RedSun & UnDefend: New 0-Day Exploits Targeting Microsoft Defender


The three techniques, BlueHammer, RedSun, and UnDefend, were developed by a grievance-driven security researcher known as Chaotic Eclipse (or Nightmare-Eclipse). They exploit logic flaws in Defender’s privileged operations to achieve local privilege escalation (LPE) or disrupt security functions without requiring administrative rights.

Severity: Critical

Tool 1: BlueHammer (CVE-2026-33825) – Patched

  • Class: Local Privilege Escalation (LPE) → SYSTEM
  • Mechanism: BlueHammer uses the Windows Update Agent COM interface as its entry point, triggered by a pending Defender signature update. It steers execution via an oplock on a VSS snapshot mount that stalls Defender’s SYSTEM thread.
  • Privileged Primitive: Defender reads SAM/SYSTEM/SECURITY hives from the mounted snapshot, enabling offline registry access via offreg.h for NTLM hash extraction.
  • Escalation Path: SamiChangePasswordUser → LogonUserEx → token duplication → CreateService
  • Patch: Antimalware Platform v4.18.26050.3011 — fixes the specific oplock+VSS interaction by validating snapshot mount state during the sensitive window.
  • Exploited In-the-Wild: Huntress SOC observed execution on April 10 from C:\Users\[REDACTED]\Pictures\FunnyApp.exe.

Tool 2: RedSun – Unpatched (0-Day as of April 17, 2026)

  • Class: LPE → SYSTEM | No CVE assigned
  • Root Cause: Missing reparse point validation in MpSvc.dll, the core Malware Protection Engine. When Defender detects a malicious file carrying Cloud Files attributes, it attempts to restore the file to its original detection path without verifying whether that path has been redirected via a junction point.
  • Attack Chain (5 Steps):
    1. Register a Cloud Files sync root via CfRegisterSyncRoot() — the same API used by OneDrive and Dropbox, with provider name “SERIOUSLYMSFT”.
    2. Drop a Cloud Files placeholder via CfCreatePlaceholders() carrying extended attributes that mark it as a remote-backed file pending hydration. This EA tag attracts Defender’s attention.
    3. A batch OPLOCK is acquired on the target file. When Defender attempts access during remediation, the OPLOCK breaks, signalling the main thread. The original file is deleted and a Cloud Files placeholder substituted, while the working directory is renamed and recreated as a junction point targeting \??\C:\Windows\System32.
    4. With the junction in place, Defender resumes its remediation write targeting the original detection path. The kernel transparently resolves the junction, and Defender writes the attacker-controlled binary directly into C:\Windows\System32\TieringEngineService.exe as SYSTEM.
    5. The exploit activates the Storage Tiers Management Engine COM server via DCOM, which executes the replaced TieringEngineService.exe. The payload detects the SYSTEM context and spawns conhost.exe in the user’s active session, delivering an interactive SYSTEM shell.
  • Affected Platforms: Windows 10, Windows 11, and Windows Server 2019 and later, with approximately 100% reliability even against the latest April 2026 updates. No kernel exploit, no driver, and no administrator interaction required.
  • Exploited In-the-Wild: Huntress observed execution on April 16 from C:\Users\[REDACTED]\Downloads\RedSun.exe, which triggered a Defender EICAR file alert as part of its attack technique.

Tool 3: UnDefend – Unpatched

  • Class: Denial-of-Service against Windows Defender (no privilege escalation)
  • Mechanism — Two Modes:
    • Passive mode blocks all signature updates, so Defender cannot detect any new threats: every new signature Microsoft pushes is immediately blocked.
    • Aggressive mode aims to completely disable Defender, but only triggers when Microsoft pushes a major platform update (affecting MsMpEng.exe and related binaries). When triggered, Defender stops responding entirely.
  • Privilege Requirement: Standard user, no admin rights needed.

Recommendations

  1. Confirm your EDR captures CfRegisterSyncRoot, CfCreatePlaceholders, and CfConnectSyncRoot invocations at the kernel level. Many platforms log process execution but not Cloud Files filter driver (cldflt.sys) interactions.
  2. Alert immediately – CfRegisterSyncRoot calls from outside of known cloud sync software such as OneDrive or Dropbox. Provider name “SERIOUSLYMSFT” is an exact-match IOC.
  3. Monitor for FSCTL_SET_REPARSE_POINT with IO_REPARSE_TAG_MOUNT_POINT issued against any directory registered as a Cloud Files sync root — this combination does not occur in normal operations.
  4. Use centralized security management to alert when multiple endpoints report Error Code 80070643 during signature updates, as this is a primary symptom of UnDefend in passive mode.
  5. Hunt for binaries named UnDefend.exe, FunnyApp.exe, or RedSun.exe staged in low-privilege user folders like Downloads or Pictures.
  6. Alert on instances where the Windows Defender service (MsMpEng.exe) stops responding or fails to load its engine, particularly during scheduled platform updates.
  7. Baseline the SHA-256 hash of C:\Windows\System32\TieringEngineService.exe on all endpoints now. Any modification should trigger an immediate alert. This is the direct write target of RedSun — an unexpected hash change is a confirmed compromise indicator.
  8. Block the IOCs at their respective controls:
     https://www.virustotal.com/gui/collection/bdd3b2c3954988e3456d7788080bc42d595ed73f598edeca5568e95fbf7fdaef/iocs
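The following PowerShell hunt script is an added example for defenders and is not part of the advisory or any of its sources. It implements recommendations 2, 3, 4 and 7 above on a single endpoint: it compares the hash of TieringEngineService.exe against a baseline you supply, enumerates registered Cloud Files sync roots for the “SERIOUSLYMSFT” provider name and for sync root directories that have become junctions, and looks for Defender signature update failures carrying error 80070643. The SyncRootManager registry layout and the Defender event ID 2001 for signature update failures are assumptions; the baseline hash is a placeholder.

```powershell
# Added detection helper (not from the advisory). Assumptions:
# - Sync roots registered via CfRegisterSyncRoot appear under SyncRootManager,
#   one subkey per root named "<Provider>!<SID>!<AccountId>", with a
#   UserSyncRoots subkey whose values hold the filesystem path (assumed layout).
# - Defender logs failed signature updates as event 2001 (assumed event ID).
# - $BaselineHash is a placeholder taken from a known-good endpoint.

$BaselineHash = 'REPLACE_WITH_KNOWN_GOOD_SHA256'   # placeholder, not a real hash
$Target   = "$env:SystemRoot\System32\TieringEngineService.exe"
$Findings = @()

# 1. Integrity check on RedSun's write target (recommendation 7).
$current = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
if ($current -ne $BaselineHash) {
    $Findings += "HASH MISMATCH: $Target is $current (baseline $BaselineHash)"
}

# 2. Inspect registered Cloud Files sync roots (recommendations 2 and 3).
$srm = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager'
foreach ($root in Get-ChildItem -Path $srm -ErrorAction SilentlyContinue) {
    $provider = ($root.PSChildName -split '!')[0]
    if ($provider -ieq 'SERIOUSLYMSFT') {
        $Findings += "IOC: sync root provider SERIOUSLYMSFT ($($root.PSChildName))"
    }
    $usr = Join-Path $root.PSPath 'UserSyncRoots'
    if (-not (Test-Path -Path $usr)) { continue }
    foreach ($p in (Get-ItemProperty -Path $usr).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell metadata
        $path = [string]$p.Value
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path -Force
        # A sync root directory that is itself a junction is the RedSun pattern:
        # legitimate sync clients register plain directories, not reparse points.
        if ($item.LinkType -eq 'Junction') {
            $Findings += "JUNCTION SYNC ROOT: $path -> $($item.Target)"
        }
    }
}

# 3. Signature update failures with the UnDefend passive-mode symptom (rec. 4).
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 2001 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if ($e.Message -match '80070643') {
        $Findings += "SIGNATURE UPDATE FAILED (80070643) at $($e.TimeCreated)"
    }
}

if ($Findings.Count -eq 0) { 'No RedSun/UnDefend indicators found.' } else { $Findings }
```

Run it elevated so the SyncRootManager key and the Defender operational log are readable; any line of output other than the final all-clear message warrants triage.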

Source:

  • https://nefariousplan.com/posts/redsun-windows-defender-system-write/
  • https://www.cloudsek.com/blog/redsun-windows-0day-when-defender-becomes-the-attacker
  • https://x.com/HuntressLabs/status/2044882050314817880
  • https://infosec.exchange/@wdormann/116412019416916182
