Chaotic Eclipse is an anonymous actor publicly associated with a series of Microsoft Windows zero-day disclosures tracked since April 2026. The content states the actor has operated under the names Chaotic Eclipse and Nightmare Eclipse. Reported disclosures attributed to this actor include YellowKey, GreenPlasma, MiniPlasma, and UnDefend. YellowKey was disclosed on May 12, 2026 as a BitLocker security feature bypass affecting Windows 11, Windows Server 2022, and Windows Server 2025. According to the cited reporting, it allows an attacker with roughly 60 seconds of physical access and a USB device to obtain a SYSTEM-level shell in WinRE on TPM-only BitLocker systems without a password or recovery key. Microsoft assigned CVE-2026-45585 to this issue and confirmed it relies on autofstx.exe execution via the BootExecute value in WinRE. The described technique uses crafted TxF and CLFS artifacts to overwrite WinRE's winpeshl.ini so WinRE falls back to cmd.exe after the BitLocker-protected volume has been unlocked by the TPM. The content notes the payload contained no executables, scripts, or compiled binaries and could be staged from removable media or the EFI system partition. GreenPlasma is described as a privilege-escalation technique abusing Windows object manager behavior by creating an arbitrary memory section object in a directory object writable by SYSTEM, using object manager symbolic links and CTF-related namespaces to redirect trusted paths. MiniPlasma is described as a local privilege-escalation technique targeting a race condition in cldflt.sys, linked to the code path previously associated with CVE-2020-17103. The published MiniPlasma proof of concept reportedly used CfAbortOperation from cldapi.dll, manipulated CloudFiles-related registry paths, triggered the Windows Error Reporting QueueReporting scheduled task, and exposed the named pipe MiniPlasmaWERPipe as an artifact. Separately, a Reddit post cited in the content attributes UnDefend to Chaotic Eclipse and claims it is the actor's third Microsoft Defender zero-day. The post claims UnDefend can block Defender signature updates from a standard user account without administrator privileges using multiple locking and monitoring mechanisms, while still allowing Windows Update to write files. It further claims protections against engine restart, separate targeting of the Malicious Software Removal Tool, and a withheld mechanism involving MSFT_MpComputerStatus. These UnDefend details are presented as claims from the Reddit post, and the content states no CVE had been assigned. The provided content does not attribute Chaotic Eclipse to any nation-state sponsor or country.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
42 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
7 malware families attributed to this actor across reporting.
2 additional families tracked in Mallory.
3 CVEs this actor has used in observed campaigns. 3 of them exploited in the wild.
For background on the earlier tools in this series, see our analysis of BlueHammer (CVE-2026-33825) and RedSun (CVE-2026-41091).
For background on the earlier tools in this series, see our analysis of BlueHammer (CVE-2026-33825) and RedSun (CVE-2026-41091).
UnDefend: CVE-2026-45498. Patched out-of-band May 21, 2026. Added to CISA KEV.
5 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Publicly disclosing and releasing proof-of-concept exploit techniques targeting Microsoft Windows, including YellowKey for BitLocker/WinRE bypass, GreenPlasma for privilege escalation through Windows internals, and MiniPlasma for local privilege escalation via the Cloud Files filter driver.
Presented as the actor or researcher behind 'UnDefend,' described here as releasing a third Microsoft Defender zero-day that blocks signature updates without requiring administrator privileges.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.