Six Zero-Days, a Banned Researcher, and Microsoft’s Digital Crimes Unit: The Chaotic Eclipse Feud Goes Nuclear
This is a developing story and the follow-up to our earlier coverage of Chaotic Eclipse’s Windows zero-day campaign. We’ll update as the situation evolves.
Six weeks ago, a pseudonymous researcher dropped three unpatched Windows zero-days on the internet and dared Microsoft to do something about it. Microsoft patched some. Didn’t patch others. And the researcher kept going.
Now there are six zero-days with public exploit code. Microsoft has gone nuclear – wiping the researcher’s GitHub account, publishing a blog post that reads like a legal threat, and invoking its Digital Crimes Unit. The researcher, now operating from a personal blog after being banned from both GitHub and GitLab, has promised something “bone shattering” for July 14, 2026 – the next Patch Tuesday.
What started as a frustrated security researcher’s protest has become the most consequential disclosure feud in recent memory. And it’s nowhere near over.
Where we left off
In our first article, we covered the initial wave: a researcher using the handles Chaotic Eclipse, Nightmare Eclipse, and Dead Eclipse had publicly released three zero-days – YellowKey (BitLocker bypass), GreenPlasma (privilege escalation via ctfmon.exe), and MiniPlasma (a ghost from CVE-2020-17103 that still works on fully patched Windows 11). All came with proof-of-concept code. All were dropped right after Microsoft’s monthly Patch Tuesday, like clockwork.
At the time, these were on top of three earlier exploits – BlueHammer, RedSun, and UnDefend – bringing the total to six zero-days released in about six weeks. We knew the motivation: frustration with Microsoft’s Security Response Center (MSRC). We didn’t yet know how far both sides were willing to go.
Now we do.
The patch scoreboard: 3 down, 3 to go
Let’s start with where things actually stand on the patches, because the picture has shifted significantly since our last article:
Patched (with CVEs)
- BlueHammer (CVE-2026-33825): Patched in the April 14 Patch Tuesday. This was the earliest drop and the first to get a fix.
- RedSun (CVE-2026-41091): Patched via an out-of-band Microsoft Defender update on May 21. This is a privilege escalation in the Microsoft Defender Malware Protection Engine that lets a low-privileged local attacker gain SYSTEM access via a link-following issue. Fixed in Defender engine version 1.1.26040.8. Critically, RedSun was confirmed actively exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities catalog.
- UnDefend (CVE-2026-45498): Also patched out-of-band on May 21 in the same Defender update (platform version 4.18.26040.7). UnDefend is a denial-of-service attack that locks Defender’s signature and definition files, effectively degrading or disabling protection. Also confirmed actively exploited. Also in CISA’s KEV catalog. Federal agencies have until June 3 to patch both.
Still unpatched
- YellowKey (CVE-2026-45585): The BitLocker bypass. Microsoft has assigned a CVE and issued mitigation guidance (remove autofstx.exe from WinRE’s BootExecute and switch to TPM+PIN), but a full patch is still not available. Microsoft labels it “exploitation more likely” with a working public PoC. Default BitLocker configurations remain vulnerable.
- GreenPlasma: The privilege escalation via ctfmon.exe. No CVE assigned. No patch. No mitigation. The public PoC currently triggers a UAC prompt, but a fully silent version is considered trivially achievable by security researchers.
- MiniPlasma: The ghost of CVE-2020-17103 via the Cloud Filter driver (cldflt.sys). Microsoft has assigned CVE-2026-33835 and CVE-2026-34337 for related Cloud Filter driver vulnerabilities and issued fixes around May 9-12. However, the specific MiniPlasma exploit variant and its implications continue to be discussed in the security community, with researchers noting that similar attack techniques may still have residual exposure paths. Appears mitigated in Insider Canary builds.
So: three patched, three still causing headaches. And the three that are patched? They were already being exploited in real attacks before the fixes shipped. BlueHammer, RedSun, and UnDefend have all been spotted in confirmed network intrusions by Huntress and other security firms. The PoCs were public. The threat actors moved fast.
Microsoft breaks its silence and points at the lawyer
For weeks, Microsoft’s only response to the escalating zero-day campaign was the standard “aware and investigating.” That changed on May 28, when MSRC published a blog post titled “A Shared Responsibility: Protecting Customers Through Coordinated Vulnerability Disclosure.”
The title sounds reasonable. The content is anything but.
Microsoft’s core argument: none of the six vulnerabilities were reported through official channels before being made public. Therefore, the disclosures were irresponsible. Therefore, the researcher put customers at risk. The post reaffirms Microsoft’s commitment to Coordinated Vulnerability Disclosure (CVD) and claims the process “ensures researchers are compensated for their responsible disclosures and publicly acknowledged for their expertise.”
And then comes the paragraph that made the entire security community sit up straight:
“Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world.”
That’s not a blog post about disclosure policy. That’s a threat. Microsoft is explicitly equating public vulnerability disclosure with criminal activity and signalling that its legal apparatus – the Digital Crimes Unit, which normally goes after botnet operators and ransomware gangs – is now pointed at a security researcher.
Microsoft declined to answer specific questions from The Register about whether it plans to sue the researcher, whether the researcher is a current or former employee, or whether it deleted the researcher’s MSRC reporting account as alleged.
GitHub, GitLab, and the de-platforming of a researcher
Before the legal threats came the platform bans.
On approximately May 23, GitHub – which is owned by Microsoft – flagged and wiped the researcher’s repositories and banned the account entirely. The exploit code for all six zero-days, previously hosted on GitHub, was removed.
The researcher quickly migrated to GitLab, reposting the PoCs on a new account. That lasted about three days. GitLab suspended the account on May 26-27 for hosting weaponized zero-day exploit code, citing platform policy violations.
With both major code-hosting platforms closed, Nightmare Eclipse is now publishing exclusively from a personal blog – deadeclipse666.blogspot.com – and signing posts with PGP keys to verify authenticity.
Here’s the uncomfortable reality: de-platforming the code doesn’t de-platform the vulnerability. The PoCs were already public. They’d been downloaded, mirrored, and incorporated into attack toolkits. Removing them from GitHub is a symbolic gesture at this point and a heavy-handed one that has drawn sharp criticism from parts of the security community.
Nightmare Eclipse responds: “I’m done begging you”
The researcher’s response came on May 24, in a PGP-signed blog post that directly addresses Microsoft. It is angry, personal, and worth reading in full. Key excerpts:
“When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people.”
“You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.”
“Now you take the courtesy to flag my GitHub account and wipe it out of the public, just like that? You are proving to everyone that you [are] actively escalating this conflict but I’m done begging you.”
The researcher claims to have documentation – “proof for every single word I said” – but says Microsoft “still has chains in my hands” preventing release. The language suggests the researcher may be a current or former Microsoft employee or contractor, bound by legal agreements. This would explain both the deep Windows knowledge and the acrimony.
And then, the line that made headlines everywhere:
“Mark this date July 14th, I will make sure your bones are shattered that day.”
July 14, 2026 is Patch Tuesday. The researcher has indicated no new releases are planned for June, though they “reserved the right to change course.” Previous posts warned of an escalation to remote code execution vulnerabilities.
Let me be clear: every single prior warning from this researcher was followed by an actual disclosure. The track record is 6-for-6.

The security community reacts
The response from the broader security community has been nuanced, critical of both sides but particularly pointed at Microsoft’s handling of the situation.
Katie Moussouris (Luta Security CEO, pioneered Microsoft’s bug bounty program)
Moussouris, who literally created Microsoft’s bug bounty program and coined the term “Coordinated Vulnerability Disclosure” to replace the loaded phrase “responsible disclosure,” didn’t mince words. She called Microsoft’s blog post “confusing” and “vaguely threatening,” noting:
“It confusingly claims their program ‘ensures researchers are compensated and publicly acknowledged’ in a statement answering a researcher who says he got neither.”
She also pointed out that Microsoft’s own post uses the outdated and subjective term “responsible disclosure” — the very term she retired at Microsoft years ago because “it got in the way of coordination when the two sides disagreed.”
On the deeper dynamic:
“The researcher’s grievances are serious and specific… It is the sound of someone who believes every legitimate channel was closed to them: GitHub account deleted, payments withheld, credit stripped, then publicly accused of violating CVD after Microsoft cut off their ability to coordinate.”
“The bugs are Microsoft’s. They wrote the code and they own the risk to customers. This is a David and Goliath dynamic we don’t like to see play out, especially since it’s users who lose when coordination negotiations fail.”
Dustin Childs (Zero Day Initiative, former Microsoft security)
Childs, who spent seven years on Microsoft’s security team and has decades of CVD experience on both sides, questioned Microsoft’s narrative:
“CVD is a two-way street. The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold.”
He also criticized Microsoft’s failure to provide clear defensive guidance, noting that “clear direction seems to be missing” for customers trying to protect themselves.
On Microsoft’s broader reputation:
“If anything, they are seen as difficult to work with, especially if your bug is Moderate instead of Critical. I’ve had researchers tell me that they stopped looking at Microsoft altogether because they were too difficult to work with.”
Kevin Beaumont (security researcher, former Microsoft employee)
Beaumont called the situation a “dumpster fire of Microsoft’s own making” and pointed out a delicious irony: Microsoft previously hired a hacker known as SandboxEscaper after she published zero-day PoCs for Microsoft products. The same behavior that Microsoft now characterizes as criminal was once a resume booster.
“If Microsoft’s tactic is to try to criminalise not following often arbitrary ‘responsible disclosure’ frameworks, good luck defending that in court — because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process.”
Muhammad Qasim Shahzad (systems engineer, LinkedIn)
“One person caused more enterprise-level damage in six weeks than most APT groups cause in a year. The gap between disclosure and weaponization is now measured in hours, not days. Your patching window is shrinking fast.”
Active exploitation is confirmed. This is not theoretical.
Let’s be crystal clear about something: this is no longer a disclosure debate happening in academic circles. These exploits are being used in real attacks against real organizations.
Huntress has confirmed that BlueHammer, RedSun, and UnDefend have all been seen in active network intrusions. Barracuda Networks reports that the exploit chain – combining privilege escalation via BlueHammer, RedSun, or MiniPlasma with Defender suppression via UnDefend – has been incorporated into confirmed attack campaigns.
CISA has added BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498) to its Known Exploited Vulnerabilities catalog. US federal agencies are required to patch CVE-2026-41091 and CVE-2026-45498 by June 3, 2026.
The time between PoC publication and active exploitation was measured in hours, not days. The “patch window” that security teams rely on to close vulnerabilities before attackers exploit them? Gone. Vaporized. The moment the code went public, the clock was already at zero.
The bigger picture: when disclosure goes nuclear
Strip away the personalities and the drama for a moment, because there’s something fundamentally important happening here that goes beyond one researcher and one company.
Coordinated Vulnerability Disclosure is a social contract. The researcher agrees to give the vendor time to fix the bug before going public. The vendor agrees to communicate in good faith, acknowledge the report, credit the researcher, and – crucially – pay a fair bounty. Both sides have obligations. When one side fails, the contract breaks down.
What we’re watching is what happens when that contract collapses completely.
The researcher says Microsoft ignored their reports, refused to communicate, paid nothing, deleted their reporting account, and then publicly shamed them in a CVE advisory. Microsoft says the researcher never used official channels, published weaponized code recklessly, and put customers at risk. Both narratives could be simultaneously true – and in this case, the truth probably involves generous helpings of failure on both sides.
But here’s what’s genuinely new and genuinely dangerous: Microsoft is weaponizing its legal infrastructure against a vulnerability researcher. The Digital Crimes Unit exists to fight botnets, ransomware, and organized cybercrime. Pointing it at someone who found bugs in your product – bugs that exist in your code – is an escalation that the security community is watching very, very closely.
Moussouris warned of a “chilling effect on other researchers.” Childs noted that researchers are already avoiding Microsoft because they’re “too difficult to work with.” If the consequence of a dispute with MSRC is a visit from the Digital Crimes Unit, how many researchers will simply stop looking at Microsoft products entirely? How many bugs will go unreported?
The bugs don’t disappear when researchers stop looking. They just get found by people who don’t report them at all.
What you should do right now
While Microsoft and Nightmare Eclipse wage war, Windows users are caught in the crossfire. Here’s the practical guidance:
Immediate Actions
- Update Microsoft Defender NOW. Ensure your Defender engine is at least 1.1.26040.8 and platform version 4.18.26040.7. This covers RedSun and UnDefend. Check with "C:\Program Files\Windows Defender\MpCmdRun.exe" -signatureinfo or via Windows Security settings.
- Apply May 2026 Patch Tuesday updates. These include fixes for the Cloud Filter driver vulnerabilities (CVE-2026-33835, CVE-2026-34337) related to MiniPlasma.
- Enable TPM+PIN for BitLocker. Not TPM-only. This is still the most effective mitigation against YellowKey. Yes, it’s inconvenient. Do it anyway.
- Check CISA KEV compliance. If you’re a US federal agency (or follow KEV for prioritization), BlueHammer, RedSun, and UnDefend are on the list. The deadline for RedSun and UnDefend is June 3.
- Assume YellowKey and GreenPlasma are live threats. Public PoCs exist. No patches exist. Treat any machine using default BitLocker settings as potentially compromised if physically accessed.
Defensive Posture
- Monitor for lateral movement. The confirmed attack chains combine privilege escalation with Defender suppression. Watch for unexpected SYSTEM-level activity, Defender being disabled or having its signatures locked, and privilege escalation from standard user contexts.
- Layer your defenses. With three zero-days still unpatched, no single control is sufficient. Combine endpoint detection, network segmentation, application allowlisting, and physical security controls.
- Watch for July 14. Whatever Nightmare Eclipse is planning, it’s coming. Have your incident response plans ready and your patch processes as fast as they can be. The researcher’s track record is 100% on following through on threats.
- Check your Defender isn’t silently degraded. UnDefend works by locking Defender’s signature files. Verify that Defender is actually updating and scanning — not just running with stale or locked definitions.
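As an added example (not from the article, Microsoft, or the researcher), here is a PowerShell audit that turns the Immediate Actions and the “silently degraded Defender” item above into one check: it compares the running Defender engine and platform against the fixed versions named here, flags signatures that have not updated recently, and reports any BitLocker volume still on a TPM-only protector. The 24-hour staleness threshold is an assumption; run it in an elevated PowerShell session on the host you are assessing.

```powershell
# Added audit script (not from the article). Version thresholds are the fixed
# Defender builds named in the article; the signature-age limit is assumed.
$MinEngine      = [version]'1.1.26040.8'   # RedSun fix (Defender engine)
$MinPlatform    = [version]'4.18.26040.7'  # UnDefend fix (Defender platform)
$MaxSigAgeHours = 24                       # assumed: older than this is suspicious

$findings = New-Object System.Collections.Generic.List[string]

# --- Defender engine / platform / signature freshness ------------------------
$mp       = Get-MpComputerStatus
$engine   = [version]$mp.AMEngineVersion
$platform = [version]$mp.AMProductVersion
if ($engine -lt $MinEngine) {
    $findings.Add("Defender engine $engine < $MinEngine : RedSun (CVE-2026-41091) fix missing")
}
if ($platform -lt $MinPlatform) {
    $findings.Add("Defender platform $platform < $MinPlatform : UnDefend (CVE-2026-45498) fix missing")
}
# UnDefend degrades Defender by locking its definition files, so a Defender that
# reports "running" but has stopped updating signatures is a warning sign.
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
if ($sigAge.TotalHours -gt $MaxSigAgeHours) {
    $findings.Add(("Signatures last updated {0:N1} h ago (version {1}); check for locked or stale definitions" -f $sigAge.TotalHours, $mp.AntivirusSignatureVersion))
}
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }
if (-not $mp.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }

# --- BitLocker key protector type (YellowKey mitigation is TPM+PIN) ----------
foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker $($vol.MountPoint): protection is $($vol.ProtectionStatus)")
        continue
    }
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    if (($types -contains 'Tpm') -and -not $hasPin) {
        $findings.Add("BitLocker $($vol.MountPoint): TPM-only protector; switch to TPM+PIN (Add-BitLockerKeyProtector -TpmAndPinProtector)")
    }
}

# --- Report ------------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Host 'OK: Defender at or above fixed versions, signatures fresh, BitLocker volumes use TPM+PIN.'
} else {
    Write-Host "Findings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

A data volume unlocked automatically by the OS drive will show only an ExternalKey protector and is not flagged; the TPM-only check targets the OS volume that YellowKey concerns.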
The Bottom Line
Six zero-days. A researcher banned from every major code-hosting platform. Microsoft’s Digital Crimes Unit being pointed at the person who found the bugs instead of the bugs themselves. Active exploitation confirmed in the wild. And a countdown to July 14 that nobody in the security community is dismissing as bluster.
Chaotic Eclipse may have started this fight. But Microsoft’s response — the de-platforming, the legal threats, the public shaming while refusing to answer basic questions about its own conduct — has turned a disclosure dispute into something much bigger. The security community’s reaction isn’t sympathy for reckless disclosure. It’s alarm at a multitrillion-dollar company treating vulnerability researchers as criminals.
The bugs in Windows are Microsoft’s. They wrote the code. They own the risk. And right now, three of those bugs still have public exploit code and no patch, while Microsoft and the researcher who found them are busy destroying each other.
July 14 is 47 days away. The clock is ticking.
Sources
- Microsoft MSRC — A Shared Responsibility: Protecting Customers Through Coordinated Vulnerability Disclosure
- The Register — Microsoft 0-day feud escalates as researcher threatens another Windows exploit dump
- The Hacker News — Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal
- Tom’s Hardware — Microsoft’s GitHub bans security researcher who posted zero-day Windows exploits
- Notebookcheck — Nightmare Eclipse banned from GitHub and GitLab, vows July 14 attack
- Windows Central — Security researcher’s GitHub and Microsoft accounts deleted
- Cybernews — GitHub bans researcher releasing Windows zero-days
- Nightmare Eclipse — July 14th (PGP-signed blog post)
- Huntress — Nightmare Eclipse intrusion analysis
- Kevin Beaumont — Microsoft’s stance on zero-day exploits is a dumpster fire of their own making
- StudioGlobal — Chaotic Eclipse zero-day timeline and analysis