Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
YellowKey: CVE-2026-45585. Patched June 09, 2026 (Patch Tuesday).
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
This is the eighth tool from this researcher in roughly ten weeks, and the second BitLocker bypass in the cluster after YellowKey.
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Only of interest is perhaps: \??\C:\Windows\win.ini and \??\X:\Windows\System32\winpeshl.ini Where X:\Windows\System32\winpeshl.ini is what controls what WinRE does when it fires up.
A malicious binary — autofstx.exe — is injected into this value, executing before the operating system fully loads and bypassing BitLocker’s pre-boot authentication entirely.
YellowKey is a Windows login bypass for an attacker with physical access... with physical access, you can access the filesystem with root privileges... Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE ( X: ). And we get a cmd.exe prompt, with bitlocker unlocked instead of the expected Windows Recovery environment.
The vulnerability originates in WinRE’s handling of the BootExecute registry value under HKLM\ControlSet001\Control\Session Manager. A malicious binary — autofstx.exe — is injected into this value, executing before the operating system fully loads...
Only of interest is perhaps: \??\C:\Windows\win.ini and \??\X:\Windows\System32\winpeshl.ini Where X:\Windows\System32\winpeshl.ini is what controls what WinRE does when it fires up.
A malicious binary — autofstx.exe — is injected into this value, executing before the operating system fully loads and bypassing BitLocker’s pre-boot authentication entirely.
YellowKey is a Windows login bypass for an attacker with physical access... with physical access, you can access the filesystem with root privileges... Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE ( X: ). And we get a cmd.exe prompt, with bitlocker unlocked instead of the expected Windows Recovery environment.
we tested this ourselves, and sure enough, not only does it work, it bears all the hallmarks of a backdoor, down to the exploit's files disappearing from the USB stick after it's used once.
Microsoft has also released patches to address CVE-2026-45585, a Windows BitLocker security feature bypass vulnerability for which a proof-of-concept (PoC) exploit called YellowKey was released ... "A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device," Microsoft said.
The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker... to make disk contents off-limits to anyone without the decryption key, which is stored in a secured piece of hardware known as a trusted platform module (TPM).
The result is a shell with unrestricted access to the BitLocker-protected volume, exposing all encrypted data without requiring the recovery key, PIN, or any credential.
On May 12, 2026, Chaotic Eclipse published a working proof of concept demonstrating a zero-day BitLocker bypass affecting Windows 11, Windows Server 2022, and Windows Server 2025. The technique requires approximately 60 seconds of physical access and a standard USB device, enabling a SYSTEM-level command shell with full access to a BitLocker-protected volume, without the need for a password, recovery key, or specialized tooling.
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named item tied to CVE-2026-45585 in the Chaotic Eclipse disclosures; Sophos lists detection as Troj/YellowKy-A. The related vulnerability is already known to be exploited in the wild.
Another BitLocker bypass in the same Nightmare-Eclipse tool cluster, referenced as a prior related capability.
A prior exploit in the same researcher cluster targeting Microsoft Defender or adjacent Windows security components, patched in June 2026.
A proof-of-concept payload that abuses WinRE early-boot transaction replay via TxF/CLFS artifacts to overwrite winpeshl.ini, causing WinRE to fall back to cmd.exe and yielding a SYSTEM-level shell with access to a TPM-only BitLocker-unlocked volume.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.