On April 16, 2026, the exploit developer operating under the alias Nightmare-Eclipse, also known as Chaotic Eclipse, dropped a second fully functional Windows local privilege escalation exploit on GitHub. The same developer published BlueHammer thirteen days earlier.
No coordinated disclosure. No CVE. No patch. Just working exploit code.
The new exploit is named RedSun. Howler Cell investigated and confirmed it achieves local privilege escalation from a standard user account to SYSTEM on Windows 10, Windows 11, and Windows Server 2019 and later. Like BlueHammer, RedSun abuses Microsoft Defender running with SYSTEM privileges and chains legitimate Windows features, including Volume Shadow Copy, batch oplocks, Cloud Files API placeholders, and NTFS junctions, to exploit a race condition. The difference is what each exploit does once it wins the race.
BlueHammer turned the race into a privileged file read and used it to access the SAM hive. RedSun turns the race into a privileged file write and uses it to drop an attacker-controlled binary into C:\Windows\System32. From there, Windows launches it as SYSTEM.
This research is about more than RedSun as a standalone exploit. Nightmare-Eclipse has now published three tools in eighteen days, all targeting the same attack surface:
BlueHammer escalates privileges via a privileged file read.
RedSun escalates privileges via a privileged file write.
UnDefend silently blinds Defender to anything running afterward.
Chained together, they form a complete offensive toolkit: escalate to SYSTEM, execute arbitrary code, and prevent Defender from detecting any of it. The kill chain is functional today, with no patch available for RedSun or UnDefend. All three tools are confirmed active in the wild.
Figure 1: Nightmare-Eclipse GitHub profile showing all three public tools: BlueHammer, RedSun, and UnDefend.
Nightmare-Eclipse joined GitHub on March 27, 2026, and has published three tools in under three weeks. All three target Microsoft Defender directly.
The developer's own notes on UnDefend are direct: paired with BlueHammer or RedSun, a machine has no administrative privilege barriers and Defender cannot respond. That is not a research observation. It is a documented weaponization chain.
The pace and technical depth of these releases indicate a developer who has invested significant time mapping Defender's internal architecture. The release of three coordinated tools targeting the same attack surface over eighteen days is a meaningful signal. Additional releases targeting this same primitive set should be treated as probable.
RedSun is a race condition rooted in how Microsoft Defender's real-time scanning path interacts with Volume Shadow Copy, Cloud Files callbacks, opportunistic locks, and NTFS mount points. Each component behaves exactly as designed. The vulnerability only materializes when they are chained together in the right sequence.
The core mechanic: Defender runs with SYSTEM privileges. When it scans a file and that file triggers remediation activity, Defender performs file operations under that privilege level. RedSun intercepts one of those operations, specifically a file write, and redirects it into a protected directory the attacker could never reach directly.
Four Windows features make this possible: Volume Shadow Copy snapshots, batch opportunistic locks, Cloud Files API placeholders, and NTFS mount points (junctions).
Once the attacker's binary lands in System32, the Storage Tiers Management COM object handles the rest. It launches TieringEngineService.exe as SYSTEM by design. Windows then executes the attacker's code with full SYSTEM privileges.
RedSun does not operate in isolation. Nightmare-Eclipse has built a layered toolkit in which each tool addresses a different phase of an attack. Understanding RedSun requires understanding where it sits in that chain.
The three tools cover distinct attack phases.
BlueHammer handles privilege escalation via credential access: it reads the SAM hive, dumps NTLM hashes, and uses pass-the-hash to reach SYSTEM.
RedSun handles privilege escalation via binary execution: it writes directly into System32 and lets Windows launch the payload as SYSTEM with no credential access required.
UnDefend handles defense evasion: it blocks Defender signature updates in passive mode, fully disables Defender in aggressive mode, and lies to the EDR console about its own health status.
Either escalation path, BlueHammer or RedSun, can be combined with UnDefend. Once SYSTEM is achieved and Defender is neutralized, the attacker’s options are unrestricted. The diagram below maps a realistic kill chain showing how initial access, the RedSun exploit, and post-exploitation outcomes connect. The initial access vector and post-exploitation outcomes are illustrative: the kill chain is not ransomware-specific. The same SYSTEM shell can deliver any payload, establish persistence, move laterally, or exfiltrate data. The technique is payload-agnostic.
Figure 2: RedSun full attack chain. Initial access and post-exploitation phases are illustrative scenarios. The exploit chain itself (Phases 1 and 2) is confirmed. Any payload or outcome is possible once SYSTEM is achieved.
Both exploits originate from the same developer and share the same foundational primitives: EICAR-triggered Defender activity, VSS snapshot abuse, batch oplocks for timing control, Cloud Files placeholders, and NTFS junction redirection. The divergence is in what each exploit gains from winning the race.
BlueHammer
Abuses Defender's signature update path (RPC via ServerMpUpdateEngineSignature) to redirect a SYSTEM-privileged file read toward the SAM hive on a VSS snapshot.
Leaks NTLM hashes, takes over a local admin account via pass-the-hash, and escalates to SYSTEM.
No file is written to disk in a protected location.
Flow: Arbitrary privileged read → dump SAM and credentials → elevate to SYSTEM
Status: CVE-2026-33825 assigned. Patched in April 2026 Patch Tuesday.
RedSun
Abuses Defender's real-time scan remediation path to redirect a SYSTEM-privileged file write into C:\Windows\System32.
Replaces TieringEngineService.exe with an attacker-controlled binary, then triggers Storage Tiers Management via COM activation to execute it as SYSTEM.
No credentials are stolen. The escalation is direct: binary hijack, then execution.
No internet connection required.
Flow: Arbitrary privileged write → drop EXE in System32 → execute as SYSTEM
Status: No CVE assigned. No patch available. Active in the wild.
The exploit operates in two stages. Phase 1 runs as a standard user and focuses on redirecting a SYSTEM-privileged file write into a protected directory. Phase 2 executes after the attacker's binary has landed in System32.
The exploit creates a temporary working directory under %TEMP% and drops a file named TieringEngineService.exe containing the EICAR antivirus test string. The string is stored reversed in the binary and flipped at runtime, keeping it from standing out in a quick code scan.
The file is opened with FILE_EXECUTE access. That is sufficient to prompt Microsoft Defender to inspect it.
While Defender scans, a second thread watches the \Device object directory for the Volume Shadow Copy snapshot that Defender creates as part of its remediation workflow. Once that snapshot appears, the thread opens the target file through the shadow copy path and places a batch oplock on it. The oplock pauses access at a precise moment and opens a short timing window.
Inside that window, the original file is deleted. The exploit registers the temporary directory as a Cloud Files sync root and creates a placeholder file with the same name. The placeholder keeps the filename valid even though the original file is gone.
The exploit then renames the working directory, creates a new directory with the same name, and converts it into an NTFS mount point targeting C:\Windows\System32. From this point forward, any write sent through the original temporary path is silently redirected into System32.
The exploit loops NtCreateFile calls with GENERIC_WRITE and FILE_SUPERSEDE against TieringEngineService.exe until one succeeds during the race window. On a successful handle, it copies its own executable into:
C:\Windows\System32\TieringEngineService.exe
With the file in place, the exploit activates the Storage Tiers Management COM object using CoCreateInstance and CLSID {50d185b9-fff3-4656-92c7-e4018da4361d}. That COM object's normal behavior is to launch TieringEngineService.exe from System32 as SYSTEM. Since the exploit has replaced that binary, Windows launches the attacker's code instead.
On its second execution, the binary checks whether it is running as LOCAL_SYSTEM. If confirmed, it connects to the named pipe \\.\pipe\REDSUN created during Phase 1. The exploit uses the pipe to recover the original user's session ID, duplicates the SYSTEM token into that session, and launches conhost.exe on the user's desktop as a visible confirmation that SYSTEM-level code is running in the interactive session.
The exploit never touches credentials. It reaches SYSTEM entirely through a file write and a COM service invocation.
BlueHammer was patched in April 2026 Patch Tuesday and assigned CVE-2026-33825. Apply that update immediately if not already deployed. RedSun and UnDefend have no available patch. Behavioral detection and attack surface hardening are the primary controls.
Because the vulnerability lives in how Windows components interact rather than in any particular file, static signature detection alone is insufficient. An attacker can recompile from modified source and bypass sample-based detection. The behaviors below remain consistent regardless of implementation.
Monitor for VSS enumeration from non-system processes. NtQueryDirectoryObject calls targeting HarddiskVolumeShadowCopy* from user-space processes have no legitimate use case outside of system and backup tooling. This is a high-confidence indicator of RedSun-style reconnaissance.
Watch for Cloud Files sync root registration by untrusted processes. CfRegisterSyncRoot calls originating outside of known cloud sync software (OneDrive, Dropbox, Box) should be investigated. This API is central to how RedSun creates its timing trap and is uncommon in general-purpose applications.
Alert on writes to System32 originating from paths under %TEMP% or user-writable directories. Legitimate software does not route System32 writes through temporary directories via mount points.
Monitor for TieringEngineService.exe execution outside of expected service start conditions, particularly when preceded by file activity in a user's %TEMP% directory.
Alert on COM activation of the Storage Tiers Management object (CLSID 50d185b9-fff3-4656-92c7-e4018da4361d) from non-administrative user sessions.
For UnDefend: monitor for processes blocking or intercepting Defender update requests, and alert on discrepancies between Defender status reported to the EDR console and actual local service state.
Enforce least privilege. RedSun begins from a standard user context. Limiting what standard accounts can interact with, particularly Cloud Files APIs and VSS interfaces, reduces the attack surface.
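The detection guidance above expressed as runnable logic, as an added example that is not Cyderes or Howler Cell code: stateless rules for the VSS enumeration, sync-root registration, redirected System32 write and COM activation indicators, plus a per-host correlation that flags a TieringEngineService.exe start only after a redirected write was already seen on that host. The event field names, the sync-client and system-process allowlists, and the sample events are assumptions constructed for the example.

```python
"""RedSun behavioral detection over constructed events. Added example, not Cyderes/Howler
Cell code; field names, allowlists and the temporal rule are assumptions to map onto real telemetry."""
import re
from collections import defaultdict

TIERING_CLSID = "50d185b9-fff3-4656-92c7-e4018da4361d"      # CLSID named in the article
CLOUD_SYNC_OK = {"onedrive.exe", "dropbox.exe", "box.exe"}   # assumed sync-client image names
SYSTEM_PROCS = {"vssvc.exe", "wbengine.exe", "msmpeng.exe"}  # assumed backup/AV image names
TEMP_RE = re.compile(r"(?i)\\appdata\\local\\temp\\|\\windows\\temp\\")
SYS32_RE = re.compile(r"(?i)^c:\\windows\\system32\\")

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Stateless rules: the alert names one event triggers (possibly none)."""
    proc, api, hits = image_name(ev.get("image", "")), ev.get("api"), []
    if api == "NtQueryDirectoryObject" and proc not in SYSTEM_PROCS \
            and "harddiskvolumeshadowcopy" in ev.get("target", "").lower():
        hits.append("vss_enumeration_user_process")
    if api == "CfRegisterSyncRoot" and proc not in CLOUD_SYNC_OK:
        hits.append("sync_root_untrusted_process")
    if ev["type"] == "file_write" and SYS32_RE.match(ev.get("resolved", "")) \
            and TEMP_RE.search(ev.get("requested", "")):  # path under %TEMP% landed in System32
        hits.append("system32_write_via_temp_path")
    if ev["type"] == "com_activate" and not ev.get("admin_session", False) \
            and ev.get("clsid", "").lower().strip("{}") == TIERING_CLSID:
        hits.append("tiering_com_activation_non_admin")
    return hits

def chain_score(events):
    """Per host, the distinct stages seen; the TieringEngineService start rule only fires after a redirected write."""
    seen = defaultdict(set)
    for ev in events:
        host, hits = ev["host"], classify(ev)
        if ev["type"] == "process_create" and "system32_write_via_temp_path" in seen[host] \
                and image_name(ev["image"]) == "tieringengineservice.exe":
            hits.append("tiering_engine_start_after_temp_write")
        seen[host].update(hits)
    return {h: sorted(a) for h, a in seen.items() if a}

USER_EXE = r"C:\Users\bob\AppData\Local\Temp\rs.exe"  # constructed path
SAMPLE = [  # constructed events, not captured telemetry
    {"host": "ws1", "type": "api", "api": "NtQueryDirectoryObject", "image": USER_EXE, "target": r"\Device\HarddiskVolumeShadowCopy3"},
    {"host": "ws1", "type": "api", "api": "CfRegisterSyncRoot", "image": USER_EXE},
    {"host": "ws1", "type": "file_write", "requested": r"C:\Users\bob\AppData\Local\Temp\w\TieringEngineService.exe", "resolved": r"C:\Windows\System32\TieringEngineService.exe"},
    {"host": "ws1", "type": "com_activate", "image": USER_EXE, "admin_session": False, "clsid": "{50d185b9-fff3-4656-92c7-e4018da4361d}"},
    {"host": "ws1", "type": "process_create", "image": r"C:\Windows\System32\TieringEngineService.exe"},
    {"host": "ws2", "type": "api", "api": "CfRegisterSyncRoot", "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]
```

A host that accumulates several distinct stages is the chain signal; a single rule firing in isolation (for instance a sync-root registration by an unrecognised updater) is a triage item, not a confirmed RedSun run.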
Cyderes Detection Engineering and Threat Hunting teams have built coverage for RedSun targeting these TTPs. Cyderes clients are protected.
RedSun and BlueHammer were written by the same developer, use the same set of Windows primitives, and exploit the same class of architectural interaction. Microsoft Defender runs with SYSTEM privileges. Legitimate Windows features give an attacker precise, reproducible control over timing. The vulnerability emerges from the chain, not from any individual component.
BlueHammer showed the read path. RedSun shows the write path. UnDefend shows the blind path. Together, the three tools form a complete offensive package: escalate to SYSTEM, execute arbitrary code, and prevent Defender from detecting any of it, while reporting a clean health status to the management console. That is not a coincidence of timing. That is a developed toolkit.
BlueHammer has been patched. RedSun and UnDefend have not. All three are active in the wild. Huntress Labs observed BlueHammer exploitation beginning April 10. Ransomware operators and APT groups routinely integrate public LPE code within days of release. That window has already closed.
Neither LPE exploit requires a traditional vulnerability. No memory corruption. No kernel flaw. That also makes remediation harder: blocking any single component risks disrupting legitimate Defender, Cloud Files, or VSS behavior. Until Microsoft addresses the underlying architectural interaction, detection of the behavioral chain is the primary defensive control.
Howler Cell is tracking Nightmare-Eclipse's ongoing activity and any additional releases targeting this primitive set. Findings will be updated as the situation develops.
Named pipe: \\.\pipe\REDSUN
Dropped binary: C:\Windows\System32\TieringEngineService.exe
Storage Tiers Management CLSID: {50d185b9-fff3-4656-92c7-e4018da4361d}
CVE: CVE-2026-33825 (BlueHammer only; RedSun and UnDefend unassigned at time of writing)