Nightmare-Eclipse: six zero-days, six weeks and one big grudge
A closer look at the solo campaign systematically dismantling Microsoft's security stack
Key takeaways
- Nightmare-Eclipse (Chaotic Eclipse) is a malicious actor driven by a personal grievance against Microsoft.
- The exploits published by this threat actor have been observed in threat activity linked to Russian-geolocated infrastructure.
- Defenders should prioritize patching CVE-2026-33825, hardening BitLocker and layering network detection and identity controls that operate independently of the compromised endpoint.
Not all threat actors are ransomware groups or state-sponsored threats. Today we’re looking at one person with deep knowledge of Windows internals and an equally deep grudge against Microsoft.
Nightmare-Eclipse (Dead Eclipse, Chaotic Eclipse, Eclipse) is a malicious actor who has released six Windows zero-day exploits since early April 2026 in what multiple researchers describe as an escalating retaliatory campaign against Microsoft. Eclipse doesn't fit neatly into traditional threat intelligence categories — they don’t appear to be seeking profit, advancing a social cause or pursuing geopolitical objectives. They appear to be a single security researcher driven by personal vengeance, deliberately unleashing dangerous exploits that others are now using in real-world attacks. Defenders and researchers should respond to Nightmare-Eclipse as seriously as any other threat actor, even though they operate alone and outside the usual ecosystem.
Here's your quick look at Nightmare-Eclipse:
| Attribute | Details |
| --- | --- |
| Threat type | Malicious actor — a rogue security researcher conducting retaliatory zero-day disclosure against Microsoft. Operates alone, driven by personal grievance. |
| Unique trait | Targets Microsoft's own defensive tools — turning Defender, BitLocker and core Windows subsystems into attack surfaces rather than bypassing them. |
| Motivation | Personal grievance. Claims Microsoft violated an agreement and "left me homeless with nothing." No evidence of financial motive or nation-state affiliation. |
| Targets | Microsoft Windows ecosystem broadly. Windows 10, Windows 11, and Windows Server 2016–2025, though it varies by exploit. |
| Disclosure method | Proof-of-concept code published to GitHub, timed immediately after Patch Tuesday to maximize the vulnerability window. |
| Known exploits and Common Vulnerabilities and Exposures (CVEs) | BlueHammer (CVE-2026-33825, patched), RedSun (silently patched per researcher, no CVE), UnDefend (unpatched), YellowKey (unpatched), GreenPlasma (unpatched), MiniPlasma (unpatched) |
| Active exploitation | Confirmed by Huntress Labs as of April 10, 2026. Intrusion activity linked to Russian-geolocated infrastructure. |
The exploits published by Eclipse have already been weaponized in real-world intrusions, added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog, and forced an emergency patch cycle, and the researcher isn't stopping there. In earlier disclosures, the researcher promised more to come, including remote code execution vulnerabilities, and claimed to have deployed a 'dead man's switch' that would automatically release additional exploits. The most recent release, MiniPlasma, came with no new threats and no rhetoric, just working exploit code. It's hard to say whether that restraint means anything.
What's in a name?
This malicious actor uses the name ‘Nightmare-Eclipse’ as a GitHub handle. Both ‘Chaotic Eclipse’ and ‘Dead Eclipse’ are attached to their blog. Chaotic Eclipse appears in the blog name, and Dead Eclipse is in the URL and listed in the ‘About Me’ section.
Here's the GitHub profile:
Nightmare-Eclipse GitHub profile
Chaotic Eclipse - Dead Eclipse blog profile
It’s hard to say whether the "eclipse" motif has any significance. It could be a metaphor for eclipsing/overtaking Microsoft security or darkening the Microsoft name. The blog URL includes ‘666’ and ‘deadeclipse,’ and the name includes ‘chaotic.’ We don’t have to dig deep to find meaning here.
As for the exploits, the first five are named with a color + noun:
- BlueHammer — Blue is Microsoft's brand color, and a hammer is a blunt-force tool. This is about hammering Microsoft's own branded product.
- RedSun — Red signals danger. This exploit sheds light on Microsoft Defender's flaws through a different code path than BlueHammer.
- UnDefend — A portmanteau that mocks Windows Defender directly: un-Defend, as in making Defender unable to defend.
- YellowKey — Yellow signals caution, and the key references unlocking BitLocker-protected drives.
- GreenPlasma — Green signals go/execution. Plasma suggests energized power — gaining elevated privileges.
MiniPlasma is the most recent release, and the first name to break the color + noun pattern. "Mini" references either the Cloud Files Mini Filter Driver it targets, or the fact that it's a smaller companion to GreenPlasma. Either way, the ‘Plasma’ link ties it to the broader privilege escalation theme.
The naming convention appears to be designed for memorability and anti-Microsoft sentiment.
Actor identity: unknown, possible insider
Nightmare-Eclipse's real identity remains unknown, but they appear to be a security researcher who may be a former Microsoft employee. This rumor has not been verified, but the depth of knowledge shown by Eclipse suggests insider-level familiarity with Microsoft's codebase and architecture. The Chaotic Eclipse blog seems to support this:
I never wanted to reopen a blog and a new github account to drop code...
But someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.
The posts, promises and threats escalate from there.
They also allege that Microsoft Security Response Center (MSRC) personnel directly threatened them:
"I was told personally by them that they will ruin my life and they did."
Whether this person is a former employee, a former contractor, or an external researcher with a professional history tied to Microsoft remains an open question. What isn't in question is that Nightmare-Eclipse has demonstrated a sustained ability to identify and exploit zero-day vulnerabilities in core Windows components, and that they have chosen to weaponize that ability in a deliberate campaign. These are the actions of a malicious actor — not a whistleblower, not a responsible disclosure advocate and not a neutral researcher.
The six zero-days
As of this writing, Nightmare-Eclipse has released six exploit tools:
BlueHammer — CVE-2026-33825 | PATCHED
A Windows Defender privilege escalation flaw that lets an attacker who already has normal user-level access escalate to SYSTEM-level privileges. In practical terms, a limited foothold on a Windows machine can become a much deeper compromise, allowing access to sensitive local credentials and the ability to perform actions far beyond a standard user account.
The CVE credit went to researchers Zen Dodd and Yuanpei Xu — not Nightmare-Eclipse. This either indicates independent discovery or a deliberate decision by Microsoft not to credit the uncoordinated disclosure.
RedSun — No CVE | Silently patched, per the researcher
Another Windows Defender privilege escalation vulnerability that allows a standard user to gain SYSTEM-level execution. RedSun differs from BlueHammer in how it achieves this, but the outcome is the same: Windows can be tricked into running attacker-controlled code with the highest privileges. The result is that a small intrusion can rapidly become complete control of the affected device.
UnDefend — No CVE | UNPATCHED
A Defender disruption tool designed to weaken or blind Microsoft Defender rather than directly give the attacker control. Public analysis shows it interferes with Defender's ability to receive updates and detect new threats while making the system appear healthy. It is best understood as a defense-evasion companion: once an attacker has elevated access, UnDefend can make follow-on activity much harder to detect.
YellowKey — No CVE | UNPATCHED
A BitLocker bypass that may allow someone with physical access to a Windows system to access data on drives protected by TPM-only BitLocker configurations. In practical terms, a stolen laptop relying on default BitLocker settings could be at higher risk because the attacker may be able to reach an unlocked drive through recovery behavior. This undermines a key safeguard for lost devices, though additional protections such as pre-boot PINs, firmware controls, and strong device-custody practices can reduce the risk.
GreenPlasma — No CVE | UNPATCHED
A Windows local privilege escalation issue that exposes a partial or incomplete exploit rather than a fully turnkey attack. The released code provides a building block that a capable attacker could potentially develop further to gain higher privileges. Its significance is that it expands the Nightmare-Eclipse disclosures beyond Defender-specific weaknesses into broader Windows internals.
MiniPlasma — No CVE | UNPATCHED
A newly disclosed Windows local privilege escalation tied to a flaw originally reported and supposedly fixed in 2020. Independent testing confirmed that the proof of concept could still produce SYSTEM-level access on fully patched Windows 11 systems as of May 2026. This is significant because it suggests a vulnerability thought to be resolved years ago may still be exploitable on current Windows releases.
The attack chain: how they work together
Multiple researchers have observed these exploits in the wild since April. With each new exploit leaked by Nightmare-Eclipse, an operational attack chain has emerged:
- Escalate: BlueHammer, RedSun and MiniPlasma are three different methods of escalating an unprivileged user to SYSTEM.
- Blind: UnDefend makes the endpoint appear healthy to Defender, while making Defender less capable of detecting anything new.
- Access (physical): YellowKey bypasses BitLocker on stolen or confiscated devices.
- Persist (future): GreenPlasma, once weaponized, provides a backup SYSTEM escalation path through a different subsystem.
SecurityToday reported that attackers were chaining these Microsoft Defender exploits with ransomware deployment as an end goal. Advanced threat actors routinely integrate local privilege escalation (LPE) code within days of release. BlueHammer and RedSun are well past that window, and the MiniPlasma window is closing soon.
This is what makes Nightmare-Eclipse a malicious actor rather than just a disgruntled researcher airing grievances. By deliberately releasing working exploit code for unpatched vulnerabilities, they have effectively outsourced actual intrusions to the broader criminal ecosystem.
In threat intelligence terms, Nightmare-Eclipse is in the same category as any other actor who knowingly supplies tools, access or capabilities that others use to attack organizations. The distinction from a traditional threat group matters for classification, but it doesn't change the operational risk: Nightmare-Eclipse has directly enabled privilege escalation, defense evasion and credential theft in confirmed enterprise intrusions.
Defend yourself
The researcher isn't done. Their blog and GitHub posts have included explicit warnings:
- A threat to begin releasing remote code execution (RCE) vulnerabilities: "they are actively poking me to start releasing RCEs which I will be doing at some point"
- A promise of "a big surprise" for the June 2026 Patch Tuesday
- A claim that they will "drag other companies into this"
- A "dead man's switch" that would automatically release additional exploits if certain conditions are met
There’s no reason to think they won’t follow through on these threats. In a May 15 statement, Microsoft said it “is aware of the purported vulnerabilities and is actively investigating the validity and potential applicability of these claims across our platforms and services.”
What can you do? Apply the April 2026 Patch Tuesday update for BlueHammer (CVE-2026-33825). Verify Defender platform version 4.18.26050.3011 or later. Monitor vendor advisories for out-of-band patches addressing UnDefend, YellowKey, and GreenPlasma. Explore YellowKey mitigation techniques like creating a BitLocker startup PIN and a BIOS/UEFI password. Unfortunately, these are not a permanent fix against the exploit: they harden the device, but the underlying issue may still be exploitable.
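As an added example (not code from the article or from Barracuda), the following PowerShell audits the two endpoint controls named above on a single machine: whether the Defender platform version meets the 4.18.26050.3011 floor quoted in the text, and whether the OS drive's BitLocker protectors include a pre-boot PIN rather than the TPM-only configuration the YellowKey section flags. The cmdlets are Windows built-ins; the function names and output layout are my own.

```powershell
# Added audit script (not from the article). Run in an elevated PowerShell session
# on the Windows host being checked. The version floor is the one the text quotes.
$RequiredPlatform = [version]'4.18.26050.3011'

function Test-DefenderPlatform {
    # AMProductVersion is the Defender antimalware platform version.
    $status  = Get-MpComputerStatus
    $current = [version]$status.AMProductVersion
    [pscustomobject]@{
        Check   = 'Defender platform version'
        Current = $current.ToString()
        Pass    = ($current -ge $RequiredPlatform)
        Note    = "Required $RequiredPlatform or later"
    }
}

function Test-BitLockerPreBootAuth {
    # A Tpm-only protector on the OS drive is the configuration the text flags;
    # TpmPin or TpmPinStartupKey protectors add the pre-boot PIN it recommends.
    $vol    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types  = @($vol.KeyProtector.KeyProtectorType)
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    [pscustomobject]@{
        Check   = 'BitLocker pre-boot PIN on OS drive'
        Current = ($types -join ', ')
        Pass    = (($vol.ProtectionStatus -eq 'On') -and $hasPin)
        Note    = 'TPM-only protection lacks pre-boot authentication'
    }
}

# Collect both checks, print them, and return a non-zero exit code on any failure
# so the script can be used from a configuration-management or RMM job.
$results = @(Test-DefenderPlatform; Test-BitLockerPreBootAuth)
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

A failing BitLocker row is the cue to enable the startup PIN (and a firmware password) described above; a failing Defender row means the platform update has not landed yet.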
Defending against these exploits requires security outside the endpoint. Network detection, identity controls, behavioral detection, and response capabilities can operate independently of the compromised system. Barracuda can help managed service providers (MSPs) and security teams detect, contain and respond to post‑compromise activity—before a single exploited endpoint becomes a full‑scale breach. Visit www.Barracuda.com for more.