What Happened
Over thirteen days in April 2026, a security researcher known as 'Chaotic Eclipse' or 'Nightmare Eclipse' published three working exploit tools targeting Microsoft Defender on GitHub. The researcher stated publicly that a prior attempt to report the vulnerabilities to Microsoft's Security Response Center had gone nowhere, so they published the code directly. That move simultaneously accelerated public awareness and handed attackers a working blueprint.
The three vulnerabilities are named BlueHammer, RedSun, and UnDefend. Each targets a different aspect of how Defender operates, and together they compose into a coherent attack chain that is actively being used against real organizations right now.
BlueHammer (CVE-2026-33825): Patched April 14
BlueHammer exploits a race condition in Defender's signature update mechanism. When Defender detects a suspicious file and begins its remediation process, the exploit pauses that process at a critical moment using filesystem manipulation techniques, then redirects Defender's privileged file write to the Windows SAM database, a file that stores local account credentials. Defender, operating with SYSTEM-level privileges, reads the SAM hive and hands the attacker its contents: NTLM hashes, which can be used to take over local administrator accounts and spawn a SYSTEM-level shell.
In plain terms: Defender goes to clean up a threat, and the attacker tricks it into handing over the keys to the entire machine.
Microsoft patched BlueHammer on April 14 as part of Patch Tuesday, under CVE-2026-33825 with a CVSS score of 7.8. If your systems have received the April 2026 updates, this specific vector is closed.
RedSun: No Patch, No CVE, No Timeline
RedSun takes a different path but arrives at the same destination: SYSTEM-level access from a standard unprivileged user account. It abuses Defender's cloud file rollback mechanism, the process Defender uses to restore files it has quarantined. By crafting a file that triggers a Defender detection and then replacing it with a cloud placeholder, the attacker can redirect where Defender writes the restored file. With the right filesystem manipulation, that write goes to a critical system path instead of where it was supposed to go, allowing a malicious payload to be dropped with SYSTEM privileges.
RedSun has no CVE number, no patch, and no official timeline from Microsoft. It works on fully patched Windows 10, Windows 11, and Windows Server 2019 and later, on any system where the Windows Cloud Files API (cldapi.dll) is present, which is essentially every modern Windows installation. Security researcher Will Dormann confirmed the exploit works reliably. Every Windows endpoint with Defender enabled and no supplementary protection is currently exposed.
UnDefend: Silent Degradation
UnDefend is the most insidious of the three because it requires no elevated privileges and triggers no obvious alerts. A standard, non-administrative user can run it to block Defender's signature update pipeline. Over time, this silently degrades the antivirus protection on the machine: definition files grow stale, new malware goes unrecognized, and the system appears healthy on management dashboards while becoming increasingly blind to active threats.
In an attack chain, UnDefend is typically deployed first. Degrade the defenses, then escalate via RedSun on a system that can no longer see what is happening.
The Attack Chain Observed in the Wild
Huntress, the security firm that monitors endpoint activity for thousands of small and medium businesses, confirmed all three exploits have been observed in real-world attacks. The attacker behavior they documented is telling: these were not automated scripts. These were human attackers, sitting at a keyboard, manually exploring compromised environments.
The sequence Huntress observed: after gaining initial access through a hijacked VPN user account, the attacker dropped the exploit files into the victim's Pictures and Downloads folders, renamed them to look innocuous, then ran standard reconnaissance commands (whoami /priv, cmdkey /list, net group) before escalating using the Defender exploits.
CISA added CVE-2026-33825 (BlueHammer) to its Known Exploited Vulnerabilities catalog on April 22, 2026, with a remediation deadline of May 6 for federal agencies. The other two, RedSun and UnDefend, remain unpatched with no official Microsoft timeline for an out-of-band fix.
Why Latin America Is Particularly Exposed
Organizations in Latin America are being targeted at a rate 35-39% above the global average. According to Check Point Research, organizations in the region face an average of 2,640 cyberattacks per week. In the first half of 2025 alone, reported incidents increased 108% year-over-year. Ransomware breaches in the region surged 78% in 2025 according to Intel 471.
Government, military, healthcare, and communications are the most targeted sectors, but that framing creates a false sense of security for small and medium businesses. Attackers target SMBs precisely because they lack the defenses of large institutions while still holding data that has value.
The Patching Gap
According to Acronis telemetry from H2 2025, the global median time to install Microsoft patches is 185 hours, just under eight days. At the 90th percentile, it reaches 926 hours, or nearly 39 days. Those are global figures for organizations that are actively managed. For businesses without dedicated IT staff, the reality is considerably worse.
The OAS and Inter-American Development Bank's 2025 Cybersecurity Report found that most countries in Latin America remain at or below the second stage of five in cybersecurity maturity. Investment in research and innovation remains nascent, and cyber insurance adoption is limited. Both factors directly affect how businesses in the region respond when an incident actually occurs.
The Exploitation Window
In 2025, the average time-to-exploit for a high-severity CVE dropped to under five days. For critical vulnerabilities affecting major operating systems, that window is often under 24 hours. The traditional 'patch it next maintenance window' approach is not a strategy. It is a waiting room for a breach.
Seventy-four percent of attacks exploit known vulnerabilities. That is not a zero-day problem. That is a patching problem. The vulnerabilities being exploited were known, had patches available, and organizations simply had not applied them.
For BlueHammer specifically: the exploit was observed in the wild on April 10. The patch shipped April 14. That is a four-day exploitation window before any official fix existed. For RedSun and UnDefend, that window is open indefinitely.
The Tooling Problem
A significant percentage of businesses in Latin America rely on Windows Defender as their sole endpoint security layer. It is built in, it is free, and it requires no additional procurement. That is understandable. Right now, it is also an unmitigated risk.
The Cloud Security Alliance described it clearly: any organization relying exclusively on Defender for endpoint protection is currently operating with a significant, unmitigated gap. The three vulnerabilities compose into a coherent attack chain where UnDefend silently degrades Defender's threat intelligence while reporting the endpoint as healthy, and RedSun then escalates an unprivileged user to SYSTEM on a system that can no longer see the attack happening.
What Your Business Should Do Right Now
1. Verify the April 2026 Patch Tuesday update is installed on every endpoint. The BlueHammer patch was distributed as Antimalware Platform version 4.18.26050.3011. Do not rely on your management dashboard's compliance status. UnDefend's silent degradation capability means dashboard health reporting cannot be trusted on potentially compromised systems. Check the actual platform version on each endpoint directly.
2. Do not wait for RedSun and UnDefend patches. Implement compensating controls now. The most durable compensating control is supplementing Microsoft Defender with a third-party EDR product capable of detecting Defender bypass techniques. A third-party EDR that does not share the same trust boundary as Defender can detect the behavioral indicators of these exploits even when Defender cannot.
3. Enable Attack Surface Reduction rules in Microsoft Defender. Even partially configured ASR rules significantly raise the cost of exploitation. Restrict execution from user-writable directories, specifically Downloads, Pictures, and Temp. The observed attack pattern stages exploit binaries in exactly these locations.
4. Monitor for Defender tamper indicators. If UnDefend has been deployed in your environment, signature updates will stall. Set up out-of-band monitoring: check the actual signature timestamp and version on each endpoint against Microsoft's published update feed, rather than trusting the health status Defender reports. A stale signature combined with unusual process activity warrants immediate investigation.
5. Treat any hijacked VPN or remote access credential as a critical incident. The observed intrusion entered through a hijacked SSL VPN user account. Compromised credentials are the most common initial access method for attackers targeting LATAM organizations. Multi-factor authentication on all remote access is not negotiable.
6. Conduct a patching audit. If you do not know how long your average patch cycle takes, you do not know your exposure window. Audit your current patch status across all endpoints, including laptops that are off the network during maintenance windows.
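To make items 1 and 4 concrete, here is an added PowerShell check (not from the article, Huntress, or Microsoft) that reads the platform and signature state directly on an endpoint with Get-MpComputerStatus instead of trusting a dashboard. It assumes the patched platform version quoted above (4.18.26050.3011) as the minimum; the signature-age threshold and the latest published signature version (taken from Microsoft's Security Intelligence update page) are parameters you supply.

```powershell
# Added example: verify Defender platform and signature state on the endpoint itself.
# Assumptions: 4.18.26050.3011 is the patched platform version the article quotes;
# -MaxSignatureAgeDays and -ExpectedSignatureVersion are thresholds you supply.
function Test-DefenderPosture {
    param(
        [version]$MinPlatformVersion = '4.18.26050.3011',
        [int]$MaxSignatureAgeDays = 2,
        [version]$ExpectedSignatureVersion   # optional: latest version from Microsoft's feed
    )
    $s = Get-MpComputerStatus
    $platform   = [version]$s.AMProductVersion
    $sigVersion = [version]$s.AntivirusSignatureVersion
    $findings   = @()

    # Item 1: the BlueHammer fix ships with the platform update, so compare versions directly.
    if ($platform -lt $MinPlatformVersion) {
        $findings += "Platform $platform is below $MinPlatformVersion (April 2026 fix not present)"
    }
    # Item 4: a stalled update pipeline shows up as stale signatures, whatever the health flag says.
    if ($s.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Signatures are $($s.AntivirusSignatureAge) days old (last update $($s.AntivirusSignatureLastUpdated))"
    }
    if ($ExpectedSignatureVersion -and $sigVersion -lt $ExpectedSignatureVersion) {
        $findings += "Signature version $sigVersion is behind expected $ExpectedSignatureVersion"
    }
    if (-not $s.AMServiceEnabled -or -not $s.RealTimeProtectionEnabled) {
        $findings += 'Antimalware service or real-time protection is disabled'
    }
    if (-not $s.IsTamperProtected) {
        $findings += 'Tamper Protection is off'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PlatformVersion  = $platform
        SignatureVersion = $sigVersion
        SignatureAgeDays = $s.AntivirusSignatureAge
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

# Run locally on each endpoint, or fan out over WinRM to a hostname list (assumes remoting is enabled):
# Invoke-Command -ComputerName (Get-Content .\endpoints.txt) -ScriptBlock ${function:Test-DefenderPosture} |
#     Where-Object { -not $_.Healthy } | Format-List
```

Any endpoint that returns Healthy = False should be treated as a candidate for the investigation described in item 4, with the stale-signature case given priority.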
The Wider Lesson
The BlueHammer, RedSun, and UnDefend situation illustrates something security teams have understood for years but that rarely lands clearly with business owners: the tools defending you are also part of your attack surface.
A determined attacker does not need to find a novel exploit. They need to understand how your defenses work and find the gap in the logic. Defender's remediation mechanisms, its cloud file handling, and its update pipeline are complex, privileged processes. Complexity at privilege boundaries is where vulnerabilities live.
The answer is not to stop using Microsoft Defender. It is to not rely on any single layer of defense, especially not one whose own mechanisms are actively being weaponized. Defense in depth is not a budget conversation. It is the minimum viable posture for any business that cannot afford a significant incident.
Sources
- Huntress Labs: Nightmare Eclipse tooling observed in real-world intrusion (April 2026)
- Help Net Security: Three Microsoft Defender zero-days exploited in the wild (April 17, 2026)
- SOCRadar: BlueHammer, RedSun, and UnDefend Windows Defender 0-days (April 2026)
- Cloud Security Alliance: Research note on the Defender triple zero-day (April 19, 2026)
- CISA: Known Exploited Vulnerabilities catalog, CVE-2026-33825 (April 22, 2026)
- Check Point Research: Latin America 2025 Mid-Year Cyber Snapshot
- Intel 471: Region Report, Latin America 2025
- OAS / IDB: 2025 Cybersecurity Report, Latin America and the Caribbean
- Acronis: Cyberthreats Report H2 2025, The Patch Reality Gap
- J.P. Morgan Private Bank: The Cybersecurity Imperative, Latin America (March 2026)