- An angry researcher publicly released a Windows Defender zero-day exploit called “BlueHammer” after clashing with Microsoft’s security response team over video proof demands.
- The exploit allows any user, even those without much tech knowledge, to gain full SYSTEM access and steal password hashes, though it does not work on every try.
- Microsoft has not yet issued a patch, so system administrators should restrict user rights and monitor for unusual privilege escalations immediately.
A security researcher using the name Chaotic Eclipse just publicly released a working zero-day exploit for Windows Defender on GitHub. He also left a blunt message for Microsoft: he wrote that he won’t explain how the exploit works, but noted that any genius can figure it out.
Known as BlueHammer, this exploit allows an individual with a low-privileged user account on a Windows computer to escalate to full SYSTEM privileges, i.e., complete control of the machine.
On April 3, 2026, the researcher published the “proof of concept” code on GitHub. He confirmed that the attack targets Defender’s internal signature update mechanism to achieve local privilege escalation.
Why the researcher went public
Chaotic Eclipse, the researcher’s online account name, says he feels frustrated with Microsoft’s Security Response Center (MSRC). He claims the quality of MSRC’s work has dropped because Microsoft laid off experienced security staff and replaced them with people who only follow flowcharts.
The researcher points to one unusual requirement. He says MSRC asked him to submit a video demonstrating the exploit as part of the reporting process.
While Microsoft’s vulnerability response draws criticism, government entities face their own security challenges: the U.S. Government Publishing Office recently suffered a cyberattack in which employees’ data was allegedly stolen and offered for sale on the dark web, showing that security failures extend beyond private tech companies to federal institutions responsible for protecting sensitive personnel information. Many in the security community find MSRC’s video demand unusual and burdensome.
The researcher believes this request created a deliberate roadblock. As a result, Microsoft reportedly closed its case without a fix. He wrote on GitHub that he wonders about the “math” Microsoft used when it decided to close the case without patching the vulnerability.
How the attack works and what it steals
BlueHammer chains two different kinds of bugs, a TOCTOU (time-of-check to time-of-use) race condition and a path confusion flaw, to gain unauthorized SYSTEM-level access to the Windows operating system. While not 100% reliable, the researcher admits it works “well enough” to be dangerous.
Well-known vulnerability expert Will Dormann tested the exploit and confirmed it works. In his test, a standard restricted user account opened a command prompt from C:\User\limited\Downloads> and gained full SYSTEM privileges within seconds.
The exploit also shows credential-harvesting capabilities. It displays NTLM password hashes for local accounts and confirms SYSTEM shell access. Dormann notes that once attackers reach this level, they will gain complete control of the system.
No patch yet: What users should do now
Currently, Microsoft has neither patched this vulnerability nor assigned a CVE to it. In a statement, a Microsoft representative told BleepingComputer that the company intends to follow through on its obligations as a software provider and to monitor for any security vulnerabilities reported through customer feedback.
An investigation will enable the company to make the necessary fix and update affected devices to protect customers as soon as possible.
However, for now, systems remain exposed. Because the exploit requires local access, attackers first need to trick you into running something or steal your login. But once inside, they can grab password hashes and disable security tools.
Security experts recommend these immediate steps to the public:
- Restrict local user permissions to the bare minimum.
- Monitor EDR tools for unusual privilege escalation activity.
- Watch for SYSTEM-level command prompts spawning from user folders.
Until Microsoft acts, treat any local account as a potential entry point for full system takeover.
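The third recommendation above (SYSTEM-level command prompts spawning from user folders) can be turned into a concrete check. The following is an added example, not code from the article or from the researcher; it assumes Sysmon Event ID 1 (process creation) messages, which carry a CurrentDirectory field that the built-in Security log event 4688 lacks, and the sample events are constructed, not real logs.

```python
import re

# Shells worth alerting on; extend as needed (e.g. wscript.exe, cscript.exe).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}
# A working directory inside any user profile, e.g. C:\Users\limited\Downloads
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+", re.IGNORECASE)


def parse_sysmon_message(text):
    """Turn the 'Field: value' lines of a Sysmon event message into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")  # first colon only; drive letters keep theirs
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_system_shell_from_profile(ev):
    """True when a shell runs as SYSTEM with its working directory inside a user profile."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    user = ev.get("User", "").upper()
    cwd = ev.get("CurrentDirectory", "")
    return image in SHELL_IMAGES and user in SYSTEM_USERS and bool(USER_PROFILE_RE.match(cwd))


def find_suspicious(messages):
    """Return (UtcTime, User, Image, CurrentDirectory) for every flagged event."""
    hits = []
    for text in messages:
        ev = parse_sysmon_message(text)
        if is_system_shell_from_profile(ev):
            hits.append((ev.get("UtcTime"), ev["User"], ev["Image"], ev["CurrentDirectory"]))
    return hits


# Constructed sample events (not real logs); field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    # Benign: a limited user opens a prompt in their own Downloads folder.
    r"""UtcTime: 2026-04-03 10:15:01.000
Image: C:\Windows\System32\cmd.exe
CurrentDirectory: C:\Users\limited\Downloads
User: DESKTOP\limited""",
    # Benign: SYSTEM runs a shell from the system directory (e.g. a scheduled task).
    r"""UtcTime: 2026-04-03 10:15:02.000
Image: C:\Windows\System32\cmd.exe
CurrentDirectory: C:\Windows\System32
User: NT AUTHORITY\SYSTEM""",
    # Suspicious: a SYSTEM shell whose working directory is a user's Downloads folder.
    r"""UtcTime: 2026-04-03 10:15:03.000
Image: C:\Windows\System32\cmd.exe
CurrentDirectory: C:\Users\limited\Downloads
User: NT AUTHORITY\SYSTEM""",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT: SYSTEM shell started inside a user profile:", hit)
```

Feed it the message text of Sysmon Event ID 1 records exported from the Microsoft-Windows-Sysmon/Operational log; a non-shell SYSTEM process in a user folder is deliberately not flagged, so tune SHELL_IMAGES to your environment.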