A security researcher using the aliases Chaotic Eclipse and Nightmare-Eclipse publicly released working exploit code on GitHub for BlueHammer, an unpatched Windows local privilege escalation flaw in Microsoft Defender's signature update process. Independent testing by Will Dormann and others found that the exploit worked, though reliability varied by platform and configuration. The attack abuses a TOCTOU race condition and path confusion in Defender's update workflow, chaining components such as VSS, the Cloud Files API, and opportunistic locks to expose the protected SAM, SYSTEM, and SECURITY registry hives, extract NTLM password hashes, and elevate a low-privileged user to NT AUTHORITY\SYSTEM.
Microsoft initially responded with a Defender detection signature for the published proof of concept, but researchers warned that blocking one binary by signature did not address the underlying logic flaw. The issue was later tracked as CVE-2026-33825 and patched by Microsoft on April 14, 2026, after which CISA added it to the Known Exploited Vulnerabilities catalog and ordered U.S. federal civilian agencies to remediate it within two weeks. Huntress reported that the vulnerability was being used in zero-day intrusions involving hands-on-keyboard activity, and follow-on tooling such as BlueSAM showed how quickly the public disclosure was adapted for offensive use.

Timeline: 9 events, most recent first, from the latest confirmed update back to the earliest known activity.
CISA confirmed that ransomware gangs are exploiting CVE-2026-33825 (BlueHammer), marking an escalation from earlier reports of zero-day abuse to ransomware-linked activity. The update was reflected in CISA's KEV entry for the Microsoft Defender local privilege escalation flaw.
On 2026-04-23, CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog and ordered U.S. federal civilian agencies to patch the BlueHammer flaw within two weeks. The directive set a remediation deadline of 2026-05-07 for FCEB agencies after CISA confirmed exploitation in zero-day attacks.
Huntress Labs reported that attackers were actively exploiting BlueHammer and related Defender zero-days in broader intrusions involving hands-on-keyboard activity, suspicious FortiGate SSL VPN access, and infrastructure including a source IP geolocated to Russia. This established that the flaw had moved from public proof of concept to observed zero-day exploitation.
On 2026-04-17, a GitHub repository called BlueSAM was referenced as a Cobalt Strike Beacon Object File for exploiting BlueHammer to obtain a copy of the Windows SAM database. The posting indicated follow-on offensive tooling had emerged around the vulnerability.
Microsoft patched the BlueHammer vulnerability, tracked as CVE-2026-33825, on 2026-04-14 during Patch Tuesday. The fix addressed the Microsoft Defender privilege escalation flaw that allowed a low-privileged local attacker to gain SYSTEM privileges on unpatched Windows devices.
Microsoft responded by releasing a Defender detection signature, Exploit:Win32/DfndrPEBluHmr.BB, aimed at the original compiled BlueHammer proof of concept. Reporting said this was detection for a specific binary and did not remediate the underlying privilege escalation flaw.
Subsequent reporting revealed that BlueHammer abuses Microsoft Defender's signature update workflow by chaining components such as VSS, the Cloud Files API, opportunistic locks, and filesystem redirection to expose the protected SAM, SYSTEM, and SECURITY registry hives. These details clarified that the attack relied on Windows logic flaws rather than memory corruption or a kernel bug.
Independent testing by Will Dormann confirmed that BlueHammer works as a local privilege escalation technique, though multiple reports noted reliability issues and inconsistent behavior on some platforms. His validation established that the flaw could expose the SAM database and enable escalation to elevated privileges or SYSTEM.
On 2026-04-03, a researcher using the aliases Chaotic Eclipse and Nightmare-Eclipse publicly released working BlueHammer exploit code for an unpatched Windows local privilege escalation flaw. Reports say the issue had been privately disclosed to Microsoft beforehand, but was published without a patch after the researcher criticized MSRC's handling of the report.
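The timeline above notes that Microsoft's first response was a Defender signature (Exploit:Win32/DfndrPEBluHmr.BB) for the compiled proof of concept and that the real fix shipped on 2026-04-14. A responder triaging a fleet wants two answers per host: did the published PoC ever trip that signature here, and has the host taken any update since Patch Tuesday. The PowerShell below is an added triage script written for this page, not code from the researcher, Microsoft, or any of the sources cited; it uses only the built-in Defender cmdlets and Get-HotFix. It assumes nothing beyond what the reporting states except the specific KB number that carries the CVE-2026-33825 fix, which the page does not give, so the patch check is a date heuristic rather than proof of remediation.

```powershell
# Added triage script (not from the original reporting). Checks a single host for
# (1) Defender detections of the BlueHammer PoC signature named in the coverage,
# (2) the Defender platform/engine/signature versions in use, and
# (3) whether any OS update has been installed since the 2026-04-14 fix shipped.
# Assumption (not stated on the page): the KB that carries the CVE-2026-33825 fix,
# so step (3) only narrows the question; confirm the KB against Microsoft's advisory.
# Run from an elevated PowerShell prompt on the host being checked.

$SignatureName = 'Exploit:Win32/DfndrPEBluHmr.BB'   # Microsoft's signature for the compiled PoC
$PatchTuesday  = Get-Date '2026-04-14'              # date the CVE-2026-33825 fix shipped

# 1. Has the PoC signature ever fired on this host? Join each matching threat record
#    to its detection events so we also see the process and user that triggered it.
$threats = Get-MpThreat | Where-Object { $_.ThreatName -eq $SignatureName }
$hits = foreach ($t in $threats) {
    Get-MpThreatDetection | Where-Object { $_.ThreatID -eq $t.ThreatID } |
        Select-Object @{ n = 'ThreatName'; e = { $t.ThreatName } },
                      InitialDetectionTime, ProcessName, DomainUser,
                      @{ n = 'Resources'; e = { $_.Resources -join '; ' } }
}
if ($hits) {
    Write-Warning "Defender logged $($hits.Count) detection(s) of $SignatureName on this host:"
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No Defender detections of $SignatureName recorded on this host."
}

# 2. Record the Defender versions. The signature only blocks one known binary, so the
#    platform/engine/signature set matters for correlating with vendor guidance.
$status = Get-MpComputerStatus
[PSCustomObject]@{
    Platform           = $status.AMProductVersion
    Engine             = $status.AMEngineVersion
    Signatures         = $status.AntivirusSignatureVersion
    SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
    RealTimeProtection = $status.RealTimeProtectionEnabled
} | Format-List

# 3. Heuristic patch check: list updates installed on or after Patch Tuesday.
#    An empty list means the host still lacks the April fix; a non-empty list is
#    necessary but not sufficient, since only the correct KB closes CVE-2026-33825.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn -Descending
if ($recent) {
    Write-Output "Updates installed since $($PatchTuesday.ToShortDateString()):"
    $recent | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Warning "No updates installed since $($PatchTuesday.ToShortDateString()); treat this host as unpatched for CVE-2026-33825."
}
```

A hit in step 1 means the compiled PoC ran on the host, which warrants the same investigation as any confirmed hands-on-keyboard activity rather than closure as "blocked by AV"; an unpatched result in step 3 is the condition the KEV deadline of 2026-05-07 is meant to eliminate.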