Huntress is warning that threat actors are taking advantage of three recently discovered security vulnerabilities in Microsoft Defender to gain elevated privileges on compromised systems.
The activity involves the exploitation of three vulnerabilities codenamed Bluehammer (requires GitHub sign-in), Redson, and Undefended, all of which were released as zero-days by a researcher named Chaotic Eclipse (aka Nightmare-Eclipse) in response to Microsoft’s handling of the vulnerability disclosure process.
While Bluehammer and Redson are both local privilege escalation (LPE) flaws affecting Microsoft Defender, Undefended can be used to trigger a denial-of-service (DoS) condition that effectively blocks definition updates.
Microsoft addressed Bluehammer as part of its Patch Tuesday update released earlier this week; the vulnerability is tracked as CVE-2026-33825. However, there are no fixes for the other two flaws at the time of writing.
In a series of posts shared on X, Huntress said it has seen all three flaws being exploited in the wild, with Bluehammer weaponized starting April 10, 2026, followed by Redson and the Undefended proof-of-concept (PoC) on April 16.
It said, “These invocations are followed by specific enumeration commands: whoami /priv, cmdkey /list, net group, and others that indicate hands-on-keyboard threat actor activity.”
The cybersecurity vendor said it has taken steps to isolate the affected organization to prevent further exploitation. Hacker News has contacted Microsoft for comment, and we will update the story if we hear back.
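A defender-side illustration of the hands-on-keyboard indicators Huntress quotes above, added here as an example and not code from Huntress or The Hacker News: it scans process-creation records for the discovery commands named in the post and flags a host when several distinct ones run within a short window. The `time|host|command line` record format, the ten-minute window and the two-command threshold are assumptions for the example; the sample records are constructed, not real telemetry.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Discovery commands quoted in the Huntress post, lower-cased for matching.
DISCOVERY_COMMANDS = ("whoami /priv", "cmdkey /list", "net group")

@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    cmdline: str

def parse_event(line: str) -> ProcessEvent:
    """Parse an assumed 'ISO-time|host|command line' record."""
    ts, host, cmdline = line.split("|", 2)
    return ProcessEvent(datetime.fromisoformat(ts), host, cmdline.strip())

def matched_command(cmdline: str) -> str | None:
    """Return the discovery command a command line contains, if any."""
    norm = " ".join(cmdline.lower().split())  # collapse spacing/case
    return next((c for c in DISCOVERY_COMMANDS if c in norm), None)

def find_discovery_bursts(lines, window_minutes=10, min_distinct=2):
    """Return {host: sorted distinct commands} for hosts where at least
    min_distinct different discovery commands ran within window_minutes."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)
    per_host: dict[str, list[tuple[datetime, str]]] = {}
    for e in events:
        cmd = matched_command(e.cmdline)
        if cmd is not None:
            per_host.setdefault(e.host, []).append((e.ts, cmd))
    window, hits = timedelta(minutes=window_minutes), {}
    for host, seq in per_host.items():          # seq is time-ordered
        for i, (t0, _) in enumerate(seq):
            seen = {c for t, c in seq[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                hits[host] = sorted(seen)
                break
    return hits

SAMPLE_LOG = [  # constructed records for the example
    "2026-04-16T10:01:00|ws01|whoami /priv",
    "2026-04-16T10:02:30|ws01|cmdkey /list",
    "2026-04-16T10:04:10|ws01|net group",
    "2026-04-16T09:00:00|ws02|whoami /priv",
    "2026-04-16T11:30:00|ws02|net group",
    "2026-04-16T10:05:00|ws03|notepad.exe report.txt",
]

if __name__ == "__main__":
    print(find_discovery_bursts(SAMPLE_LOG))  # flags ws01 only
```

A single `whoami` is routine; the burst of distinct discovery commands on one host is what separates the activity Huntress describes from normal administration.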