Rewterz

Leaked Windows Defender Zero-Day Under Active Exploitation

Severity

High

Analysis Summary

The exploitation campaign centers on three Windows Defender privilege escalation tools, BlueHammer, RedSun, and UnDefend, publicly released by the researcher on GitHub in early April 2026. The initial exploit, tracked as CVE-2026-33825, leverages a time-of-check to time-of-use (TOCTOU) race condition combined with path confusion in Defender’s signature update mechanism. This flaw allows a low-privileged user to escalate privileges to SYSTEM level on fully patched Windows 10 and Windows 11 systems without requiring kernel-level exploitation or memory corruption. The attack specifically abuses Defender’s file remediation process, NTFS junctions, the Windows Cloud Files API, and opportunistic locks (oplocks), making it both reliable and stealthy.

Following the release of BlueHammer, two additional tools, RedSun and UnDefend, were introduced to expand the attack surface. RedSun enables similar privilege escalation across Windows 10, Windows 11, and Windows Server 2019, and remains effective even after the April Patch Tuesday updates, while UnDefend targets Defender’s update mechanism to gradually weaken its protection capabilities. These tools demonstrate a progression from a single exploit to a broader exploitation toolkit, increasing the risk to enterprise environments by enabling both privilege escalation and security control degradation.

The researcher confirms active in-the-wild exploitation of all three techniques against real enterprise targets. Attackers have been observed staging payloads in low-privilege directories such as user Pictures folders and nested Downloads subdirectories, using filenames identical to those in public PoC repositories, including FunnyApp.exe, RedSun.exe, and occasionally renamed variants like z.exe. Detection events show that BlueHammer executions were identified and quarantined by Defender as Exploit:Win32/DfndrPEBluHmrBZ, while RedSun intentionally drops an EICAR test file to manipulate Defender’s detection and remediation cycle. Additionally, the presence of Undef.exe with the “-agressive” argument, spawned via cmd.exe under Explorer.exe, indicates coordinated multi-stage execution.

The observed attack chains also include clear signs of hands-on-keyboard activity, with adversaries executing reconnaissance commands such as “whoami /priv,” “cmdkey /list,” and “net group” to enumerate privileges, stored credentials, and Active Directory group memberships. This behavior strongly suggests targeted intrusions by skilled operators rather than automated attacks. Although Microsoft has patched CVE-2026-33825 in the April 2026 updates, RedSun and UnDefend remain unpatched, leaving systems exposed. Organizations are advised to immediately apply available updates, monitor execution of unsigned binaries in user-writable paths, detect suspicious EICAR file usage, track privilege enumeration commands, and enforce strict least-privilege access controls to reduce exploitation risk.

Impact

  • Gain Access
  • Privilege Escalation

Indicators of Compromise

CVE

  • CVE-2026-33825

Remediation

  • Apply all April 2026 Windows security updates immediately to patch CVE-2026-33825 (BlueHammer) across all endpoints.
  • Continuously monitor and restrict execution of unsigned or unknown executables from user-writable directories such as Downloads and Pictures.
  • Implement application control policies (e.g., allowlisting) to block unauthorized binaries like FunnyApp.exe, RedSun.exe, z.exe, and Undef.exe.
  • Enable and tune endpoint detection and response (EDR) rules to alert on suspicious child processes spawned via cmd.exe or Explorer.exe.
  • Detect and investigate abnormal use of EICAR test files, especially when triggered by non-administrative users or unusual processes.
  • Monitor command-line activity for reconnaissance commands such as whoami /priv, cmdkey /list, and net group, and correlate them with suspicious process execution.
  • Enforce the principle of least privilege to prevent low-privileged users from gaining SYSTEM-level access.
  • Harden NTFS permissions and monitor for abuse of junction points, symbolic links, and oplocks associated with TOCTOU exploitation techniques.
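The monitoring recommendations above (PoC binaries launched from user-writable paths, Undef.exe with the “-agressive” argument spawned via cmd.exe, and clusters of privilege-enumeration commands) can be expressed as simple detection logic over process-creation telemetry. The following is an added example written for this advisory, not tooling from Rewterz or the researcher; the event field names (ts, host, user, image, cmdline, parent) and the sample events are constructed assumptions modelled on a Sysmon-style process-creation log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Binary names and argument reported in the advisory (public PoC names).
POC_NAMES = {"funnyapp.exe", "redsun.exe", "z.exe", "undef.exe"}
# User-writable staging paths named in the advisory (Downloads, Pictures).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|pictures)\\", re.I)
# Reconnaissance commands observed in the hands-on-keyboard activity.
RECON = {"whoami /priv", "cmdkey /list", "net group"}

def detect(events, window=timedelta(minutes=10)):
    """Return (rule, event) pairs. Each event is a dict with the assumed
    process-creation fields: ts, host, user, image, cmdline, parent."""
    hits = []
    recon_seen = defaultdict(list)  # (host, user) -> [(ts, command)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        image = ev["image"].lower()
        name = image.rsplit("\\", 1)[-1]
        cmd = ev["cmdline"].lower()
        parent = ev["parent"].lower().rsplit("\\", 1)[-1]
        # Rule 1: known PoC filename executed from Downloads/Pictures.
        if name in POC_NAMES and USER_WRITABLE.search(image):
            hits.append(("poc_binary_in_user_path", ev))
        # Rule 2: UnDefend launched with -agressive by cmd.exe.
        if name == "undef.exe" and "-agressive" in cmd and parent == "cmd.exe":
            hits.append(("undefend_aggressive_via_cmd", ev))
        # Rule 3: two distinct recon commands by one user within the window.
        for r in RECON:
            if r in cmd:
                key = (ev["host"], ev["user"])
                recon_seen[key].append((ev["ts"], r))
                recent = {c for t, c in recon_seen[key] if ev["ts"] - t <= window}
                if len(recent) == 2:  # fire once, when the cluster forms
                    hits.append(("privilege_recon_cluster", ev))
    return hits

def sample_events():
    """Constructed process-creation events for demonstration (not real telemetry)."""
    t0 = datetime(2026, 4, 20, 9, 0, 0)
    mk = lambda s, image, cmdline, parent: {
        "ts": t0 + timedelta(seconds=s), "host": "WS01", "user": "CORP\\jdoe",
        "image": image, "cmdline": cmdline, "parent": parent}
    return [
        mk(0, r"C:\Users\jdoe\Pictures\FunnyApp.exe", "FunnyApp.exe", r"C:\Windows\explorer.exe"),
        mk(30, r"C:\Windows\System32\cmd.exe", "cmd.exe", r"C:\Windows\explorer.exe"),
        mk(35, r"C:\Users\jdoe\Downloads\new\Undef.exe", "Undef.exe -agressive", r"C:\Windows\System32\cmd.exe"),
        mk(60, r"C:\Windows\System32\whoami.exe", "whoami /priv", r"C:\Windows\System32\cmd.exe"),
        mk(70, r"C:\Windows\System32\cmdkey.exe", "cmdkey /list", r"C:\Windows\System32\cmd.exe"),
        mk(80, r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain', r"C:\Windows\System32\cmd.exe"),
        mk(3600, r"C:\Program Files\Git\git.exe", "git status", r"C:\Windows\System32\cmd.exe"),
    ]
```

Rule 3 deliberately fires only once per cluster so a burst of enumeration produces a single alert rather than one per command; tune the window and the command list to your own environment.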