BlueHammer is a publicly released Windows local privilege escalation exploit targeting Microsoft Defender/Windows Defender, tracked as CVE-2026-33825. It was released by Nightmare-Eclipse, also referred to as Chaotic Eclipse, in early April 2026 and was later patched by Microsoft in the April 2026 Patch Tuesday update; CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on 2026-04-22. BlueHammer is described as exploiting a TOCTOU race condition in Defender’s signature update or threat remediation workflow rather than memory corruption or a kernel flaw. Reported techniques in the content include abuse of Defender’s update process, Volume Shadow Copy Service, Cloud Files callbacks, opportunistic locks, path confusion, and reparse-point or symbolic-link redirection to expose protected registry hives including SAM, SYSTEM, and SECURITY. The exploit can leak the SAM hive, extract NTLM password hashes for local accounts, temporarily change a local administrator password, authenticate, and attempt to create a service or shell running as NT AUTHORITY\SYSTEM; some reporting notes that on Windows Server it may yield elevated administrator privileges rather than full SYSTEM. The content also states BlueHammer restores the original password or hash quickly to reduce detection opportunities.
Behavioral artifacts directly mentioned in the content include downloading the Windows Defender signature update package mpam-fe directly via WinINet as a low-privileged user, with mpam-fe[1].exe appearing in INetCache as a characteristic artifact; extracting mpengine.dll and Defender signature database files such as mpasbase.vdm, mpasdlta.vdm, mpavbase.vdm, and mpavdlta.vdm into a UUID-named subdirectory of %TEMP%; temporary password changes of privileged local accounts including the built-in Administrator; and, in one technical description, use of the hardcoded password string $PWNed666!!!WDFAIL. Additional strings and artifacts mentioned include the Cloud Files provider name IHATEMICROSOFT, Defender detections Exploit:Win32/DfndrPEBluHmr.BB and Exploit:Win32/DfndrPEBluHmr.BZ, and monitoring opportunities around symbolic-link or reparse-point creation under Defender definition update paths, VSS snapshot access, and anomalous %TEMP% writes resembling SAM hive artifacts.
BlueHammer requires an attacker to already have code execution or a foothold on the target host and is therefore a post-compromise privilege-escalation tool. Huntress reported in-the-wild use of BlueHammer alongside RedSun and UnDefend in a live intrusion where initial access came from compromised FortiGate SSL VPN credentials, followed by reconnaissance and likely tunneling activity. In the observed case, BlueHammer binaries were staged from user-writable directories, including a sample named FunnyApp.exe in a victim user’s Pictures folder, although Huntress stated the observed BlueHammer privilege-escalation attempts did not appear to succeed in that intrusion.
This is a common artifact of successful exploitation of the BlueHammer Windows Defender privilege escalation. The attacker's process momentarily changes the passwords of high-value local accounts including the built-in Administrator to spawn an authenticated shell session, then immediately reverts the passwords to avoid detection.
BlueHammer is a Windows local privilege escalation (LPE) exploit that allows a threat actor who already has a foothold on a system to elevate from a low-privileged user account to full SYSTEM-level control.
This enables an attacker to read the SAM database, decrypt NTLM password hashes, take over a local administrator account, and spawn a SYSTEM-level shell, while restoring the original hash to avoid detection.
Detects DNS queries to definitionupdates.microsoft.com or the go.microsoft.com fwlink redirect used for Windows Defender (WD) update downloads, when the querying process is not a Windows system component. BlueHammer utilizes these definition updates as part of its exploit chain.
Threat actors were observed deploying the tools under disguised filenames such as FunnyApp.exe, gaining initial access through compromised FortiGate VPN credentials before pivoting to Defender exploits for privilege escalation.
These admin sessions are ultimately leveraged to elevate to SYSTEM level by copying the SYSTEM token and creating processes as this user.
On Windows Server the code did not work as intended... it elevates privileges not to SYSTEM level, but from an ordinary user to an administrator with elevated privileges (that is, it bypasses the mechanism that normally requires the user to manually confirm an operation requesting full access).
If successful, the attacker gains access to the Security Account Manager (SAM) database, where the password hashes of local accounts are stored.
A Windows Defender exploit tool that abuses a TOCTOU race condition in Defender’s threat remediation engine to achieve SYSTEM-level privilege escalation.
A Windows local privilege escalation exploit that abuses the Windows Defender update process via Volume Shadow Copy, Cloud Files callbacks, and oplocks to expose SAM, SYSTEM, and SECURITY registry hives, enabling NTLM hash extraction, local administrator takeover, and spawning a SYSTEM-level shell while restoring the original hash to reduce detection.
A Windows Defender privilege-escalation tool/exploit that temporarily changes high-value local account passwords, including the built-in Administrator, to spawn an authenticated shell session and then reverts the passwords to reduce detection.
A tool/malware referenced in the detection as downloading Windows Defender signature update packages directly via WinINet as a low-privileged user, leaving mpam-fe[1].exe artifacts in INetCache. The behavior is associated with exploitation for privilege escalation and ingress tool transfer.