Nightmare Eclipse.
Reportedly a former Microsoft security employee.
The story: they found critical vulnerabilities inside Microsoft. reported them internally. Microsoft ignored the reports, deleted their accounts, and refused to pay the bug bounties.
so they went public.
Timing every release to drop within hours of Microsoft's monthly Patch Tuesday, the day Microsoft fixes other vulnerabilities, so the new ones land before defenders have time to breathe.
here's what they've dropped since April:
BlueHammer, CVE-2026-33825. exploits Microsoft Defender to redirect SYSTEM-level file writes into System32. patched. then actively exploited by real attackers within days.
RedSun — SYSTEM-level privilege escalation via Defender. now in live attacks.
UnDefend — blocks Defender from receiving definition updates entirely. observed in live intrusions. your antivirus stops updating. silently.
YellowKey — bypasses BitLocker on TPM-only configurations. fixed June Patch Tuesday.
GreenPlasma — SYSTEM-level privilege escalation via CTFMON. fixed June Patch Tuesday.
MiniPlasma — resurrected a patched 2020 flaw that Microsoft let regress.
RoguePlanet — the latest. no CVE. no patch. dropped June 9, hours after Patch Tuesday.
now let's talk about RoguePlanet specifically because it's the most alarming.
it exploits a race condition in Microsoft Defender itself. the component designed to protect your system runs as SYSTEM — the highest privilege level on Windows. it has to, so it can quarantine and delete malware anywhere on disk.
RoguePlanet tricks Defender into performing a SYSTEM-level file write into a location the attacker controls. The result: a standard user gets a command prompt running as NT AUTHORITY\SYSTEM on a fully patched Windows 10 or 11 machine.
Microsoft hardened Defender in May to block this class of attack. Nightmare Eclipse rewrote it to bypass the hardening and released it the same day as Patch Tuesday.
ThreatLocker independently confirmed it works on fully patched Windows 11.
BlueHammer, RedSun, and UnDefend the earlier releases were already picked up by real threat actors and used in live intrusions. Huntress documented this. a researcher dropping PoC exploits to punish a corporation is one thing. those exploits getting weaponized by ransomware groups is something else entirely.
Microsoft's response:
they flagged the researcher's blogs. took down their GitHub. threatened legal action. called it potential criminal activity.
the cybersecurity community responded with fury. researchers don't work for Microsoft. if a company ignores internal reports and refuses to pay bounties, public disclosure is the entire point of responsible disclosure culture.
Microsoft backed down. said they had no intention of pursuing legal action against security researchers.
Nightmare Eclipse released RoguePlanet the same week.
Microsoft built a bug bounty program to stop exactly this.
they ignored the reports.
now every Windows machine on earth is waiting for a patch that doesn't exist yet.
@AudeJavel79 Eux ils ont eu une glace dans certains endroits les employés n'ont droits à rien.... C'est plus marche ou crève, c'est devenue travail et crève et surtout en silence
🚨 ESPORT MANAGER EST ENFIN DISPONIBLE ! 😍
Pour célébrer la sortie de @esportsmanager, avec la présence de nos casters intégrée dans le jeu, on vous fait gagner une clé Steam ! 🥰
👥 Follow @CroissantStrike & @esportsmanager
🔃 RT ce tweet
🗓️ Tirage au sort le 11 juillet
@malekCSGO@YouTube Ils ont detruis un jeu, et la masse continue d'ouvrir des caisses et d'acheter des skins comme si le jeu était fini et avec un bon anti triche.... Valve a simplement ruiné ce jeu et se moque ouvertement des joueurs