'Nightmare-Eclipse' Threat Actor Leaks Six Windows Zero-Days in Retaliation Against Microsoft

CRITICAL
May 20, 2026
5m read
Vulnerability, Threat Actor, Malware

Related Entities

Threat Actors

Nightmare-Eclipse

Products & Tech

Microsoft Windows, Windows 11, Windows Defender

Other

BlueHammer, RedSun, UnDefend, MiniPlasma

CVE Identifiers

CVE-2026-33825
HIGH

Full Report

Executive Summary

A threat actor known as Nightmare-Eclipse has been actively releasing a series of six zero-day exploits targeting Microsoft Windows. This campaign, described by researchers as a retaliatory act against Microsoft, poses a severe threat to users globally. The exploits include privilege escalation vulnerabilities in components like Windows Defender and the Windows Cloud Files Mini Filter Driver. One patched vulnerability, CVE-2026-33825 ("BlueHammer"), and several unpatched ones, including "MiniPlasma," have been demonstrated to grant SYSTEM-level access on fully patched Windows 11 systems. This deliberate leak of powerful exploit code dramatically lowers the barrier for other malicious actors to compromise Windows systems, increasing the urgency for users to apply all available patches and for Microsoft to address the unpatched flaws.

Vulnerability Details

The campaign involves a collection of six exploits, some patched and some reportedly still zero-days:

  • BlueHammer (CVE-2026-33825): A patched privilege escalation vulnerability in Windows Defender. It allows an attacker who has already gained standard user access to escalate their privileges to SYSTEM, giving them full control over the machine.
  • RedSun: An unpatched vulnerability that also reportedly allows for privilege escalation to SYSTEM.
  • UnDefend: A tool designed specifically to disrupt or disable Microsoft Defender, likely to allow other malware to run without being detected.
  • MiniPlasma: A local privilege escalation (LPE) vulnerability targeting the Windows Cloud Files Mini Filter Driver (cldflt.sys). This flaw was supposedly fixed in 2020, but the actor's proof-of-concept allegedly works on fully patched Windows 11 systems as of May 2026, indicating a failed patch or a new variant of the bug.
  • YellowKey & GreenPlasma: Other exploits released by the actor, details of which are less clear but are part of the same campaign.

Affected Systems

  • Microsoft Windows: All modern versions are potentially at risk.
  • Windows 11: Specifically confirmed to be vulnerable to the 'MiniPlasma' exploit even when fully patched.
  • Windows Defender: Directly targeted by the 'BlueHammer' vulnerability and the 'UnDefend' tool.

Exploitation Status

The threat actor 'Nightmare-Eclipse' is actively releasing these exploits to the public. While the actor's motivation seems to be notoriety and retaliation, the public release of functional exploit code means that other, more financially motivated threat actors (such as ransomware groups) can quickly weaponize these tools and incorporate them into their own attacks. The risk of in-the-wild exploitation by third parties is therefore extremely high.

Impact Assessment

The release of multiple privilege escalation zero-days is a critical security event. Privilege escalation is a key stage in most successful cyberattacks: it lets an attacker who gained an initial foothold with low privileges (e.g., through a phishing email) obtain SYSTEM, the highest-privileged local account on Windows. With SYSTEM access, an attacker can:

  • Deploy ransomware across the entire system and network.
  • Steal all data, including sensitive credentials from memory.
  • Disable security software.
  • Establish persistent access that survives reboots.
  • Move laterally to other machines on the network.

This leak effectively provides a 'master key' for a crucial part of the attack chain to any attacker who can download it.

Cyber Observables — Hunting Hints

The following patterns may help identify systems where these exploits are being used:

  • Suspicious child processes of MsMpEng.exe (Windows Defender): The Defender service should not be spawning unusual processes like cmd.exe or powershell.exe.
  • Anomalous activity related to cldflt.sys: Monitor for crashes or unexpected behavior from the Cloud Files Mini Filter Driver.
  • Disabling of Security Services: Any logs indicating that Windows Defender services (WinDefend) have been stopped or tampered with should be investigated immediately.
  • Process Injection: Monitor for processes injecting code into high-privilege processes like lsass.exe.

Detection Methods

  • EDR/XDR Solutions: Modern EDR platforms are designed to detect suspicious behaviors indicative of privilege escalation, such as a low-privilege process attempting to write to a system directory or modify the registry. Enable all behavioral detection rules.
  • Windows Event Logs: Monitor Windows Security Event Log ID 4688 (Process Creation) for suspicious parent-child process relationships. Monitor Event ID 4672 (Special Privileges Assigned to New Logon) for unexpected privilege assignments.
  • Vulnerability Scanning: While scanners won't detect the zero-days, they can confirm that the patch for CVE-2026-33825 has been applied.
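The MsMpEng.exe parent/child hunting hint and the Event ID 4688 / 4672 checks above, as an added example that is not part of the original article. It models Security log events as dicts keyed by the log's own field names; the sample records and the allowlist of accounts expected to receive special privileges are constructed assumptions.

```python
# Added example (not from the article): hunt for the Defender-related
# patterns above in Windows Security events. Events are modelled as dicts
# keyed by the Security log's field names; the sample records are constructed.
from pathlib import PureWindowsPath
from typing import Optional

# Hunting hint: the Defender service (MsMpEng.exe) should not spawn
# interactive shells such as cmd.exe or powershell.exe.
SENSITIVE_PARENTS = {"msmpeng.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}

# Accounts expected to receive special privileges at logon (Event ID 4672).
# Assumption: a real deployment derives this list from its own baseline.
EXPECTED_PRIVILEGED = {"system", "administrator"}


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def check_event(event: dict) -> Optional[str]:
    """Return a finding for a suspicious 4688 or 4672 event, else None."""
    eid = event.get("EventID")
    if eid == 4688:
        parent = basename(event.get("ParentProcessName", ""))
        child = basename(event.get("NewProcessName", ""))
        if parent in SENSITIVE_PARENTS and child in SHELL_CHILDREN:
            return f"4688: {parent} spawned {child} (PID {event.get('NewProcessId')})"
    elif eid == 4672:
        user = event.get("SubjectUserName", "").lower()
        if user not in EXPECTED_PRIVILEGED:
            return f"4672: special privileges assigned to unexpected account {user}"
    return None


def hunt(events: list) -> list:
    """Run every event through check_event and keep only the findings."""
    return [f for f in (check_event(e) for e in events) if f]


# Constructed sample events: one benign and one suspicious of each kind.
SAMPLE_EVENTS = [
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "NewProcessId": "0x1a4"},
    {"EventID": 4688, "ParentProcessName": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "NewProcessId": "0x2b8"},
    {"EventID": 4672, "SubjectUserName": "SYSTEM"},
    {"EventID": 4672, "SubjectUserName": "jdoe"},
]
```

Feeding real events is a matter of mapping the Security log's XML or EVTX fields onto the same dict keys; the checks themselves do not change.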

Remediation Steps

  1. Patch Immediately: Apply the April 2026 Patch Tuesday update from Microsoft to mitigate the CVE-2026-33825 (BlueHammer) vulnerability. This is the single most important immediate action.
  2. Monitor for Updates: Keep a close watch on advisories from Microsoft for patches for the other unpatched vulnerabilities like 'RedSun' and 'MiniPlasma'.
  3. Harden Endpoints: Implement application control policies (like Windows Defender Application Control) to restrict the execution of unauthorized code. This can prevent the initial malware that would use these exploits from running in the first place.
  4. Least Privilege Access: Ensure users do not run with administrative privileges for daily tasks. This forces an attacker to use a privilege escalation exploit, which provides an opportunity for detection.

Timeline of Events

May 20, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Apply all available security updates from Microsoft immediately, especially the patch for CVE-2026-33825.
  • Use application control and behavioral blocking to prevent the execution of the initial malware that would leverage these exploits.
  • Ensure endpoint security solutions are enabled and configured to use behavioral detection to identify exploit-like activity.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Zero-Day, Vulnerability, Windows, Microsoft, Privilege Escalation, Nightmare-Eclipse
