RoguePlanet: Windows Zero-Day That Weaponizes Defender's Own Quarantine Pipeline
Key Findings
- Local privilege escalation from a standard unprivileged user to NT AUTHORITY\SYSTEM, confirmed by Howler Cell on Windows 11 Pro. No kernel bug, no memory corruption, no admin rights required.
- PoC published on GitHub on June 10, 2026, under the MSNightmare handle, with mirrors on a self-hosted Git server. No coordinated disclosure, no CVE, no patch.
- The chain abuses Defender’s real-time scan and quarantine pipeline, NTFS directory junctions, opportunistic locks, Volume Shadow Copy, and the WER QueueReporting scheduled task. Each component is a legitimate Windows feature. The vulnerability exists only in the sequence.
- RoguePlanet forces Defender to create a SYSTEM-owned quarantine artifact inside attacker-controlled space, overwrites it with the payload, then triggers WER QueueReporting (running as SYSTEM) to execute it. A three-stage junction swap makes the payload resolve at a path structurally identical to C:\Windows\System32\wermgr.exe.
- The binary is self-referential. One IsRunningAsLocalSystem check at entry switches between unprivileged orchestrator and SYSTEM payload. An embedded ISO supplies the EICAR source without ever dropping it as a standalone file; the dependence on ISO mounting also blocks the chain on Windows Server, where standard users cannot mount ISOs.
- A Poseidon I/O subsystem (generator plus one worker thread per logical core) makes the oplock race windows deterministic in lab conditions. Production system variability, including differing scheduler behavior, background load, and hardware configurations, reintroduces timing uncertainty in the field. The researcher reports 100% success on some test machines and failure on others.
- Defender signature Exploit:Win32/DfndrRugPlnt.BB flags the compiled sample only. Minor source changes defeat it. The behavioral chain remains undetected by static means.
Summary
Hours after Microsoft shipped the June 2026 Patch Tuesday fixes, the researcher known as Nightmare-Eclipse resurfaced on GitHub under a new alias: MSNightmare. The repository contained RoguePlanet, a seventh Windows local privilege escalation exploit targeting Microsoft Defender.
The pattern is a systematic campaign against a single attack surface, executed at a pace and technical depth that signals sustained, deliberate investment in mapping Defender's internal architecture.
Howler Cell Threat Research Team reproduced RoguePlanet on a fully patched Windows 11 host. No patch addressing the root cause has been released. Howler Cell confirmed the behavioral chain survives recompilation with minor source modifications and remains undetected by static means. Cyderes has built detection coverage for the behavioral chain described in this report.
This is the third in a series of Howler Cell research reports tracking the Nightmare-Eclipse exploit cluster. For background on the earlier tools in this series, see our analysis of BlueHammer (CVE-2026-33825) and RedSun (CVE-2026-41091).
In the RedSun analysis, we noted that the pace and technical depth of these releases made additional tools targeting the same primitive set probable. RoguePlanet confirms that assessment.
The Nightmare-Eclipse Cluster
One researcher. Three aliases: Nightmare-Eclipse, Chaotic Eclipse, Dead Eclipse. Real identity unknown. Seven Windows zero-days in ten weeks, all targeting Microsoft Defender or adjacent Windows security components.
The first release dropped on April 3, 2026. None went through coordinated disclosure.
Earlier tools from this cluster have moved beyond proof-of-concept. Huntress researchers documented real-world intrusion chains using BlueHammer, RedSun, and UnDefend in live attack sequences. Active exploitation of prior releases is confirmed.
The releases are framed as a protest. In cryptographically signed posts on their blog, the researcher accuses MSRC of revoking their portal access, dismissing submitted reports, refusing to pay bounties on confirmed findings, and defamation.
Platform Bans
- May 23, 2026: GitHub terminated the Nightmare-Eclipse account and wiped all six prior exploit repositories.
- May 26, 2026: GitLab suspended the mirrored account and removed repositories. Within hours, copies spread to forums, paste sites, and alternative Git hosts. The takedowns accelerated the spread rather than slowing it.
Patch Status
- BlueHammer: CVE-2026-33825, CVSS 7.8. Patched April 14, 2026 (Patch Tuesday). Added to CISA KEV.
- RedSun: CVE-2026-41091. Patched out-of-band May 21, 2026. Added to CISA KEV.
- UnDefend: CVE-2026-45498. Patched out-of-band May 21, 2026. Added to CISA KEV.
- YellowKey: CVE-2026-45585. Patched June 09, 2026 (Patch Tuesday).
- GreenPlasma: CVE-2026-45586. Patched June 09, 2026 (Patch Tuesday).
- MiniPlasma: CVE-2020-17103 (per the researcher's attribution; the incomplete 2020 fix was comprehensively addressed). Patched June 09, 2026 (Patch Tuesday).
- RoguePlanet: No CVE assigned. No patch available.
Return of the Eclipse: MSNightmare and RoguePlanet
On June 10, 2026, hours after Microsoft shipped the June Patch Tuesday fixes for GreenPlasma, YellowKey, and MiniPlasma, the researcher resurfaced on GitHub as MSNightmare.
The repository held RoguePlanet, the seventh exploit. On their blog, the researcher wrote that further bans no longer matter, because once code is public, "Microsoft cannot unwrite my code." Mirrors went up in parallel on a self-hosted Git instance at git.projectnightcrawler[.]dev/NightmareEclipse. The MSNightmare GitHub profile lists affiliation as ‘Microsoft’.
Key Facts on RoguePlanet:
- Per the researcher’s PoC documentation, RoguePlanet was originally built as a remote code execution exploit, abusing Defender’s handling of files on remote SMB shares served from attacker-controlled .vhd(x) images.
- Per the researcher’s PoC documentation, a mid-May Defender engine update changed the mpengine!SysIO* APIs and broke that path, along with many junction-based techniques used in earlier exploits.
- The researcher rewrote RoguePlanet into a local privilege escalation race condition.
- The researcher describes the current PoC as hit or miss, with 100% success on some test machines and failure on others.
- It does not work on Windows Server, because standard users on Server SKUs cannot mount an ISO.
- Cyderes Howler Cell Threat Research Team reproduced it on a fully patched Windows 11 host.
Microsoft Defender signature updates detect the compiled proof-of-concept as Exploit:Win32/DfndrRugPlnt.BB. That detection targets the specific compiled sample. It does not address the underlying technique. Howler Cell confirmed the behavioral chain survives recompilation with minimal source modification and remains undetected by static means. No patch addressing the root cause has been released.
Figure 1: Howler Cell Threat Research Team confirming the PoC on Windows 11 Pro

The seven-stage chain below shows how these components interact from initial execution through SYSTEM shell delivery. Each stage is a legitimate Windows operation. The vulnerability exists only in the sequence.
Figure 2: RoguePlanet attack chain: standard user to NT AUTHORITY\SYSTEM via Defender’s quarantine pipeline and WER scheduled task execution

The technical breakdown below traces each stage in detail.
What Is the Vulnerability?
RoguePlanet is a design-level race condition in how Windows Defender’s scan and quarantine pipeline interacts with NTFS reparse points, opportunistic locks, and the Volume Shadow Copy service. It does not exploit a memory safety bug. It does not require elevated privileges to initiate. It requires only that Windows Defender’s real-time protection is active and that the Windows Error Reporting scheduled infrastructure is present.
Defender’s remediation workflow involves creating and accessing files through paths that can be redirected transparently by NTFS reparse points. Opportunistic locks allow a user-mode process to pause Defender’s file access at a precise and reproducible moment, converting a timing race into a deterministic controlled window. The WER QueueReporting scheduled task runs as SYSTEM and can be triggered by an unprivileged user via the Task Scheduler COM interface, and its execution path can be redirected by the junction chain the exploit has already built.
The vulnerability emerges from the gap between when Defender creates a quarantine artifact and when it validates where that artifact actually landed. During that gap, the exploit redirects the landing zone, overwrites the artifact with its own binary, and then redirects the execution path to match. When the WER task fires, it executes what it believes is a legitimate system binary at a legitimate system path. It is not.
Technical Analysis
The goal of the exploit chain is to get an unprivileged copy of the exploit binary executed by a SYSTEM-level scheduled task.
Stage 1: Dual-Mode Entry and Payload Delivery
The exploit checks its own token at startup. If it is already running as SYSTEM, it takes the payload path: connecting to the named pipe \\.\pipe\RoguePlanet, identifying the interactive session of the user who launched the unprivileged instance, and spawning conhost.exe inside that session under SYSTEM privileges (see Figure 3).
The named pipe RoguePlanet is a stable, observable artifact present on the system for the entire duration of the exploit run. Against the published PoC, it is a high-confidence detection indicator. Any actor adapting this technique would rename the pipe; this signal applies to the exploit as released.
If the binary is not running as SYSTEM, it proceeds into the orchestrator path, which constitutes the remainder of the exploit logic.
Figure 3: SYSTEM shell delivery via RoguePlanet named pipe

Stage 2: I/O Threads and IPC Channel Initialization
On machines with more than three logical cores, the exploit launches one generator thread continuously producing random data via the system cryptographic RNG, and one worker thread per core continuously writing that data to unique temp files in tight loops (Figure 4). These threads are held dormant on an event object until the right moment in the chain. Their purpose is to create sustained I/O and scheduler pressure that makes the oplock race windows predictable rather than probabilistic.
The named pipe RoguePlanet is created immediately after and kept open for the lifetime of the process. It serves as the success signal channel: a blocking ConnectNamedPipe at the very end of main waits until the elevated payload calls back through this pipe.
Figure 4: I/O thread initialization and RoguePlanet named pipe server creation

Stage 3: ISO Extraction, Working Directory, and Filesystem Preparation
The exploit extracts an ISO image embedded in its own data section, writes it to a UUID-named temp file, and mounts it as a read-only virtual disk with no drive letter. The device is then referenced by its raw NT kernel path (\Device\CdRom<N>), bypassing Win32 path restrictions. The ISO contains a wermgr.exe carrying the EICAR test signature (Figure 5).
A working directory named RP_<UUID> is created under %TEMP%. Two subdirectories are created inside it. One is named wdtest_temp and will serve as a quarantine artifact capture zone. The other is named System32, taking its name from the last path component of C:\Windows\System32 via an internal function called GetWERDir. This naming is deliberate: the scan path passed to Defender becomes %TEMP%\RP_<UUID>\System32\wermgr.exe, structurally identical to the legitimate system binary path C:\Windows\System32\wermgr.exe.
File artifacts created:
- %TEMP%\RP_<UUID>\wdtest_temp
- %TEMP%\RP_<UUID>\System32
- %TEMP%\RP_<UUID>\System32\wermgr.exe
Figure 5: Working directory setup and System32 mirror directory construction

Stage 4: EICAR Delivery, VSS Discovery, and Oplock Placement
The EICAR file is written to the System32 subdirectory with the filename wermgr.exe. An NTFS Alternate Data Stream (ADS) named :WDFOO is also created on this file using low-level NT file APIs, bypassing Win32 ADS creation restrictions (Figure 6). The Poseidon I/O threads, held dormant on their start event since initialization in Stage 2, are released simultaneously. A separate thread calls directly into MpClient.dll via runtime-resolved exports to trigger a Windows Defender scan of the prepared scan path (zippath) through the Defender RPC interface, with scan flags configured to activate the full remediation pipeline.
A ShadowCopyFinderThread method polls the NT object manager directory \Device continuously, comparing against a baseline snapshot of pre-existing shadow copy devices. It waits specifically for Defender to create a new Volume Shadow Copy as part of its remediation workflow. Once a new HarddiskVolumeShadowCopy* device appears, the full path to the EICAR file’s :WDFOO ADS is constructed through that shadow copy volume. An oplock is placed on this VSS-accessed ADS path. When Defender’s internal processing reaches the point where it opens this file through the shadow copy, the oplock fires and WaitForSingleObject returns, leaving Defender paused mid-operation with a guaranteed window for the junction swaps that follow.
Figure 6: EICAR delivery with ADS creation

Stage 5: Junction Swap Chain and Quarantine Artifact Capture
While Defender is paused by the oplock, the System32 directory handle is converted to a reparse point junction targeting the mounted ISO. When Defender resumes, it follows the junction and observes the legitimate-looking wermgr.exe on the ISO rather than the EICAR.
The exploit then watches C:\Windows recursively for Defender creating an intermediate temporary file matching the pattern Temp\TMP with exactly sixteen trailing characters, which signals that Defender has advanced into its active quarantine workflow (Figure 7).
Figure 7: Watching for file creation

On that signal, the junction is swapped again so System32 now points to wdtest_temp. A second EICAR is written through the junction path, landing inside wdtest_temp. The ISO’s wermgr.exe is then byte-range locked, preventing Defender from removing it. Faced with a locked source file, Defender instead creates a quarantine placeholder, which lands inside wdtest_temp through the active junction. The exploit watches for size changes in wdtest_temp, indicating Defender is actively writing to the placeholder, and captures its full path. The result is a SYSTEM-owned file sitting in attacker-controlled territory.
Figure 8: Sequential junction swap chain

Stage 6: Payload Injection and Final Junction to C:\Windows
The reparse point is removed from hdir (the persistent open handle to the %TEMP%\RP_<UUID>\System32 subdirectory created at the start of the chain), reverting it to a plain directory. The captured quarantine file is opened with full write access and overwritten with the exploit binary read from the current process’s own image on disk. The quarantine file now contains the exploit binary but retains the SYSTEM-level ownership and metadata that Defender assigned to it (Figure 9).
Figure 9: Exploit binary injection into SYSTEM-owned quarantine artifact

All working artifacts are atomically renamed to random UUID-named paths using NtSetInformationFile with FileRenameInformationEx, preserving the open handles while freeing the original paths. The root working directory %TEMP%\RP_<UUID> is then converted into a reparse point junction targeting C:\Windows. After this operation, the path %TEMP%\RP_<UUID>\System32\wermgr.exe, which is where the moved exploit binary resolves, becomes transparently identical to C:\Windows\System32\wermgr.exe. Any path-based check examining the execution path will observe a legitimate system binary location.
Stage 7: WER Scheduled Task Execution and Shell Delivery
The Windows Task Scheduler COM interface is used to trigger the QueueReporting scheduled task inside the Windows Error Reporting task folder. This task is present on all standard Windows installations, runs under the SYSTEM account, and can be triggered programmatically by an unprivileged user through the Task Scheduler COM API. Its execution involves wermgr.exe at the System32 path. Because of the junction chain, that path now resolves to the exploit binary (Figure 10).
The exploit binary launches as SYSTEM, enters the IsRunningAsLocalSystem() branch at the top of main, connects back to the RoguePlanet pipe, identifies the interactive user’s session, and spawns conhost.exe into that session under SYSTEM privileges. ConnectNamedPipe in the orchestrator process unblocks on this connection, the success message is printed, and all COM resources are released cleanly.
Figure 10: WER QueueReporting scheduled task trigger via Task Scheduler COM and named pipe success confirmation

What Should Defenders Do?
No patch addressing the root cause has been released. The proof-of-concept is publicly available. Cyderes is publishing this analysis to accelerate defensive coverage. Signature-based detections targeting the compiled proof-of-concept binary provide minimal protection because the technique survives recompilation with minor source modifications. The behavioral chain remains undetected by static means. Defenders should prioritize behavioral detection and targeted hardening against the specific TTPs the exploit depends on.
- Monitor for the named pipe \\.\pipe\RoguePlanet being created by non-system processes. No legitimate system software uses this pipe name.
- Monitor for the following file system artifacts created in close succession by the same process. The RP_ prefix with a UUID suffix combined with this subdirectory structure is a consistent artifact across all runs:
  - %TEMP%\RP_<UUID>\wdtest_temp
  - %TEMP%\RP_<UUID>\System32
  - %TEMP%\RP_<UUID>\System32\wermgr.exe
- Hunt for wermgr.exe being written to or executed from any path outside of common Windows system directories.
- Hunt for conhost.exe spawned from a SYSTEM-integrity parent process into an interactive user session with no associated cmd.exe or terminal host in the process tree.
- Hunt for the Poseidon I/O saturation pattern: one generator thread plus per-core worker threads executing high-frequency writes to UUID-named temp files under %TEMP%. This behavioral signal has no equivalent outside of disk benchmarking and storage stress tooling. Combined with the other indicators in this chain, it is a strong composite detection signal.
- Monitor for VSS enumeration from non-system processes. NtQueryDirectoryObject calls targeting HarddiskVolumeShadowCopy* from user-space processes are rare outside of system and backup tooling. Tune this detection against known backup agent process names before operationalizing to reduce false positives.
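As an added example (not code from the report or the PoC), the following Python encodes four of the hunts above as checks over a constructed EDR-style event list; the 6-tuple event schema, the sample telemetry, and the wermgr.exe directory allowlist are assumptions, not artifacts from the report.

```python
"""Behavioral checks for the RoguePlanet TTPs over constructed EDR-style events.
Added example, not code from the report or the PoC. The 6-tuple event schema
(kind, pid, image, target, parent_image, parent_integrity) is an assumption."""
import re
from collections import defaultdict

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# The three artifacts under %TEMP%\RP_<UUID> that every run of the PoC creates.
RP_ARTIFACT = re.compile(
    rf"\\Temp\\RP_{UUID}\\(wdtest_temp|System32|System32\\wermgr\.exe)$", re.IGNORECASE)
# Assumed allowlist of where wermgr.exe legitimately lives.
WERMGR_OK = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\wermgr\.exe$", re.IGNORECASE)
# Parents that normally own a conhost.exe child; anything else doing so at SYSTEM is suspect.
CONSOLE_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}
RP_LAYOUT = {"wdtest_temp", "system32", "system32\\wermgr.exe"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, pid, detail) findings for the RoguePlanet TTPs in the report."""
    findings = []
    rp_dirs = defaultdict(set)  # pid -> RP_<UUID> artifact names created by that process
    for kind, pid, image, target, parent, parent_il in events:
        if kind == "PipeCreated" and target.lower() == r"\\.\pipe\rogueplanet":
            findings.append(("rogueplanet_pipe", pid, target))
        elif kind == "FileCreate":
            m = RP_ARTIFACT.search(target)
            if m:
                rp_dirs[pid].add(m.group(1).lower())
            if _basename(target) == "wermgr.exe" and not WERMGR_OK.match(target):
                findings.append(("wermgr_outside_system_dirs", pid, target))
        elif kind == "ProcessCreate":
            if _basename(image) == "wermgr.exe" and not WERMGR_OK.match(image):
                findings.append(("wermgr_outside_system_dirs", pid, image))
            # Catches the delivered shell even when the parent path looks like the real
            # System32 wermgr.exe, which is exactly what the junction chain produces.
            if (_basename(image) == "conhost.exe" and parent_il == "System"
                    and _basename(parent) not in CONSOLE_HOSTS):
                findings.append(("conhost_from_system_parent", pid, parent))
    # The RP_ tree is a composite signal: require the full layout from one process.
    for pid, names in rp_dirs.items():
        if RP_LAYOUT <= names:
            findings.append(("rp_working_directory", pid, sorted(names)))
    return findings

# Constructed sample telemetry: one exploit run (pid 4242 -> SYSTEM conhost) plus benign noise.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
RP = TEMP + r"\RP_3f9c2a1e-7b4d-4e0a-9c11-0d2b5e6f7a88"
SAMPLE_EVENTS = [
    ("PipeCreated", 4242, TEMP + r"\rp.exe", r"\\.\pipe\RoguePlanet", "", ""),
    ("FileCreate", 4242, TEMP + r"\rp.exe", RP + r"\wdtest_temp", "", ""),
    ("FileCreate", 4242, TEMP + r"\rp.exe", RP + r"\System32", "", ""),
    ("FileCreate", 4242, TEMP + r"\rp.exe", RP + r"\System32\wermgr.exe", "", ""),
    ("ProcessCreate", 5100, r"C:\Windows\System32\conhost.exe", "",
     r"C:\Windows\System32\wermgr.exe", "System"),
    ("ProcessCreate", 6000, r"C:\Windows\System32\wermgr.exe", "",
     r"C:\Windows\System32\svchost.exe", "System"),  # legitimate WER run
    ("ProcessCreate", 6001, r"C:\Windows\System32\conhost.exe", "",
     r"C:\Windows\System32\cmd.exe", "Medium"),  # user-opened console
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:<28} pid={pid} {detail}")
```

The pipe-name rule applies only to the PoC as released; the working-directory, wermgr.exe path and SYSTEM-parent conhost rules are the ones that survive a rename.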
Cyderes Detection Engineering and Threat Hunting have built behavioral coverage for RoguePlanet targeting these TTPs. Cyderes clients are protected against the behavioral chain described above.
Conclusion
RoguePlanet is a precise exploitation of the gap between when Windows Defender creates a quarantine artifact and when it validates the integrity of the path where that artifact landed. The junction swap chain converts that gap into a reliable payload delivery mechanism. The WER scheduled task converts that delivered payload into SYSTEM execution.
No kernel exploit is required. No memory corruption is involved. The attack succeeds because Defender’s remediation pipeline, NTFS reparse points, opportunistic locks, and the WER task infrastructure can be combined in a sequence that produces a result none of them were designed to permit.
The Poseidon I/O saturation system, the embedded ISO, the NTFS ADS oplock technique, and the self-referential binary design place this well above opportunistic tooling. This is a purpose-built exploit, not a repackaged proof of concept. The behavioral chain is stable. The core technique survives binary-level detection.
This is the seventh tool from this researcher in ten weeks. In the RedSun analysis, we assessed additional releases as probable. That assessment holds. Howler Cell is tracking MSNightmare’s ongoing activity and any additional releases targeting this primitive set. Findings will be updated as the situation develops. Until a patch addressing the root interaction between Defender’s quarantine workflow and NTFS junction resolution is available, behavioral detection against the TTPs described above is the primary defensive control.
Appendix
- Zero-Day PoC: hxxps[://]github[.]com/MSNightmare/RoguePlanet
- Mirror: hxxps[://]git.projectnightcrawler[.]dev/NightmareEclipse
- Blog: hxxps[://]deadeclipse666.blogspot[.]com/
- Named pipe: \\.\pipe\RoguePlanet
- Working directory pattern: %TEMP%\RP_<UUID>
- Defender signature: Exploit:Win32/DfndrRugPlnt.BB
