Windows: Three Microsoft Defender Exploits Now in Active Use by Hackers
The three zero-day security flaws in Microsoft Defender recently disclosed by a disgruntled security researcher are now being exploited by cybercriminals, according to Huntress Labs. Here's what we know.
Three Exploits in Microsoft Defender
In recent weeks, two vulnerabilities discovered in Microsoft Defender have made headlines: BlueHammer and RedSun. They were disclosed by Nightmare-Eclipse, a security researcher dissatisfied with the treatment he received from Microsoft's security team. He also published another zero-day security flaw: UnDefend, also located in Microsoft Defender.
He published proof-of-concept exploitation code for these three vulnerabilities on GitHub, and it clearly did not go unnoticed by cybercriminals. In fact, Huntress Labs' SOC says it has observed these three exploits being used in cyberattacks.
According to them, attackers began exploiting the BlueHammer vulnerability on April 10, 2026. Then, starting on April 16, cybercriminals followed up by using the RedSun and UnDefend PoC exploits.
What Actions Were Taken?
Huntress' analysis highlights a workflow based on a manual approach, with the execution of specific commands rather than automated actions. The observed case resembles a targeted attack.
Among the commands executed by the attackers, there were commands suited for enumeration and network mapping:
whoami /priv
cmdkey /list
net group
"In the most obvious case, the activity included suspicious binaries placed in user-writable directories, manual keystroke-driven reconnaissance, a likely compromised FortiGate SSL VPN access point, and subsequent tunneling activity," Huntress explains in a report published a few days ago.
For now, the cybercriminals do not seem to be making much effort to hide their tracks, as they used executable names identical to those published by Nightmare-Eclipse. "The file names were also notable because they matched those in the public PoC repositories. Huntress detected binaries named FunnyApp.exe, RedSun.exe, undef.exe, as well as a renamed variant, z.exe," the report says.
The researchers also mention a file named agent.exe that appears to correspond to a Go-based tunneling tool, one that has already been seen in previous cyberattacks. For your part, it may be worth monitoring these file names in your logs, even though the last one is relatively generic.
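The indicators above (the PoC binary names, the two generic names, and the three reconnaissance commands) can be turned into a simple triage rule. The script below is an added example, not code from Huntress or the article; the pipe-separated "host|user|image|commandline" event format and the sample events are constructed for illustration, and the rule only flags the generic names z.exe and agent.exe when the binary sits in a user-writable path, as the report describes.

```python
import re
from collections import defaultdict

# Binary names quoted from the Huntress report; these are specific enough to flag on sight.
POC_NAMES = {"funnyapp.exe", "redsun.exe", "undef.exe"}
# Generic names from the report; flagged only when found in a user-writable directory.
GENERIC_NAMES = {"z.exe", "agent.exe"}
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop)|users\\public|temp)\\", re.I)
# Manual reconnaissance commands listed in the report, matched at the start of a command line.
RECON_CMDS = [
    re.compile(r"^whoami(\.exe)?\s+/priv\b", re.I),
    re.compile(r"^cmdkey(\.exe)?\s+/list\b", re.I),
    re.compile(r"^net1?(\.exe)?\s+group\b", re.I),
]

# Constructed sample events (not real telemetry): host|user|image path|command line
SAMPLE_EVENTS = """\
WS01|alice|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
WS01|alice|C:\\Users\\alice\\AppData\\Local\\Temp\\FunnyApp.exe|FunnyApp.exe
WS01|alice|C:\\Windows\\System32\\whoami.exe|whoami /priv
WS01|alice|C:\\Windows\\System32\\cmdkey.exe|cmdkey /list
WS01|alice|C:\\Windows\\System32\\net.exe|net group
WS01|alice|C:\\Users\\alice\\Downloads\\z.exe|z.exe
WS02|bob|C:\\Program Files\\Vendor\\agent.exe|agent.exe --service
"""


def triage(events: str) -> list:
    """Return (host, reason, detail) alerts for the indicators described in the report."""
    alerts = []
    recon_seen = defaultdict(set)  # (host, user) -> indices of distinct recon commands seen
    for line in events.splitlines():
        if not line.strip():
            continue
        host, user, image, cmdline = line.split("|", 3)
        name = image.rsplit("\\", 1)[-1].lower()
        if name in POC_NAMES:
            alerts.append((host, "poc-binary", image))
        elif name in GENERIC_NAMES and USER_WRITABLE.search(image):
            alerts.append((host, "generic-name-user-writable", image))
        for idx, pattern in enumerate(RECON_CMDS):
            if pattern.match(cmdline):
                recon_seen[(host, user)].add(idx)
    # All three recon commands from one user on one host: keystroke-driven recon, as in the report.
    for (host, user), seen in recon_seen.items():
        if len(seen) == len(RECON_CMDS):
            alerts.append((host, "manual-recon-sequence", user))
    return alerts
```

Running `triage(SAMPLE_EVENTS)` yields three alerts (the PoC binary, z.exe in Downloads, and the recon sequence by alice on WS01); the vendor-installed agent.exe under Program Files is not flagged.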
In terms of protection against these exploits, note that a security patch is available for the BlueHammer flaw (CVE-2026-33825). The fix was included in the April 2026 updates for the various Windows versions. The other two vulnerabilities are not patched at this time.
This trio is worth keeping an eye on.