Hours after Microsoft shipped the June 2026 Patch Tuesday fixes, the researcher known as Nightmare-Eclipse resurfaced on GitHub under a new alias: MSNightmare. The repository contained RoguePlanet, a seventh Windows local privilege escalation exploit targeting Microsoft Defender.
The pattern is a systematic campaign against a single attack surface, executed at a pace and technical depth that signals sustained, deliberate investment in mapping Defender's internal architecture.
The Howler Cell Threat Research Team reproduced RoguePlanet on a fully patched Windows 11 host. No patch addressing the root cause has been released. Howler Cell confirmed the behavioral chain survives recompilation with minor source modifications and remains undetected by static means. Cyderes has built detection coverage for the behavioral chain described in this report.
This is the third in a series of Howler Cell research reports tracking the Nightmare-Eclipse exploit cluster. For background on the earlier tools in this series, see our analysis of BlueHammer (CVE-2026-33825) and RedSun (CVE-2026-41091).
In the RedSun analysis, we noted that the pace and technical depth of these releases made additional tools targeting the same primitive set probable. RoguePlanet confirms that assessment.
One researcher. Three aliases: Nightmare-Eclipse, Chaotic Eclipse, Dead Eclipse. Real identity unknown. Seven Windows zero-days in ten weeks, all targeting Microsoft Defender or adjacent Windows security components.
The first release dropped on April 3, 2026. None went through coordinated disclosure.
Earlier tools from this cluster have moved beyond proof-of-concept. Huntress researchers documented real-world intrusion chains using BlueHammer, RedSun, and UnDefend in live attack sequences. Active exploitation of prior releases is confirmed.
The releases are framed as a protest. In cryptographically signed posts on their blog, the researcher accuses MSRC of revoking their portal access, dismissing submitted reports, refusing to pay bounties on confirmed findings, and defamation.
On June 10, 2026, hours after Microsoft shipped the June Patch Tuesday fixes for GreenPlasma, YellowKey, and MiniPlasma, the researcher resurfaced on GitHub as MSNightmare.
The repository held RoguePlanet, the seventh exploit. On their blog, the researcher wrote that further bans no longer matter, because once code is public, "Microsoft cannot unwrite my code." Mirrors went up in parallel on a self-hosted Git instance at git.projectnightcrawler[.]dev/NightmareEclipse. The MSNightmare GitHub profile lists affiliation as ‘Microsoft’.
Microsoft Defender signature updates detect the compiled proof-of-concept as Exploit:Win32/DfndrRugPlnt.BB. That detection targets the specific compiled sample. It does not address the underlying technique. Howler Cell confirmed the behavioral chain survives recompilation with minimal source modification and remains undetected by static means. No patch addressing the root cause has been released.
Figure 1: Howler Cell Threat Research Team confirming the PoC on Windows 11 Pro
The seven-stage chain below shows how the components involved (Defender's quarantine pipeline, NTFS reparse points, opportunistic locks, the Volume Shadow Copy service, and the WER scheduled task) interact from initial execution through SYSTEM shell delivery. Each stage is a legitimate Windows operation. The vulnerability exists only in the sequence.
Figure 2: RoguePlanet attack chain: standard user to NT AUTHORITY\SYSTEM via Defender’s quarantine pipeline and WER scheduled task execution
The technical breakdown below traces each stage in detail.
RoguePlanet is a design-level race condition in how Windows Defender’s scan and quarantine pipeline interacts with NTFS reparse points, opportunistic locks, and the Volume Shadow Copy service. It does not exploit a memory safety bug. It does not require elevated privileges to initiate. It requires only that Windows Defender’s real-time protection is active and that the Windows Error Reporting scheduled infrastructure is present.
Defender’s remediation workflow involves creating and accessing files through paths that can be redirected transparently by NTFS reparse points. Opportunistic locks allow a user-mode process to pause Defender’s file access at a precise and reproducible moment, converting a timing race into a deterministic controlled window. The WER QueueReporting scheduled task runs as SYSTEM and can be triggered by an unprivileged user via the Task Scheduler COM interface, and its execution path can be redirected by the junction chain the exploit has already built.
The vulnerability emerges from the gap between when Defender creates a quarantine artifact and when it validates where that artifact actually landed. During that gap, the exploit redirects the landing zone, overwrites the artifact with its own binary, and then redirects the execution path to match. When the WER task fires, it executes what it believes is a legitimate system binary at a legitimate system path. It is not.
The goal of the exploit chain is to get an unprivileged copy of the exploit binary executed by a SYSTEM-level scheduled task.
The exploit checks its own token at startup. If it is already running as SYSTEM, it takes the payload path: connecting to the named pipe \\.\pipe\RoguePlanet, identifying the interactive session of the user who launched the unprivileged instance, and spawning conhost.exe inside that session under SYSTEM privileges (see Figure 3).
The named pipe RoguePlanet is a stable, observable artifact present on the system for the entire duration of the exploit run. Against the published PoC, it is a high-confidence detection indicator. Any actor adapting this technique would rename the pipe; this signal applies to the exploit as released.
If the binary is not running as SYSTEM, it proceeds into the orchestrator path, which constitutes the remainder of the exploit logic.
Figure 3: SYSTEM shell delivery via RoguePlanet named pipe
On machines with more than three logical cores, the exploit launches one generator thread continuously producing random data via the system cryptographic RNG, and one worker thread per core continuously writing that data to unique temp files in tight loops (Figure 4). These threads are held dormant on an event object until the right moment in the chain. Their purpose is to create sustained I/O and scheduler pressure that makes the oplock race windows predictable rather than probabilistic.
The named pipe RoguePlanet is created immediately afterwards and kept open for the lifetime of the process. It serves as the success signal channel: a blocking ConnectNamedPipe at the very end of main waits until the elevated payload calls back through this pipe.
Figure 4: I/O thread initialization and RoguePlanet named pipe server creation
The exploit extracts an ISO image embedded in its own data section, writes it to a UUID-named temp file, and mounts it as a read-only virtual disk with no drive letter. The device is then referenced by its raw NT kernel path (\Device\CdRom<N>), bypassing Win32 path restrictions. The ISO contains a wermgr.exe carrying the EICAR test signature (Figure 5).
A working directory named RP_<UUID> is created under %TEMP%. Two subdirectories are created inside it. One is named wdtest_temp and will serve as a quarantine artifact capture zone. The other is named System32, taking its name from the last path component of C:\Windows\System32 via an internal function called GetWERDir. This naming is deliberate: the scan path passed to Defender becomes %TEMP%\RP_<UUID>\System32\wermgr.exe, structurally identical to the legitimate system binary path C:\Windows\System32\wermgr.exe.
File artifacts created:
Figure 5: Working directory setup and System32 mirror directory construction
The EICAR file is written to the System32 subdirectory with the filename wermgr.exe. An NTFS Alternate Data Stream (ADS) named :WDFOO is also created on this file using low-level NT file APIs, bypassing Win32 ADS creation restrictions (Figure 6). The Poseidon I/O threads, held dormant on their start event since initialization in Stage 2, are released simultaneously. A separate thread calls directly into MpClient.dll via runtime-resolved exports to trigger a Windows Defender scan of the staged path (zippath) through the Defender RPC interface, with scan flags configured to activate the full remediation pipeline.
A ShadowCopyFinderThread method polls the NT object manager directory \Device continuously, comparing against a baseline snapshot of pre-existing shadow copy devices. It waits specifically for Defender to create a new Volume Shadow Copy as part of its remediation workflow. Once a new HarddiskVolumeShadowCopy* device appears, the full path to the EICAR file’s :WDFOO ADS is constructed through that shadow copy volume. An oplock is placed on this VSS-accessed ADS path. When Defender’s internal processing reaches the point where it opens this file through the shadow copy, the oplock fires and WaitForSingleObject returns, leaving Defender paused mid-operation with a guaranteed window for the junction swaps that follow.
Figure 6: EICAR delivery with ADS creation
While Defender is paused by the oplock, the System32 directory handle is converted to a reparse point junction targeting the mounted ISO. When Defender resumes, it follows the junction and observes the legitimate-looking wermgr.exe on the ISO rather than the EICAR.
The exploit then watches C:\Windows recursively for Defender creating an intermediate temporary file matching the pattern Temp\TMP with exactly sixteen trailing characters, which signals that Defender has advanced into its active quarantine workflow (Figure 7).
Figure 7: Watching for file creation
On that signal, the junction is swapped again so System32 now points to wdtest_temp. A second EICAR is written through the junction path, landing inside wdtest_temp. The ISO’s wermgr.exe is then byte-range locked, preventing Defender from removing it. Faced with a locked source file, Defender instead creates a quarantine placeholder, which lands inside wdtest_temp through the active junction. The exploit watches for size changes in wdtest_temp, indicating Defender is actively writing to the placeholder, and captures its full path. The result is a SYSTEM-owned file sitting in attacker-controlled territory.
Figure 8: Sequential junction swap chain
The reparse point is removed from hdir (the persistent open handle to the %TEMP%\RP_<UUID>\System32 subdirectory created at the start of the chain), reverting it to a plain directory. The captured quarantine file is opened with full write access and overwritten with the exploit binary read from the current process’s own image on disk. The quarantine file now contains the exploit binary but retains the SYSTEM-level ownership and metadata that Defender assigned to it (Figure 9).
Figure 9: Exploit binary injection into SYSTEM-owned quarantine artifact
All working artifacts are atomically renamed to random UUID-named paths using NtSetInformationFile with FileRenameInformationEx, preserving the open handles while freeing the original paths. The root working directory %TEMP%\RP_<UUID> is then converted into a reparse point junction targeting C:\Windows. After this operation, the path %TEMP%\RP_<UUID>\System32\wermgr.exe, which is where the moved exploit binary resolves, becomes transparently identical to C:\Windows\System32\wermgr.exe. Any path-based check examining the execution path will observe a legitimate system binary location.
The Windows Task Scheduler COM interface is used to trigger the QueueReporting scheduled task inside the Windows Error Reporting task folder. This task is present on all standard Windows installations, runs under the SYSTEM account, and can be triggered programmatically by an unprivileged user through the Task Scheduler COM API. Its execution involves wermgr.exe at the System32 path. Because of the junction chain, that path now resolves to the exploit binary (Figure 10).
The exploit binary launches as SYSTEM, enters the IsRunningAsLocalSystem() branch at the top of main, connects back to the RoguePlanet pipe, identifies the interactive user’s session, and spawns conhost.exe into that session under SYSTEM privileges. ConnectNamedPipe in the orchestrator process unblocks on this connection, the success message is printed, and all COM resources are released cleanly.
Figure 10: WER QueueReporting scheduled task trigger via Task Scheduler COM and named pipe success confirmation
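The chain above leaves telemetry at several points: the RoguePlanet pipe, writes under %TEMP%\RP_<UUID>\System32 and \wdtest_temp, and a SYSTEM process that appears to run from C:\Windows\System32\wermgr.exe but is not the real wermgr.exe (the path check passes, so the hash has to decide). The following is an added example of correlating those signals over Sysmon-style events; it is neither Cyderes' detection content nor code from the PoC. Sysmon Event IDs 1, 11, 17 and 18 are real, but the flat field layout, the timestamp format, the standard 8-4-4-4-12 UUID form, the sample events and the known-good hash placeholder are assumptions constructed for this example.

```python
"""Correlation sketch for the RoguePlanet behavioural chain (added example,
not Cyderes' or the PoC's code), run over constructed Sysmon-style events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"   # assumed UUID form
# %TEMP%\RP_<UUID>\System32\ or \wdtest_temp\ as described in the report
RP_WORKDIR = re.compile(r"\\temp\\rp_" + UUID + r"\\(system32|wdtest_temp)\\", re.I)
PIPE_NAME = re.compile(r"\\RoguePlanet$", re.I)          # matches the PoC as released only
WERMGR_SYSTEM_PATH = r"c:\windows\system32\wermgr.exe"
KNOWN_GOOD_WERMGR_SHA256 = "PLACEHOLDER_KNOWN_GOOD_SHA256"  # assumption: take from a golden image
WINDOW = timedelta(minutes=10)

def is_system(ev):
    return ev.get("User", "").upper().endswith("\\SYSTEM")

def sha256_of(ev):
    """Parse the Sysmon 'Hashes' field (e.g. 'SHA256=...,MD5=...')."""
    hashes = dict(p.split("=", 1) for p in ev.get("Hashes", "").split(",") if "=" in p)
    return hashes.get("SHA256", "").upper()

def stage_of(ev):
    """Map one event to the chain stage it evidences, or None."""
    eid = ev["EventID"]
    if eid == 17 and PIPE_NAME.search(ev.get("PipeName", "")):
        return "pipe_created_rogueplanet"        # orchestrator creates its success-signal pipe
    if eid == 11 and RP_WORKDIR.search(ev.get("TargetFilename", "")):
        return "rp_workdir_artifact"             # EICAR / placeholder writes under RP_<UUID>
    if (eid == 1 and ev.get("Image", "").lower() == WERMGR_SYSTEM_PATH and is_system(ev)
            and sha256_of(ev) != KNOWN_GOOD_WERMGR_SHA256.upper()):
        return "wermgr_trusted_path_wrong_hash"  # task ran something at the System32 path that is not wermgr.exe
    if eid == 18 and PIPE_NAME.search(ev.get("PipeName", "")) and is_system(ev):
        return "system_connect_to_rogueplanet"   # elevated payload calls back through the pipe
    return None

def correlate(events):
    """Per host, collect the stages seen within WINDOW of the first hit (simplified windowing)."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        s = stage_of(ev)
        if s:
            hits[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), s))
    alerts = []
    for host, seen in hits.items():
        t0 = seen[0][0]
        stages = sorted({s for t, s in seen if t - t0 <= WINDOW})
        high = any(s.startswith(("wermgr_", "system_connect")) for s in stages)
        alerts.append({"host": host, "stages": stages, "severity": "high" if high else "medium"})
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    {"EventID": 17, "Computer": "ws01", "UtcTime": "2026-06-10T14:00:01", "User": "CORP\\alice",
     "PipeName": "\\RoguePlanet"},
    {"EventID": 11, "Computer": "ws01", "UtcTime": "2026-06-10T14:00:02", "User": "CORP\\alice",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\RP_3f2a9c1e-7b5d-4e8a-9c2f-1d6e8a7b5c3f\\System32\\wermgr.exe"},
    {"EventID": 1, "Computer": "ws01", "UtcTime": "2026-06-10T14:00:09", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\wermgr.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
    {"EventID": 18, "Computer": "ws01", "UtcTime": "2026-06-10T14:00:10", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\wermgr.exe", "PipeName": "\\RoguePlanet"},
    # benign: the real wermgr.exe run by the WER task on another host
    {"EventID": 1, "Computer": "ws02", "UtcTime": "2026-06-10T14:05:00", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\wermgr.exe", "Hashes": "SHA256=PLACEHOLDER_KNOWN_GOOD_SHA256"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The pipe-name rules are only useful against the unmodified PoC, as the report notes; the working-directory and hash-mismatch rules are the ones that survive a renamed pipe, and the hash rule is the direct answer to "any path-based check will observe a legitimate system binary location".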
No patch addressing the root cause has been released. The proof-of-concept is publicly available. Cyderes is publishing this analysis to accelerate defensive coverage. Signature-based detections targeting the compiled proof-of-concept binary provide minimal protection because the technique survives recompilation with minor source modifications. The behavioral chain remains undetected by static means. Defenders should prioritize behavioral detection and targeted hardening against the specific TTPs the exploit depends on.
Cyderes Detection Engineering and Threat Hunting have built behavioral coverage for RoguePlanet targeting these TTPs. Cyderes clients are protected against the behavioral chain described above.
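Beyond log correlation, the file-system state the report describes can be hunted for directly on a host: an RP_<UUID> directory under a Temp folder with System32 and wdtest_temp children, or that same directory already converted into a junction pointing at C:\Windows. The following hunt is an added example, not Cyderes' tooling and not code from the PoC; it assumes the standard 8-4-4-4-12 UUID form, that os.readlink resolves junction targets (true on Python 3.8+ on Windows), and it builds a constructed directory layout (using a symlink to stand in for the junction) so the classification logic can be exercised on any platform.

```python
"""Host-side hunt for RoguePlanet working-directory artifacts (added example,
not Cyderes' or the PoC's code). Reports RP_<UUID> directories under a temp
folder that either carry the System32 / wdtest_temp layout or have become a
reparse point targeting a Windows directory."""
import os
import re
import shutil
import tempfile

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"   # assumed UUID form
RP_DIR = re.compile(r"^RP_" + UUID + r"$", re.I)
FILE_ATTRIBUTE_REPARSE_POINT = 0x400       # NTFS attribute bit set on junctions
SUSPICIOUS_CHILDREN = {"system32", "wdtest_temp"}

def reparse_target(path):
    """Return the link/junction target of path, or None for a plain directory."""
    st = os.lstat(path)
    is_reparse = os.path.islink(path) or bool(
        getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)
    if not is_reparse:
        return None
    try:
        target = os.readlink(path)
    except OSError:
        return "<unresolved reparse point>"
    return target[4:] if target.startswith("\\\\?\\") else target   # strip NT prefix

def classify(name, target, children):
    """Pure classification so the logic is testable without NTFS present."""
    if not RP_DIR.match(name):
        return None
    if target is not None:
        if re.search(r"[\\/]windows[\\/]?$", target, re.I):
            return "rp_workdir_junction_to_windows"   # post-injection state: path mirrors C:\Windows
        return "rp_workdir_reparse_point"
    if SUSPICIOUS_CHILDREN & {c.lower() for c in children}:
        return "rp_workdir_layout"                    # System32 / wdtest_temp capture layout
    return "rp_named_directory"

def hunt(temp_dir):
    """Inspect the top level of one temp directory; return (name, verdict, target) findings."""
    findings = []
    for name in sorted(os.listdir(temp_dir)):
        path = os.path.join(temp_dir, name)
        if not os.path.isdir(path):
            continue
        target = reparse_target(path)
        children = [] if target else os.listdir(path)   # never walk through the junction
        verdict = classify(name, target, children)
        if verdict:
            findings.append((name, verdict, target))
    return findings

def demo():
    """Constructed layout (not a real infection) exercising the two main verdicts."""
    root = tempfile.mkdtemp(prefix="rp_hunt_demo_")
    try:
        fake_windows = os.path.join(root, "Windows")
        temp = os.path.join(root, "Temp")
        os.mkdir(fake_windows)
        os.mkdir(temp)
        staged = os.path.join(temp, "RP_3f2a9c1e-7b5d-4e8a-9c2f-1d6e8a7b5c3f")
        os.makedirs(os.path.join(staged, "System32"))
        os.mkdir(os.path.join(staged, "wdtest_temp"))
        try:   # symlink stands in for the NTFS junction; needs privilege on some Windows hosts
            os.symlink(fake_windows, os.path.join(temp, "RP_9b1d4e6f-2a3c-4d5e-8f7a-6b5c4d3e2f1a"),
                       target_is_directory=True)
        except OSError:
            pass
        os.mkdir(os.path.join(temp, "RP_not-a-uuid"))   # should not be reported
        os.mkdir(os.path.join(temp, "OtherTool"))       # should not be reported
        return hunt(temp)
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In production use, point hunt() at each user's %TEMP% and at C:\Windows\Temp; a hit on rp_workdir_junction_to_windows means the chain has already reached the stage where the working directory mirrors C:\Windows, so the wermgr.exe path on that host should be hash-verified rather than trusted by location.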
RoguePlanet is a precise exploitation of the gap between when Windows Defender creates a quarantine artifact and when it validates the integrity of the path where that artifact landed. The junction swap chain converts that gap into a reliable payload delivery mechanism. The WER scheduled task converts that delivered payload into SYSTEM execution.
No kernel exploit is required. No memory corruption is involved. The attack succeeds because Defender’s remediation pipeline, NTFS reparse points, opportunistic locks, and the WER task infrastructure can be combined in a sequence that produces a result none of them were designed to permit.
The Poseidon I/O saturation system, the embedded ISO, the NTFS ADS oplock technique, and the self-referential binary design place this well above opportunistic tooling. This is a purpose-built exploit, not a repackaged proof of concept. The behavioral chain is stable. The core technique survives binary-level detection.
This is the seventh tool from this researcher in ten weeks. In the RedSun analysis, we assessed additional releases as probable. That assessment holds. Howler Cell is tracking MSNightmare’s ongoing activity and any additional releases targeting this primitive set. Findings will be updated as the situation develops. Until a patch addressing the root interaction between Defender’s quarantine workflow and NTFS junction resolution is available, behavioral detection against the TTPs described above is the primary defensive control.
Zero-Day PoC: hxxps[://]github[.]com/MSNightmare/RoguePlanet
Mirror: hxxps[://]git.projectnightcrawler[.]dev/NightmareEclipse
Blog: hxxps[://]deadeclipse666.blogspot[.]com/
Named pipe: \\.\pipe\RoguePlanet
Working directory pattern: %TEMP%\RP_<UUID>
Defender signature: Exploit:Win32/DfndrRugPlnt.BB
Related Howler Cell research: