Two Unpatched Windows Exploits Are in Active Use Right Now. Microsoft Has No Fix.

CivSafe Team·April 18, 2026·7 min read

Yesterday, Huntress — a security firm that focuses specifically on small and medium businesses — published a detailed breakdown of a live attack campaign using three Windows Defender exploits, two of which remain completely unpatched. Microsoft has not communicated a fix timeline for either.

This is not a theoretical risk. This is a documented attack chain, confirmed in production environments, as of April 16.

Here's what happened, why it matters to your team, and what you can actually do about it.

How we got here

About two weeks ago, a security researcher using the handles Nightmare-Eclipse and Chaotic Eclipse published exploit code on GitHub. The first tool, BlueHammer, exploited a local privilege escalation flaw in Windows Defender — the kind of bug that lets someone with limited access to a machine reach full SYSTEM-level administrator control.

The circumstances were not typical. The researcher published with full working code after alleging that Microsoft's Security Response Center had mishandled the private disclosure process. Microsoft sat on the report, didn't communicate a timeline, and the researcher apparently decided to force the issue. This is a recurring story in vulnerability research: vendors absorb reports, assign low severity ratings, delay patches, and go quiet. At some point, the researcher stops being willing to absorb all the risk on everyone else's behalf.

Microsoft scrambled. BlueHammer became CVE-2026-33825 and was patched in the April 14 Patch Tuesday release.

But the researcher wasn't done. They published two more tools.

RedSun achieves full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later. No CVE assigned. No patch. No public timeline from Microsoft.

UnDefend blocks Microsoft Defender from receiving signature updates, progressively blinding your antivirus while leaving it appearing to run normally. Same situation — no CVE, no patch.

As of April 16, all three tools were confirmed in active use.

What the attack actually looks like

Huntress' Security Operations Center documented the intrusions in detail. The initial access came through a compromised FortiGate VPN — a device you likely recognize if you've worked with network infrastructure at any small business or government office.

From there, the attackers staged binaries in low-privilege user directories. Specifically: FunnyApp.exe placed in a user's Pictures folder, and RedSun.exe placed in a two-letter subfolder inside Downloads. Before execution, they renamed RedSun.exe to z.exe — an old trick to get past behaviour-based detection.

Before escalating, they ran standard enumeration: whoami /priv, cmdkey /list, net group. These are the commands an attacker runs when they've just landed on a machine and want to understand what they've got. Huntress called it "hands-on-keyboard activity" — meaning a real person, actively operating, not an automated script.
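The enumeration sequence above is also one of the cheapest things to detect. The following is an added example, not code from Huntress or from the original post: it flags those three commands in Windows process-creation telemetry and raises an alert when one account runs all of them on the same host. It assumes command-line logging is enabled for Security event 4688 (Audit Process Creation plus the "Include command line in process creation events" policy); without that the CommandLine field is empty and nothing matches. The `net group` pattern is deliberately widened to also catch `net1 group`, which is an assumption on my part, not something the report mentions. The sample events are constructed so the script runs without a live log.

```powershell
# Added example (not from the Huntress report or the original post): flag the
# enumeration commands named in the report in 4688 process-creation telemetry.

# Patterns for the recon commands. -match is case-insensitive by default, and
# the optional ".exe" covers both "whoami /priv" and "whoami.exe /priv".
$ReconPatterns = @(
    @{ Name = 'whoami-priv'; Regex = '\bwhoami(\.exe)?\s+/priv\b' },
    @{ Name = 'cmdkey-list'; Regex = '\bcmdkey(\.exe)?\s+/list\b' },
    @{ Name = 'net-group';   Regex = '\bnet1?(\.exe)?\s+group\b' }   # net1 is an assumption
)

function Find-ReconCommand {
    # Takes objects with Time, Host, User and CommandLine; returns the matching
    # ones tagged with the pattern that fired.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        foreach ($p in $ReconPatterns) {
            if ($e.CommandLine -match $p.Regex) {
                [pscustomobject]@{
                    Time        = $e.Time
                    Host        = $e.Host
                    User        = $e.User
                    Indicator   = $p.Name
                    CommandLine = $e.CommandLine
                }
            }
        }
    }
}

function Get-ProcessCreationEvents {
    # Live collector for the local Security log (needs an elevated session).
    # In the 4688 schema, Properties[1] is SubjectUserName and Properties[8]
    # is CommandLine (empty unless command-line auditing is turned on).
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Host        = $_.MachineName
            User        = $_.Properties[1].Value
            CommandLine = $_.Properties[8].Value
        }
    }
}

# Constructed sample telemetry standing in for real 4688 events. One user
# running all three within a minute is the hands-on-keyboard pattern the
# report describes; any one of them alone is ordinary admin activity.
$Sample = @(
    [pscustomobject]@{ Time='2026-04-15T02:11:03'; Host='WS-07'; User='jsmith'; CommandLine='whoami /priv' },
    [pscustomobject]@{ Time='2026-04-15T02:11:20'; Host='WS-07'; User='jsmith'; CommandLine='cmdkey /list' },
    [pscustomobject]@{ Time='2026-04-15T02:11:41'; Host='WS-07'; User='jsmith'; CommandLine='net group "Domain Admins" /domain' },
    [pscustomobject]@{ Time='2026-04-15T02:12:00'; Host='WS-07'; User='jsmith'; CommandLine='C:\Windows\System32\notepad.exe' },
    [pscustomobject]@{ Time='2026-04-15T09:30:12'; Host='WS-12'; User='helpdesk'; CommandLine='whoami /priv' }
)

$Hits = Find-ReconCommand -Events $Sample      # swap in (Get-ProcessCreationEvents) for a live host
$Hits | Format-Table -AutoSize

# Group by host and user and alert only where all three distinct indicators
# fired; WS-12 above gets no alert, WS-07 does.
$Hits | Group-Object -Property Host, User | Where-Object {
    @($_.Group.Indicator | Sort-Object -Unique).Count -ge 3
} | ForEach-Object { "ALERT: $($_.Name) ran all three recon commands" }
```

Point this at a SIEM export or at `Get-ProcessCreationEvents` on a suspect machine. The threshold of three is a starting point; a host where these commands come from an account that has never run them before is worth a look even on a single hit.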

Then they escalated. RedSun abuses Windows Defender's own cloud file rollback mechanism: it tricks Defender into writing an attacker-controlled file to a privileged directory, achieving SYSTEM-level code execution without needing any elevated privileges or user interaction. The same protective software your org relies on becomes the lever attackers use to own the machine.

Why your org specifically is at risk

A few things are worth naming clearly.

FortiGate VPN is the initial access vector. Fortinet has had a string of high-severity CVEs in the past 18 months. FortiGate is extremely common among small government offices, nonprofits, and professional services firms — organizations that set up a VPN appliance years ago and haven't patched it recently. If your org uses FortiGate and hasn't applied recent updates, that's your most urgent problem, ahead of everything else in this article.

Microsoft Defender is the default antivirus for most small orgs. You don't pay for it. It comes with Windows. It's what most small teams are running because buying a separate endpoint product has never felt urgent enough to prioritize. UnDefend targets it specifically. An attacker who deploys UnDefend leaves your Defender looking functional while quietly stopping it from getting new threat intelligence.

Privilege escalation completes the attack. Neither RedSun nor UnDefend lets an attacker break in from outside — they require prior access. But that's how virtually all modern attacks work. Phishing → initial access → privilege escalation → full control. The initial foothold is the hardest part. After that, tools like RedSun hand over the keys. With SYSTEM privileges, an attacker can disable security software, exfiltrate data, deploy ransomware, create persistent backdoors, and pivot to other machines on your network.

No patch exists for the last two tools. April Patch Tuesday shipped four days ago. The next scheduled one is May 12. That's three and a half weeks during which RedSun and UnDefend will remain public, working, and increasingly incorporated into attacker playbooks.

What you can do right now

You can't apply a patch that doesn't exist yet. But there are things you can do that matter here.

Patch BlueHammer. It was fixed in the April 14 Patch Tuesday update. If your systems aren't auto-updating, push the April patches manually today. CVE-2026-33825 is still being used in attacks against unpatched systems because organizations are slow to apply monthly updates.

Audit your VPN appliances. If you're running FortiGate, check the firmware version and compare it against Fortinet's current advisories. This isn't hypothetical — Huntress documented a FortiGate compromise as the confirmed initial access vector in these attacks. A VPN appliance running year-old firmware is a front door with a broken lock.

Harden your initial access surface. RedSun and UnDefend both require someone to already be on a machine. The strongest control available to you is making the initial access step harder:

  • MFA on every account, especially anything with remote access
  • RDP should not be exposed directly to the internet under any circumstances
  • Review your phishing defenses — the EvilTokens device code phishing campaign we covered last week is still active and targeting the exact same small org profile

Look for specific indicators. Huntress named the binaries they found: RedSun.exe, FunnyApp.exe, BlueHammer.exe, and z.exe in user-accessible folders. Check your endpoints — Pictures, Downloads, Desktop. Any machine where you find these should be treated as a confirmed incident, not a maybe.
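One way to run that check across every local user profile, as an added example that is not part of the original post or of the Huntress report: the indicators here are filenames only, because that is all the post gives (no hashes), so the script hashes anything it finds so you have something to hand to whoever does your incident response. The search recurses so the two-letter subfolder inside Downloads is covered. `C:\Users` as the profile root and the CSV output path are assumptions.

```powershell
# Added example, not from the original post: hunt user profile folders for the
# binaries the post names. Run elevated so every profile is readable.

$IndicatorNames = @('RedSun.exe', 'FunnyApp.exe', 'BlueHammer.exe', 'z.exe')
$ProfileSubdirs = @('Pictures', 'Downloads', 'Desktop')

function Find-IndicatorFile {
    # Searches the given subfolders of every profile under $ProfileRoot,
    # recursing so nested staging folders are covered.
    param(
        [string]$ProfileRoot = 'C:\Users',          # assumed default profile root
        [string[]]$Names = $IndicatorNames,
        [string[]]$Subdirs = $ProfileSubdirs
    )
    foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($sub in $Subdirs) {
            $dir = Join-Path $userDir.FullName $sub
            if (-not (Test-Path $dir)) { continue }
            # -Include only filters by name when combined with -Recurse
            Get-ChildItem -Path $dir -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        Host     = $env:COMPUTERNAME
                        User     = $userDir.Name
                        Path     = $_.FullName
                        SizeKB   = [math]::Round($_.Length / 1KB, 1)
                        Created  = $_.CreationTime
                        Modified = $_.LastWriteTime
                        # Hash so the finding can be shared and matched later
                        SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    }
                }
        }
    }
}

$Hits = @(Find-IndicatorFile)
if ($Hits.Count -eq 0) {
    "No indicator filenames found under user profiles on $env:COMPUTERNAME"
} else {
    $Hits | Format-Table -AutoSize
    # Record the evidence; leave the files in place until IR has looked at them.
    $Hits | Export-Csv -Path "$env:TEMP\indicator-hits-$env:COMPUTERNAME.csv" -NoTypeInformation
}
```

A hit on RedSun.exe, FunnyApp.exe or BlueHammer.exe is the confirmed-incident case the post describes. z.exe is a generic name, so treat a hit there as "look at the file now" rather than automatically calling it an incident; the hash in the output is what lets you settle that quickly.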

Monitor Defender's update status. UnDefend silently blocks definition updates. In Windows Security Center or Intune, look at when each endpoint last received a definition update. A machine where Defender hasn't updated in several days warrants investigation. Don't assume it means UnDefend — it might just be a broken update configuration — but it's worth knowing.
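For a single endpoint, the Defender PowerShell module already exposes the last-updated timestamp the post tells you to look at. The following is an added example, not code from the original post: it reports signature age and protection state, and, where signatures are stale, forces a refresh with `Update-MpSignature` and checks whether the version actually changed, which is the practical way to separate "broken update configuration" from "updates blocked." The three-day threshold is an assumption; Defender normally updates several times a day. Both cmdlets need an elevated session.

```powershell
# Added example, not from the original post: check Defender signature freshness,
# attempt a refresh, and report whether it took.

function Get-DefenderSignatureReport {
    param([int]$MaxAgeDays = 3)     # assumed threshold
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        ServiceRunning     = $s.AMServiceEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        EngineVersion      = $s.AMEngineVersion
        SignatureVersion   = $s.AntivirusSignatureVersion
        SignatureUpdated   = $s.AntivirusSignatureLastUpdated
        SignatureAgeDays   = $s.AntivirusSignatureAge
        Stale              = ($s.AntivirusSignatureAge -gt $MaxAgeDays)
    }
}

function Test-DefenderUpdatePath {
    # If signatures are fresh, just return the report. If stale, try a forced
    # update and compare versions before and after: a machine that looks
    # healthy but cannot pull new signatures on demand is the case to escalate.
    $before = Get-DefenderSignatureReport
    if (-not $before.Stale) { return $before }
    try {
        Update-MpSignature -ErrorAction Stop
        $updateError = $null
    } catch {
        $updateError = $_.Exception.Message
    }
    $after = Get-DefenderSignatureReport
    $after |
        Add-Member -NotePropertyName UpdateAttempted -NotePropertyValue $true -PassThru |
        Add-Member -NotePropertyName UpdateError     -NotePropertyValue $updateError -PassThru |
        Add-Member -NotePropertyName VersionChanged  -NotePropertyValue ($before.SignatureVersion -ne $after.SignatureVersion) -PassThru
}

function Get-DefenderUpdateFailures {
    # Defender's own operational log records failed definition updates as
    # event ID 2001; these explain a stale signature far more often than an
    # attacker does, so pull them alongside the report.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

$report = Test-DefenderUpdatePath
$report | Format-List
if ($report.Stale -and -not $report.VersionChanged) {
    "Signatures still stale after a forced update on $($report.Host): isolate the machine and investigate."
    Get-DefenderUpdateFailures | Format-Table -AutoSize
}
```

To sweep a fleet from one console without Intune, wrap `Get-DefenderSignatureReport` in `Invoke-Command -ComputerName $hosts -ScriptBlock { ... }` and sort the results by `SignatureAgeDays`; the machines at the top of that list are the ones to run the full check on.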

The responsible disclosure debate

There's real disagreement in the security community about what Nightmare-Eclipse did, and it's worth understanding both sides.

The case for publishing: Microsoft knew about the flaws. They had time to act. When a vendor sits on vulnerability reports without communicating timelines, the researcher absorbs all the risk of keeping the secret while the vendor does nothing. Publishing forces accountability. The researcher's argument — that Microsoft's inaction made them complicit — isn't entirely wrong.

The case against: Working exploit code, published before patches exist, lands on every Windows user. Not Microsoft. The 12-person legal aid nonprofit. The municipal planning office. The GP practice that hasn't had an IT review in two years. The people who get hurt aren't the ones who didn't do their jobs.

Both arguments are correct. That's why it's a real debate. But from a practical standpoint, the outcome for your organization is identical regardless of which side you land on: two working exploits are public, being used, and unpatched this week.

The pattern worth naming

If you've been reading our recent pieces, you'll recognize the thread. EvilTokens bypassing M365 MFA. The SharePoint zero-day on CISA's Known Exploited Vulnerabilities list. Now RedSun and UnDefend. These aren't isolated incidents — they're a concentrated window of active threat activity targeting exactly the infrastructure small organizations rely on.

Small orgs are not incidental targets. They're the path of least resistance. No dedicated security team. IT is one part-time person. Patch windows get delayed when there's a funding deadline coming up. VPN firmware gets updated only when something breaks. The organizations in Huntress' incident reports this week are the ones where any of those things were true.

The ones that don't show up in those reports had someone paying attention.

Tracking active threats and helping small orgs respond before an incident instead of after is what we do. If you want to know whether your Windows environment or VPN is exposed to what we've described here, start with a conversation.

CivSafe — Strategic Innovation. Community Impact.