
Overview
Three zero-day exploits targeting Microsoft Defender — BlueHammer, RedSun, and UnDefend — have been confirmed exploited in the wild by threat actors. All three were publicly released on GitHub by a researcher operating under the alias Chaotic Eclipse (also known as Nightmare Eclipse), following a disputed disclosure attempt with the Microsoft Security Response Center. Huntress Labs researchers confirmed active exploitation of all three techniques, with BlueHammer observed being used since April 10 and RedSun and UnDefend observed in the wild on April 16.
BlueHammer and RedSun are local privilege escalation (LPE) flaws in Microsoft Defender, while UnDefend can be weaponized to trigger a denial-of-service condition and effectively block Defender definition updates.
The Three Exploits — Technical Breakdown
BlueHammer — CVE-2026-33825 (PATCHED)
BlueHammer uses the Windows Update Agent COM interface as its entry point, triggered by a pending Defender signature update. It steers execution via an oplock on a VSS snapshot mount that stalls Defender’s SYSTEM thread — achieving local privilege escalation to SYSTEM level without requiring kernel exploitation, driver abuse, or administrator interaction.
Microsoft patched BlueHammer on April 14, 2026, assigning it CVE-2026-33825. The researchers credited with the official report — Zen Dodd and Yuanpei Xu — are distinct from the anonymous Chaotic Eclipse persona.
RedSun — UNPATCHED
RedSun exploits how Microsoft Defender handles certain files linked to cloud storage providers such as OneDrive or Dropbox. It uses a separate exploitation method not mitigated by the BlueHammer patch, achieving SYSTEM privileges through this alternate path. No patch is currently available.
The direct write target of RedSun is C:\Windows\System32\TieringEngineService.exe — an unexpected SHA-256 hash change on this binary is a confirmed indicator of compromise.
UnDefend — UNPATCHED
UnDefend allows a standard user to block Microsoft Defender from receiving signature updates or disable it entirely — the aggressive mode triggers when Microsoft pushes a major Defender platform update affecting MsMpEng.exe and related binaries, causing Defender to stop responding entirely.
Affected Platforms
Windows 10, Windows 11, and Windows Server 2019 and later. The exploits are reported to work with approximately 100% reliability, even against systems carrying the latest April 2026 updates.
Attack Chain Observed in the Wild
The attacker dropped exploit files into the user’s Pictures and Downloads folders, renaming them to avoid suspicion. Prior to launching the exploits, they ran commands to map user privileges, discover stored credentials, and enumerate the Active Directory structure. The initial access vector was a compromised SSLVPN user account, showing evidence of hands-on-keyboard threat actor activity.
Detection Guidance
Hunt for binaries named UnDefend.exe, FunnyApp.exe, or RedSun.exe staged in low-privilege user folders such as Downloads or Pictures. Alert on instances where the Windows Defender service (MsMpEng.exe) stops responding or fails to load its engine, particularly during scheduled platform updates. Baseline the SHA-256 hash of C:\Windows\System32\TieringEngineService.exe on all endpoints — any modification should trigger an immediate alert.
Patch Status
Exploit      CVE              Impact                  Status
BlueHammer   CVE-2026-33825   LPE → SYSTEM            ✅ Patched — April 14, 2026
RedSun       Pending          LPE → SYSTEM            ❌ Unpatched
UnDefend     Pending          DoS / Defense Evasion   ❌ Unpatched
With the next Patch Tuesday many weeks away, an out-of-band emergency patch from Microsoft appears to be the most likely path forward for RedSun and UnDefend.
Immediate Recommended Actions
- Apply the April 14, 2026 cumulative update immediately to patch BlueHammer (CVE-2026-33825)
- Audit SSLVPN credentials for compromise — this was the initial access vector in confirmed attacks
- Enable behavioral detections for SYSTEM thread stalling and unexpected Defender service termination
- Hash-baseline TieringEngineService.exe across all Windows endpoints now
- Hunt for renamed exploit binaries staged in user-writable directories
- Isolate any system where MsMpEng.exe has stopped responding unexpectedly
- Block IOCs via the VirusTotal collection: bdd3b2c3954988e3456d7788080bc42d595ed73f598edeca5568e95fbf7fdaef
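The detection guidance and the hash-baseline action above, as an added PowerShell hunting script (this is example code written for this page, not a tool from Huntress or Microsoft). It assumes it is run elevated on each endpoint and that the baseline hash may be stored under a chosen path ($BaselinePath is an assumed location); the binary names and the write target come from the advisory.

```powershell
# Added example, not from the advisory. Baselines the RedSun write target,
# hunts for the named staged binaries, and checks Defender engine state.
param(
    # Assumed location for the known-good hash; adjust to your own store.
    [string]$BaselinePath = "$env:ProgramData\DefenderHunt\TieringEngineService.sha256"
)

$target   = 'C:\Windows\System32\TieringEngineService.exe'   # RedSun write target (from the advisory)
$names    = @('UnDefend.exe', 'FunnyApp.exe', 'RedSun.exe')  # staged binary names (from the advisory)
$findings = New-Object System.Collections.Generic.List[string]

# 1. SHA-256 baseline of TieringEngineService.exe: record on first run, alert on any later change.
$current = (Get-FileHash -Path $target -Algorithm SHA256).Hash
if (-not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Set-Content -Path $BaselinePath -Value $current
    Write-Host "Baseline recorded for $target : $current"
} else {
    $baseline = (Get-Content -Path $BaselinePath -Raw).Trim()
    if ($baseline -ne $current) {
        $findings.Add("TieringEngineService.exe hash changed: baseline $baseline, current $current")
    }
}

# 2. Named exploit binaries staged in low-privilege user folders (Downloads, Pictures).
foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory) {
    foreach ($sub in 'Downloads', 'Pictures') {
        $dir = Join-Path $userDir.FullName $sub
        if (Test-Path $dir) {
            Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
                Where-Object { $names -contains $_.Name } |
                ForEach-Object { $findings.Add("Staged exploit binary: $($_.FullName)") }
        }
    }
}

# 3. Defender engine state: a stopped WinDefend service or missing MsMpEng.exe
#    matches the UnDefend denial-of-service symptom described above.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running') {
    $findings.Add("WinDefend service is not running (state: $($svc.Status))")
}
if (-not (Get-Process -Name MsMpEng -ErrorAction SilentlyContinue)) {
    $findings.Add('MsMpEng.exe process is not running')
}

if ($findings.Count -eq 0) { Write-Host 'No indicators found.'; exit 0 }
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Because the observed attacker renamed the exploit files before staging them, the filename match is only a first pass; pair it with the file hashes from the Huntress VirusTotal collection referenced below.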
IOC Reference
Huntress Labs VirusTotal IOC Collection: https://www.virustotal.com/gui/collection/bdd3b2c3954988e3456d7788080bc42d595ed73f598edeca5568e95fbf7fdaef/iocs