When the Protector Becomes the Weapon: How Microsoft's Own Defender Became a Hacker's Dream

If your computer were a castle, Microsoft Defender would be its moat,
walls, and gatekeeper—built directly into the fortress itself. For
millions of Windows users, this built-in antivirus is the first and last
line of defense against digital invaders. But what happens when the
gatekeeper's own keys can be stolen, copied, and used to unlock every door
from within?

This isn't a theoretical concern. It's happening right now. Three critical
security flaws—dubbed BlueHammer, RedSun, and UnDefend—are turning
Microsoft's own security software against the very systems it's designed
to protect.

The Zero-Day Triple Threat

In April 2026, the cybersecurity world witnessed an unprecedented
disclosure: a security researcher using the alias "Chaotic Eclipse"
publicly released exploit code for three previously unknown
vulnerabilities in Microsoft Defender. This wasn't standard vulnerability
disclosure—it was a protest.

The researcher claims Microsoft's Security Response Center (MSRC)
mishandled their reports, with one allegedly telling them "they will ruin
my life." In response, Chaotic Eclipse decided to take matters public,
dropping working exploits into the wild.

The three vulnerabilities represent a complete toolkit for attackers:

  • BlueHammer (CVE-2026-33825): A local privilege escalation flaw that
    lets attackers with initial access elevate to SYSTEM-level privileges.
    Microsoft patched this on April 14, but it was actively exploited between
    April 10-16.
  • RedSun: Another local privilege escalation that remains unpatched as
    of writing. Security researcher Will Dormann confirmed it works "100%
    reliably" against fully updated Windows 10, Windows 11, and Windows Server
    systems.
  • UnDefend: A denial-of-service attack that blocks Defender's
    definition updates, effectively blinding the security software.

The most dangerous of these, RedSun, exploits a bizarre Defender behavior:
when Defender encounters a malicious file with a specific "cloud tag,"
instead of deleting it, the antivirus actually rewrites the file back to
its original location. Attackers can abuse this to overwrite system files
and gain administrative privileges.

How Your Antivirus Betrays You

The technical details matter because they reveal a pattern Microsoft
hasn't fixed despite years of warnings. RedSun follows a classic attack
chain that security researchers have demonstrated for nearly a decade:

  1. Create a specially crafted file with a "cloud tag"
  2. Trigger Defender's scanning routine
  3. Use a race-condition technique built on an opportunistic lock (an
    "oplock") to intercept the privileged file operation
  4. Redirect Defender's own SYSTEM-level write to overwrite critical system
    files
  5. Gain complete control of the computer

As Dormann bluntly summarized: "This works 100% reliably to go from
unprivileged user to SYSTEM against Windows 11 and Windows Server with
April 2026 updates, as well as Windows 10, as long as you have Windows
Defender enabled."

The ingredients—oplocks, reparse points, race conditions—aren't new.
What's alarming is that Microsoft Defender itself has become "a reliable
privilege-escalation primitive on every supported Windows build."

A Pattern, Not an Anomaly

Reading RedSun as an isolated incident ignores five years of troubling
history:

  • CVE-2021-1647: A remote code execution bug in the Microsoft Malware
    Protection Engine that triggered automatically when Defender scanned a
    crafted file
  • CVE-2021-24092: A local privilege escalation that researchers found
    had been exploitable for roughly twelve years before discovery
  • Multiple SmartScreen bypasses exploited by sophisticated threat
    actors including DarkGate, RemCos, and the Water Hydra APT

Even nation-state actors have weaponized Microsoft's own security
infrastructure against itself. North Korea's Lazarus Group used
Microsoft-signed drivers (CVE-2024-21338 and CVE-2024-38193) to disable
security products including Defender itself.

The Market Dominance Problem

Microsoft Defender isn't just another antivirus—it's the default
protection on hundreds of millions of Windows devices. According to IDC,
Microsoft commands approximately 40.2% of the global endpoint security
market share—more than double its nearest competitor.

This creates what security pioneers Dan Geer and Bruce Schneier warned
about in 2003: "monoculture risk." A single vulnerability in Defender
compromises more endpoints faster than a bug in any competing product.
RedSun's "100% reliable" exploitability across every supported Windows
build is the textbook realization of that warning.

When Lab Ratings Meet Reality

Independent testing organizations consistently rate Defender highly.
AV-TEST awards it "Top Product" certifications nearly every cycle. But
these ratings tell only part of the story.

In real-world ransomware attacks, Defender isn't being bypassed—it's being
disabled. Modern ransomware gangs don't try to outsmart Defender's
detection; they simply turn it off using what security researchers call
"Bring Your Own Vulnerable Driver" (BYOVD) attacks.

Sophos X-Ops documented that ransomware affiliates deploy tools like
EDRKillShifter, which abuse legitimate but vulnerable signed drivers to
terminate security processes from kernel space. Researchers at Hive
Security have tracked 54 distinct EDR killer tools abusing 35 signed
vulnerable drivers.
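BYOVD tooling works only if the vulnerable signed driver can be loaded, so a practical first step for defenders is knowing which kernel drivers are running and who signed them. The following PowerShell script is an added example, not code from the article, Sophos X-Ops or Hive Security; it assumes an elevated session on the host being reviewed and uses only built-in cmdlets. It inventories running drivers, resolves their NT-style paths, reads the Authenticode signer, and flags everything not signed by the Windows OS publisher itself. That deliberately includes WHQL-signed ("Microsoft Windows Hardware Compatibility Publisher") drivers, because those are third-party code and exactly the population that EDR-killer tools draw their vulnerable drivers from.

```powershell
# Added example (not from the article): inventory running kernel drivers with
# their Authenticode signer so they can be compared against a baseline or a
# vulnerable-driver blocklist. Assumes an elevated PowerShell session.

# Drivers whose signer Subject starts with this CN ship with Windows itself.
# WHQL drivers are signed by "Microsoft Windows Hardware Compatibility Publisher"
# and are NOT excluded: they are third-party code and the usual BYOVD source.
$firstPartyCn = 'CN=Microsoft Windows,'

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may be a Win32 path, a \??\ path, a
    # \SystemRoot\ path, or a path relative to the Windows directory.
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$drivers = Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'" |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or unreadable>' }
        [pscustomobject]@{
            Name       = $_.Name
            Path       = $path
            Status     = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer     = $subject
            ThirdParty = -not $subject.StartsWith($firstPartyCn)
        }
    }

# Review the third-party set first: compare against your hardware inventory and
# against a vulnerable-driver blocklist; anything unexpected on a server that
# has no matching hardware is worth an incident ticket.
$drivers | Where-Object ThirdParty | Sort-Object Name |
    Format-Table Name, Status, Signer, Path -AutoSize
```

Run it once on a clean build to capture a baseline, then diff the third-party list on later runs; a newly appearing signed driver on a host whose hardware did not change is the signal this section is describing.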

The human cost is documented in breach after breach. The BlackCat/ALPHV
attack on Change Healthcare resulted in a $22 million ransom payment and
disrupted U.S. pharmacy operations for weeks. Senator Ron Wyden cited the
Ascension Health breach (5.6 million patient records exposed) as evidence
that "Microsoft has become like an arsonist selling firefighting services
to their victims."

The Disclosure Breakdown

Chaotic Eclipse's decision to go public with zero-days wasn't random
frustration—it reflects what other respected researchers have experienced:

  • Tenable CEO Amit Yoran reported Microsoft's response to a critical Azure
    flaw was "grossly irresponsible, if not blatantly negligent"
  • Researcher m3rcer published a Defender bypass after MSRC closed their
    report as "unable to reproduce"
  • Microsoft's own CVE advisory for BlueHammer credits different
    researchers than the one who originally reported it

When established figures like Yoran and Dormann align with a pseudonymous
researcher dropping zero-days out of spite, Microsoft's vulnerability
reporting process has a credibility problem that transcends any single
incident.

What You Should Do Now

  1. Patch Immediately: Install Microsoft's April 2026 security updates
    to protect against BlueHammer. Watch for patches addressing RedSun and
    UnDefend.
  2. Enable Attack Surface Reduction Rules: Specifically enforce rules
    blocking credential theft from LSASS (GUID
    9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) and abuse of vulnerable signed
    drivers (56a863a9-875e-4185-98a7-b882c64b5ce5).
  3. Implement Application Control: Deploy Windows Defender Application
    Control or AppLocker on systems where user-installed binaries aren't
    required.
  4. Monitor for Suspicious Activity: Look for reparse point creation in
    system directories, unusual oplock acquisition patterns, and modifications
    to Defender files outside update windows.
  5. Consider Defense Diversity: For high-value targets, consider
    layering additional endpoint protection alongside Defender to mitigate
    monoculture risk.
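Steps 2 and 4 above can be put into practice with a short script. The following PowerShell is an added example, not part of the article or of any Microsoft documentation; it assumes an elevated session on a host where Defender is the active antivirus, and uses only the Defender cmdlets that ship with Windows. It enables the two Attack Surface Reduction rules named above by their GUIDs, reads back the effective configuration to confirm they took, checks that signature updates are still arriving (the condition UnDefend is described as breaking), and baselines reparse points under system directories so new junctions or symlinks can be spotted.

```powershell
# Added example (not from the article): apply and verify the two ASR rules
# listed in step 2, check signature freshness, and baseline reparse points in
# system directories for step 4. Assumes an elevated PowerShell session.

$asrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
}

# Enable each rule in block mode. Use -AttackSurfaceReductionRules_Actions AuditMode
# first on a pilot group if you need to see what would be blocked.
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# Read back the effective configuration; Ids and Actions are parallel arrays.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    if ($asrRules.ContainsKey($id)) {
        '{0,-55} action={1}' -f $asrRules[$id], $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

# Signature freshness: a host whose definitions stop updating while the service
# still reports healthy is the blind spot a definition-update DoS creates.
$status = Get-MpComputerStatus
$maxSignatureAgeDays = 3   # illustrative threshold, tune to your update cadence
if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    Write-Warning ("Defender signatures are {0} days old (last update {1})" -f
        $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated)
}

# Baseline reparse points (junctions, symlinks) under system directories.
# Windows creates many legitimate ones (WinSxS, AppX packages), so compare
# against a known-good baseline rather than alerting on every entry.
$systemDirs = @("$env:SystemRoot\System32", $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }
$reparse = foreach ($dir in $systemDirs) {
    Get-ChildItem -Path $dir -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Select-Object FullName, LinkType, Target, CreationTime
}
$reparse | Sort-Object CreationTime -Descending | Format-Table -AutoSize
```

Export the reparse-point table on a clean build and keep it with the host's baseline; on subsequent runs, entries with a recent CreationTime that are not in the baseline are the "reparse point creation in system directories" step 4 asks you to watch for. The script uses Add-MpPreference rather than Set-MpPreference so that it appends to rules already deployed by policy instead of overwriting them.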

The Bigger Picture

Microsoft launched its Secure Future Initiative in 2023, committing to
"secure by design, secure by default, and secure operations." The
initiative reports progress: 35,000 engineers assigned, 99.6% of employees
on phishing-resistant MFA, executive compensation tied to security
objectives.

Yet RedSun in April 2026 uses the same class of vulnerability that
researcher James Forshaw documented publicly in 2015. The scoreboard of
initiatives and the scoreboard of vulnerabilities are measuring different
things.

Defender isn't broken. It's a capable baseline that has genuinely improved
since 2018. But it's not sufficient. The gap between "enabled and
updating" and "actually resilient" is where ransomware operators have been
making their money since at least 2023.

The right approach isn't panic or complacency—it's recognizing that any
single security control can and will be bypassed. Defense in depth, proper
monitoring, and understanding that even your protectors need protection
are the lessons these zero-days teach us.

Because Microsoft will patch RedSun eventually. But the structural
problems that made it possible? Those will still be there when the next
one drops.