UnDefend is a Microsoft Defender-focused denial-of-service and defense-evasion tool released publicly by the researcher cluster known as Nightmare-Eclipse, also referenced as Chaotic Eclipse. It is part of the same toolkit family as BlueHammer and RedSun and has been described as a modern Windows Defender "killer" that can be used without administrative rights by abusing logic flaws in Defender’s privileged operations. Its primary purpose is to disrupt Defender’s protection rather than provide initial access.
Based on the provided content, UnDefend can silently freeze Defender’s signature update pipeline, suppress Defender telemetry when used early in an intrusion chain, and degrade endpoint protection over time without triggering health alerts. The content also states it can falsely report Defender as healthy and current to EDR management consoles. In a more aggressive mode, it can fully disable Defender when a major platform update is pushed. Multiple sources in the content characterize it as a Defender capability bypass and specifically as a DoS tool against Microsoft Defender.
UnDefend is associated with real-world intrusion activity. Huntress reported in-the-wild use of Nightmare-Eclipse tooling including BlueHammer, RedSun, and UnDefend in live attacks following initial access via compromised FortiGate SSL VPN credentials. In the observed intrusion, UnDefend binaries were executed from user-writable directories under Downloads using names such as undef.exe and z.exe, including command lines such as "undef.exe -h" and "undef.exe -agressive". Huntress assessed the operator appeared inexperienced with the tool, and in that case the process was terminated during response; the report states UnDefend may have partially executed. The content also notes that BlueHammer, RedSun, and UnDefend were all confirmed active in the wild.
Patch status in the provided material is inconsistent across sources. Some content states UnDefend had no CVE and no patch at the time of writing, while later reporting states it was assigned CVE-2026-45498, patched out-of-band on May 21, 2026, and added to CISA KEV. High-confidence indicators directly mentioned for observed use include filenames such as undef.exe and z.exe and executions from paths like C:\Users[REDACTED]\Downloads\ks\undef.exe, C:\Users[REDACTED]\Downloads\kk\undef.exe -agressive, and C:\Users[REDACTED]\Downloads\ks\z.exe.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Huntress researchers documented real-world intrusion chains using BlueHammer, RedSun, and UnDefend in live attack sequences.
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Huntress researchers documented real-world intrusion chains using BlueHammer, RedSun, and UnDefend in live attack sequences.
UnDefend provides a Defender capability bypass. Used early, it suppresses the telemetry the rest of the chain would otherwise generate.
Huntress researchers documented real-world intrusion chains using BlueHammer, RedSun, and UnDefend in live attack sequences.
Huntress researchers documented real-world intrusion chains using BlueHammer, RedSun, and UnDefend in live attack sequences.
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Threat actors were observed deploying the tools under disguised filenames such as FunnyApp.exe, gaining initial access through compromised FortiGate VPN credentials before pivoting to Defender exploits for privilege escalation.
ReadDirectoryChangesW watches the Definition Updates staging dir, FILE_SHARE_WRITE but no FILE_SHARE_READ means Windows Update can keep writing but MsMpEng.exe gets STATUS_SHARING_VIOLATION on every load attempt. The backup files are exclusively locked before the main attack even starts.
UnDefend can be weaponized to trigger a denial-of-service condition and effectively block Defender definition updates... UnDefend allows a standard user to block Microsoft Defender from receiving signature updates or disable it entirely... causing Defender to stop responding entirely.
UnDefend handles defense evasion: it blocks Defender signature updates in passive mode, fully disables Defender in aggressive mode, and lies to the EDR console about its own health status.
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Defender capability bypass used for defense evasion and telemetry suppression within the broader toolkit chain.
Another exploit from the same cluster, noted as having been used in real-world intrusion chains and later patched.
A Windows Defender exploit tool that disables or stalls Defender signature updates without raising health alerts, weakening endpoint protection over time.
Named as a companion tool released alongside BlueHammer and RedSun as part of a set of attacks abusing Windows Defender to disrupt systems or elevate privileges, but no further technical detail is provided in the content.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.