (an opportunistic lock) to freeze Defender mid-operation and swaps in an NTFS junction that redirects Defender's own write into C:\Windows\System32. Because Defender runs as SYSTEM, the attacker effectively borrows its privileges to write where a normal user cannot — a path to full control of the machine. Fixed in the April Patch Tuesday.
  • RedSun — CVE-2026-41091 (patched out-of-band, May 21). A different route to the same goal: it abuses Defender's cloud-file rollback, the feature that restores a file Defender removed, which does not properly check the destination of the restore. That lets an attacker redirect the restored file into a privileged location. A local privilege-escalation bug.
  • UnDefend — CVE-2026-45498 (patched out-of-band, May 21). This one does not grab privileges directly. It quietly sabotages Defender's definition updates so the endpoint's detection slowly goes blind over time. It is the "turn off the smoke detector" step that makes the others stealthier.

Read together, the three are a chain, not three separate curiosities: use BlueHammer or RedSun to become SYSTEM, then UnDefend to degrade Defender so the intrusion is harder to spot. Incident-response teams have confirmed all three in real-world attacks, with BlueHammer seen in use since around April 10, and RedSun and UnDefend found on a host that was first broken into through a hijacked SSL VPN account. That detail matters: the entry point was a stolen login, which is exactly the kind of thing identity hardening and phishing-resistant MFA are meant to stop.

The three Windows privilege-escalation and bypass bugs

  • YellowKey — a BitLocker bypass (still being remediated). The researcher called this "one of the most insane discoveries I ever found" and described it as functioning like a backdoor into BitLocker-encrypted drives. In practice that means the disk encryption you rely on to protect a lost or stolen laptop may not protect it the way you assume. We covered this one in detail when it dropped — see YellowKey & GreenPlasma: Two Windows Bypasses Explained.
  • GreenPlasma — a CTFMON privilege escalation (still being remediated). A local privilege-escalation flaw the researcher describes as a "Windows CTFMON Arbitrary Section Creation Elevation of Privileges Vulnerability." Translation: a normal user can abuse it to get a SYSTEM-level shell. Same write-up linked above.
  • MiniPlasma — a Cloud Filter driver privilege escalation (still being remediated). The most uncomfortable of the set, because it reportedly takes a standard user to SYSTEM on a fully patched Windows 11 machine with the May 2026 updates installed. We wrote that one up separately: Windows MiniPlasma SYSTEM Privilege Escalation: No Patch, Public PoC.

Why this matters to a small business

It is tempting to file "Windows Defender zero-day" under enterprise problems. It is not. Every item here affects the software on ordinary Windows 10 and 11 laptops and desktops: Defender, BitLocker, and core Windows drivers. There is nothing exotic required.

The privilege-escalation bugs are the ones to internalize. On its own, a "normal user to SYSTEM" bug does not break into your network — an attacker needs a foothold first. But footholds are cheap in 2026: a phished password, an MFA code talked out of an employee, a hijacked VPN login, a malicious attachment. Once any one of those lands a low-privilege foothold, an escalation bug like GreenPlasma or MiniPlasma turns it into total control of the device — and from there, the rest of the environment. This is the same point we made in the 22-seconds / MDR post: the gap between "someone got in" and "someone owns everything" is now tiny, and it closes automatically when these exploits are in play.

And the BitLocker bypass changes a quiet assumption a lot of businesses make: that a lost or stolen encrypted laptop is "fine, it's encrypted." With YellowKey-class techniques, that confidence needs a second look — which is why device encryption should be paired with a PIN and with the ability to remotely wipe a missing machine, not treated as a single magic checkbox.

What to do this week

1. Patch the three that are fixed — all of them

The most important and most boring step. Confirm every Windows machine has both the April 2026 Patch Tuesday updates (BlueHammer / CVE-2026-33825) and the May 21, 2026 out-of-band updates (RedSun / CVE-2026-41091 and UnDefend / CVE-2026-45498). Two of those three are being actively exploited, so an unpatched machine is not a theoretical risk. If you are not certain every endpoint is current — including the laptop that never comes into the office — that uncertainty is the finding. This is exactly the gap that managed IT with enforced patching is supposed to remove, and it is the lesson of every Patch Tuesday post we write.

2. Assume the three open bugs exist, and build around them

You cannot patch YellowKey, GreenPlasma, or MiniPlasma yet, so reduce what they can do for an attacker:

  • No everyday local admins. Privilege-escalation bugs matter most when the starting point is weak. Standard users, separated admin accounts, and no persistent local administrators shrink the blast radius. (See identity hardening.)
  • EDR plus 24/7 monitoring. Since one of these bugs is literally designed to blind Defender over time, you want detection that does not rely solely on the endpoint's own health — a managed detection and response layer with a human watching, as argued in the MDR post.
  • Network and identity controls that work even if a device is compromised. Conditional access, VPN MFA, and alerting on anomalous logins catch the entry that precedes the escalation. The real intrusion above started with a hijacked VPN account.

3. Harden BitLocker

Require TPM-plus-PIN on laptops so the drive does not silently unlock on boot, keep recovery keys escrowed in your management tenant (not on a sticky note), and make sure you can remotely wipe a lost device. Full walkthrough in the YellowKey write-up.

4. Get ready for July 14

Nightmare-Eclipse has announced a larger disclosure event for July 14, 2026, saying the date will matter regardless of what gets patched first. Do not panic about it, but do prepare: a tight patch cadence, monitoring already in place, and a one-page incident-response plan that says who decides, who calls whom, and where the backups and recovery keys live. Preparation before the date beats improvisation on it.
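Steps 1 through 3 above, turned into a single per-endpoint posture check. This is an added PowerShell example written for this post, not Microsoft tooling or anything released by the researcher; it assumes you run it elevated on each machine, replace the two placeholder KB IDs with the April 2026 Patch Tuesday and May 21, 2026 out-of-band update IDs for your Windows build, and accept the assumed three-day signature-age threshold.

```powershell
# Endpoint posture check for the steps above. Added example, not code from the post.
# Run elevated. ASSUMPTION: the two KB IDs are placeholders; replace them with the
# April 2026 Patch Tuesday and May 21, 2026 out-of-band update IDs for your build.
$RequiredKBs   = @('KB<APRIL-2026-CUMULATIVE>', 'KB<MAY-21-2026-OOB>')
$MaxSigAgeDays = 3   # assumed threshold for "definitions are stale"
$findings = [System.Collections.Generic.List[string]]::new()

# Step 1: the three patched bugs (BlueHammer, RedSun, UnDefend) need both updates.
$installed = (Get-HotFix).HotFixID
foreach ($kb in $RequiredKBs) {
    if ($installed -notcontains $kb) { $findings.Add("Missing update $kb") }
}

# UnDefend works by starving Defender of definition updates, so stale signatures
# or disabled real-time protection are worth flagging on their own.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
if ($mp.AntivirusSignatureAge -gt $MaxSigAgeDays) {
    $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old " +
                  "(last updated $($mp.AntivirusSignatureLastUpdated))")
}

# Step 2: the open bugs (YellowKey, GreenPlasma, MiniPlasma) start from a low-privilege
# user, so everyday accounts must not sit in the local Administrators group.
# The built-in Administrator (RID 500) is skipped; every other user member is reported.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500' } |
    ForEach-Object { $findings.Add("Local admin present: $($_.Name)") }

# Step 3: the OS drive should be BitLocker-protected with TPM+PIN, and carry a
# recovery password so it can be escrowed in your management tenant.
$os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($os.KeyProtector.KeyProtectorType)
if ($os.ProtectionStatus -ne 'On')          { $findings.Add('BitLocker is off on the OS drive') }
if ($types -notcontains 'TpmPin')           { $findings.Add('BitLocker OS drive has no TPM+PIN protector') }
if ($types -notcontains 'RecoveryPassword') { $findings.Add('BitLocker OS drive has no recovery password to escrow') }

# One line per gap, prefixed with the host name so output from a whole fleet can be collected.
if ($findings.Count -eq 0) { "$env:COMPUTERNAME: no gaps found" }
else { $findings | ForEach-Object { "$env:COMPUTERNAME: $_" } }
```

Push it through your RMM or Intune as a scheduled script and collect the output centrally; a host that stops reporting, or whose signature age keeps growing, is itself a finding.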

A note on the bigger picture

It is genuinely debatable whether Microsoft's bug-bounty handling was fair here, and reasonable people disagree about whether banning the accounts helped or just escalated things. But from where a small business sits, the ethics debate does not change the to-do list. Working exploit code for Windows is public; some of it is being used; the defense is the same fundamentals we keep coming back to — patch quickly, harden identity, monitor continuously, and assume any single control can fail.

That last idea, defense in depth, is the whole point of this episode. BlueHammer turned Defender's own privileges against it. UnDefend was built to switch Defender's eyesight off slowly. If your entire security posture is "Windows Defender is on," a campaign like this is exactly what gets through. Layers are what hold when one layer is the thing under attack.

Frequently asked questions

Who is Nightmare-Eclipse?

An anonymous security researcher, also seen using the names Chaotic Eclipse and Dead Eclipse, who released six Windows zero-day exploits over roughly six weeks starting in early April 2026 as a public protest against how Microsoft's MSRC handled their reports, including unpaid bounties. GitHub banned the account around May 23, 2026, and GitLab suspended a mirror days later.

Which of the six zero-days are patched?

BlueHammer (CVE-2026-33825) was fixed in the April 2026 Patch Tuesday. RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) were fixed in a May 21, 2026 out-of-band update after active exploitation was reported. YellowKey (the BitLocker bypass), GreenPlasma (CTFMON privilege escalation), and MiniPlasma (Cloud Filter privilege escalation) were still being remediated as of late May 2026, so treat them as open and rely on mitigations.

Are these being used in real attacks?

Yes. Incident responders confirmed BlueHammer, RedSun, and UnDefend in real intrusions. BlueHammer has been seen in use since around April 10, 2026, and RedSun and UnDefend were found on a host first compromised through a hijacked SSL VPN account. Once a public proof-of-concept exists, attackers adopt it quickly, which is why patch speed matters.

We are a small business, not an enterprise. Does this affect us?

Yes. These are flaws in Windows, Windows Defender, BitLocker, and core Windows drivers — the software on ordinary Windows 10 and 11 machines. Several are privilege-escalation bugs that turn a single phished login or normal user into full SYSTEM control of a device. A small business running standard Windows laptops is squarely in scope and is less likely to have the fast patching and monitoring that limit the damage.

What is the single most important thing to do right now?

Confirm every Windows machine has the April 2026 and May 21, 2026 updates installed, which close the three patched bugs (including the two being exploited). Then assume the open bugs exist and add layers that do not depend on one endpoint staying healthy: phishing-resistant MFA, 24/7 monitoring and EDR, least privilege, and a BitLocker PIN. Patch fast, then defend in depth.

What is the July 14, 2026 threat?

Nightmare-Eclipse has announced a larger disclosure event for July 14, 2026, warning the date will be significant regardless of earlier patches. Treat it as a likely batch of new proof-of-concept exploits. The defensive posture is the same either way: keep patching on a tight cadence, keep monitoring in place, and have an incident-response plan ready before the date.

Not sure every machine is patched and watched?

30 minutes with a DoD-cleared engineer. We will check that your Windows fleet has the April and May 2026 updates, confirm whether everyday users still have local admin, review your BitLocker and MFA configuration, and tell you plainly where the gaps are before July 14.

Book your free assessment

Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.
