BlueHammer and the disgruntled-researcher zero-day class
Author: Thomas Malinowski
Published: 2026-05-17
Status: OSINT synthesis, primary sources cited inline
Tags: Windows, Defender, MsMpEng, TOCTOU, VSS, SAM, CVE-2026-32201, disclosure-ethics
Bottom line up front
On 3 April 2026, a researcher publishing under the aliases Chaotic Eclipse and Nightmare-Eclipse dropped a working proof-of-concept on GitHub for an unpatched Windows local privilege escalation now tracked as BlueHammer (later assigned CVE-2026-32201, CVSS 6.5, patched by Microsoft in the April 2026 Patch Tuesday). The chain abuses the Windows Defender service (MsMpEng / WinDefend) to read the Security Account Manager hive from a Volume Shadow Copy that Defender itself creates and briefly exposes without exclusive control.
That, on its own, would be a routine LPE. What makes BlueHammer worth a brief instead of a one-line catalog entry is what came after. After Microsoft patched BlueHammer, the same researcher released two more Defender zero-days on 13 May 2026 — RedSun (privilege escalation) and UnDefend (denial of service) — and followed up the same day with two further drops, YellowKey and GreenPlasma. All four remain unpatched at the time of writing.
The actor here is not a state, not a criminal crew, not a hacktivist. It is one frustrated person with an alleged grievance against MSRC. That is a category this site does not currently track — and arguably should not — but the operational impact on defenders is identical to a state-aligned 0day drop, and the pattern is a small but growing class worth naming.
What the drops actually are
| Name | Date dropped | Affected component | Impact | CVE / patch status |
|---|---|---|---|---|
| BlueHammer | 2026-04-03 | Windows Defender (MsMpEng) | LPE to NT AUTHORITY\SYSTEM via SAM hive theft | CVE-2026-32201, patched April 2026 |
| RedSun | 2026-05-13 | Windows Defender | Privilege escalation | Unpatched |
| UnDefend | 2026-05-13 | Windows Defender | Denial of service against the AV engine | Unpatched |
| YellowKey | 2026-05-13 | Windows Defender (per The Register) | Disclosed without technical writeup | Unpatched |
| GreenPlasma | 2026-05-13 | Windows Defender (per The Register) | Disclosed without technical writeup | Unpatched |
Per The Register, 13 May 2026, the researcher wrote: "someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways." And: "I never wanted to reopen a blog and a new GitHub account to drop code."
The BlueHammer chain, end to end
The most coherent public technical writeup is Cyderes' Howler Cell analysis. It describes the chain as:
- Bait Defender into a signature-update flow. The exploit triggers the WinDefend service's update path, in which the service routinely creates a Volume Shadow Copy of the system volume to operate against a consistent point-in-time snapshot.
- Win a TOCTOU race against Defender's snapshot control. Per Cyderes: "Defender creates and exposes a VSS snapshot before it has finished the operation and before it holds exclusive control over the snapshot." The shadow copy is readable from a low-privilege context for a brief window.
- Path-confuse via NTFS junctions and a Cloud Files sync root. The exploit redirects the Defender-touched update path into an attacker-controlled directory and registers the current directory as a Cloud Files sync root, dropping a randomly-named .lockplaceholder that Defender discovers during enumeration. This is what flips a low-priv VSS read primitive into a usable attacker-controlled file path.
- Steal the SAM hive from the shadow copy. The attacker reads \Device\HarddiskVolumeShadowCopyN\Windows\System32\config\SAM directly, lifting the local NTLM password hashes.
- Pivot to local Administrator. Call SamiChangePasswordUser on the Administrator account, supplying the lifted NTLM hash, to force-reset the password to attacker-known plaintext.
- Authenticate, duplicate token, raise integrity to SYSTEM. LogonUserEx as the local Administrator, duplicate the token, set System integrity, then CreateService to spawn cmd.exe running as NT AUTHORITY\SYSTEM.
The chain is novel in its abuse of Defender's own privileged operations as the primitive — not a kernel bug, not a userland heap corruption, just MsMpEng leaving a SAM-bearing snapshot briefly readable. That generalises: any service running as SYSTEM that touches VSS without locking the resulting snapshot is a candidate for the same chain.
What defenders should actually do
The patch is the patch. For BlueHammer specifically, install April 2026 cumulative updates and confirm MpSigStub.exe / MsMpEng.exe are at the patched build. For RedSun, UnDefend, YellowKey, GreenPlasma — unpatched as of this writing — the realistic posture is detection, not prevention.
Cyderes' detection guidance, restated and tightened:
- Process reads of \Device\HarddiskVolumeShadowCopy*\…\config\SAM from anything other than lsass.exe, services.exe, or a signed Microsoft binary. This is the heart of BlueHammer-class exploitation regardless of the bug chain. The Sigma rule shipped with this brief — detections/sigma/t1003.002_sam_via_shadow_copy.yml — covers exactly this.
- CfRegisterSyncRoot calls from non-trusted processes. The Cloud Files sync-root registration is a load-bearing step in the BlueHammer path-confusion stage and an unusual call for most enterprise endpoints. Telemetry-source-dependent; the ETW provider Microsoft-Windows-CloudFilters is the right place to look.
- Security event 4724 (password reset by another user) targeting the local Administrator SID where the subject account is not a member of an admin group. This catches the SamiChangePasswordUser pivot regardless of which 0day fed into it.
- A newly-created Windows service spawning cmd.exe or powershell.exe within seconds of CreateService from a non-admin parent. The post-escalation handoff.
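To make the restated guidance concrete, here is an added example (it is not the Sigma rule shipped with this brief, nor Cyderes' code) that implements three of the four detections above as plain Python rules and runs them over a handful of constructed telemetry records. The record schema (event, ts, image, path, parent, target_sid) and the enrichment flags (signer, subject_is_admin, creator_is_admin) are assumptions standing in for whatever a given EDR or SIEM actually emits; the CfRegisterSyncRoot rule is omitted because it depends entirely on the ETW source.

```python
"""Added example, not from the original brief or from Cyderes: three of the
BlueHammer-class detections restated above, run over constructed records.
Field names and enrichment flags are an assumed normalised schema."""
import fnmatch
import re
from datetime import datetime, timedelta

# Rule 1: SAM hive read from a VSS device path by an untrusted image.
TRUSTED_SAM_READERS = {"lsass.exe", "services.exe"}
SAM_SHADOW_GLOB = r"\device\harddiskvolumeshadowcopy*\*\config\sam"

# Rule 2: Security 4724 against the built-in Administrator (RID 500).
ADMIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$")

# Rule 3: shell spawned under services.exe shortly after a service creation.
SERVICE_SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
HANDOFF_WINDOW = timedelta(seconds=10)


def basename(path):
    """Last path component, lower-cased, for image/parent comparisons."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sam_read_from_shadow_copy(ev):
    """Rule 1: flag reads of \\Device\\HarddiskVolumeShadowCopy*\\...\\config\\SAM
    unless the reader is lsass.exe, services.exe or a Microsoft-signed binary."""
    if ev["event"] != "file_read":
        return None
    if not fnmatch.fnmatchcase(ev["path"].lower(), SAM_SHADOW_GLOB):
        return None
    # 'signer' is an assumed enrichment field carrying the Authenticode signer.
    if basename(ev["image"]) in TRUSTED_SAM_READERS or ev.get("signer") == "Microsoft Windows":
        return None
    return f"T1003.002: SAM read via shadow copy by {ev['image']} (pid {ev['pid']})"


def admin_reset_by_non_admin(ev):
    """Rule 2: 4724 where the target is RID 500 and the subject is not an admin
    ('subject_is_admin' is assumed to be enriched from group membership at ingest)."""
    if ev["event"] != "security" or ev.get("event_id") != 4724:
        return None
    if not ADMIN_SID_RE.match(ev["target_sid"]) or ev.get("subject_is_admin"):
        return None
    return f"4724: built-in Administrator reset by non-admin {ev['subject_user']}"


def service_shell_handoff(ev, ts, recent_creates):
    """Rule 3: cmd.exe/powershell.exe under services.exe within HANDOFF_WINDOW
    of a service creation whose creator was not an admin."""
    if ev["event"] != "process_create":
        return None
    if basename(ev["image"]) not in SERVICE_SHELL_CHILDREN or basename(ev["parent"]) != "services.exe":
        return None
    for created_at, service in recent_creates:
        delta = ts - created_at
        if timedelta(0) <= delta <= HANDOFF_WINDOW:
            return f"service {service} spawned {basename(ev['image'])} {int(delta.total_seconds())}s after CreateService"
    return None


def scan(events):
    """Run all rules over time-ordered events and return the alert strings."""
    alerts = []
    recent_creates = []  # (timestamp, service name) for services created by non-admins
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        # 'creator_is_admin' is an assumed enrichment on the service-create record.
        if ev["event"] == "service_create" and not ev.get("creator_is_admin"):
            recent_creates.append((ts, ev["service"]))
        for rule in (sam_read_from_shadow_copy, admin_reset_by_non_admin):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
        hit = service_shell_handoff(ev, ts, recent_creates)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry: three benign records and three that should fire.
SAMPLE_EVENTS = [
    {"event": "file_read", "ts": "2026-05-13T09:00:01", "pid": 712,
     "image": r"C:\Windows\System32\lsass.exe", "signer": "Microsoft Windows",
     "path": r"\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM"},
    {"event": "file_read", "ts": "2026-05-13T09:00:02", "pid": 5120,
     "image": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "path": r"\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM"},
    {"event": "security", "ts": "2026-05-13T09:00:05", "event_id": 4724,
     "subject_user": "CORP\\bob", "subject_is_admin": False,
     "target_sid": "S-1-5-21-1111111111-2222222222-3333333333-500"},
    {"event": "security", "ts": "2026-05-13T09:00:06", "event_id": 4724,
     "subject_user": "CORP\\helpdesk", "subject_is_admin": True,
     "target_sid": "S-1-5-21-1111111111-2222222222-3333333333-500"},
    {"event": "service_create", "ts": "2026-05-13T09:00:08",
     "service": "WinUpdSvc", "creator_is_admin": False},
    {"event": "process_create", "ts": "2026-05-13T09:00:10", "pid": 6004,
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The allowlist in rule 1 is deliberately short: the brief's point is that the shadow-copy SAM read is the invariant across the whole class, so the rule keys on the device path and the reader rather than on any BlueHammer-specific artefact. Rule 3 is the only stateful one; it only needs a short ring of recent service creations because the handoff the brief describes happens within seconds.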
Why this isn't an actor in the catalog
Quick note for anyone wondering why "Chaotic Eclipse" is not in /actors. The site's curation rule favors named clusters with multiple-vendor public attribution and stable published reporting (see /methodology). A single pseudonymous individual self-publishing zero-days does not fit any of the actor kinds — state-sponsored, ransomware, cybercrime, or hacktivist — and elevating individuals to actor-page status would erode what makes the catalog useful: that an actor page summarises a body of multi-source reporting, not a single Twitter persona.
The TTP is what matters. The detection rule is the deliverable.
Sources
- BleepingComputer, 6 Apr 2026: Disgruntled researcher leaks "BlueHammer" Windows zero-day exploit
- CyberInsider, 7 Apr 2026: Disgruntled researcher drops "BlueHammer" Windows zero-day LPE exploit
- RH-ISAC, 8 Apr 2026: BlueHammer Windows Local Privilege Escalation Zero-Day Publicly Released
- Security Affairs, Apr 2026: Experts published unpatched Windows zero-day BlueHammer
- Cyderes Howler Cell, Apr 2026: BlueHammer: Inside the Windows Zero-Day
- The Register, 13 May 2026: Disgruntled researcher releases two more Microsoft zero-days
- The Hacker News, Apr 2026: Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched