When the Defender Becomes the Door: BlueHammer, RedSun, and UnDefend in the Wild

April 20, 2026
Justin Howe
Sr. Solutions Architect

Security research sometimes breaks in uncomfortable ways. In early April, a researcher known as Chaotic Eclipse or Nightmare-Eclipse published proof-of-concept exploit code for three Windows Defender vulnerabilities on GitHub -- not as coordinated disclosure, but as a direct protest against how Microsoft's Security Response Center handled the reporting process. Within two weeks, Huntress Labs confirmed that threat actors had weaponized all three exploits against live enterprise targets.

We are not publishing this to pile on Microsoft; Patch Tuesday will remain a recurring exercise for every organization running Windows. What is worth discussing is the structural problem these three exploits expose: your endpoint protection layer is not a neutral observer. It is an active participant in the file system, and skilled attackers have learned to use that participation against you.

Let us break down what each exploit does, how they chain together operationally, and why the Vectra AI Platform -- specifically through the Respond UX (RUX) interface and its EDR integrations -- is positioned to catch this activity where perimeter and endpoint tools go blind.

The Three Exploits: What They Actually Do

BlueHammer (CVE-2026-33825): Racing the Defender

BlueHammer is a time-of-check to time-of-use (TOCTOU) race condition buried inside Windows Defender's signature update workflow. The exploit abuses the interaction between Defender's file remediation logic, NTFS junction points, the Windows Cloud Files API, and opportunistic locks (oplocks) to redirect a Defender-initiated file rewrite into a privileged system path.

In plain terms: Defender detects a suspicious file, decides to rewrite it, and an attacker wins the race so that the rewrite lands in a location of their choosing, which yields SYSTEM-level access. The oplock is what makes the race winnable: it lets the attacker stall Defender's file operation at the right moment, swap in the junction, and then release it. No kernel exploit. No memory corruption. Just a clever abuse of how Defender interacts with the file system during remediation.

Microsoft patched BlueHammer as part of the April 2026 Patch Tuesday cycle. Organizations that have applied those patches have closed this specific vector -- but that is one of three, and the patch window is never instantaneous across a fleet.

RedSun: The Patch Did Not Close It

RedSun follows a similar abuse pattern -- Cloud Files API, oplocks, a directory junction redirecting a Defender-triggered rewrite into a protected system path -- but it targets a different component: TieringEngineService.exe. What makes RedSun more operationally significant is that it works on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems even after the April Patch Tuesday updates.

The exploit baits Defender's real-time protection engine using an embedded EICAR test string. Defender sees a known signature, initiates a remediation cycle, and RedSun wins the race to redirect the resulting file rewrite. At that point, the Cloud Files Infrastructure executes the attacker-planted binary as SYSTEM.

RedSun does not depend on an unpatched flaw in anything the attacker controls. It depends on Defender being installed, running, and doing its job. That is the uncomfortable part.

Security researcher Will Dormann confirmed the exploit works on fully patched systems, and Huntress observed binaries staged in low-privilege user directories -- Pictures folders and two-letter subfolders inside Downloads -- under filenames from the original PoC repositories (FunnyApp.exe, RedSun.exe) and in renamed variants like z.exe.

UnDefend: Degrading the Defense Layer Quietly

UnDefend does not escalate privileges directly. Instead, it disrupts Defender's definition update mechanism so that the endpoint protection layer's detection fidelity degrades progressively over time. Spawn it as a child of cmd.exe under Explorer and run it with the -agressive flag (spelled that way in the observed command lines), which is exactly the pattern Huntress saw in live incidents, and Defender is starved of current threat intelligence without the kind of hard failure that would generate an obvious alert.

The combination matters operationally. An attacker uses BlueHammer or RedSun to achieve SYSTEM, then deploys UnDefend to ensure the endpoint protection layer becomes progressively less capable of catching follow-on activity. It is a layered degradation strategy, not a one-shot exploit.

The Attack Pattern Huntress Observed

The in-the-wild activity is not automated spray. Huntress's analysis of incidents as of April 16 describes a pattern consistent with hands-on-keyboard intrusion: manual enumeration commands before exploitation, including whoami /priv to inventory current privileges. The binaries are staged deliberately in low-noise user directories. This is targeted intrusion, not commodity malware.

That context matters for how defenders need to think about detection. A commodity scanner looking for known-bad hashes or signatures may catch the original PoC binaries. A renamed z.exe that carries its EICAR bait string encrypted, so that the string only appears in the clear when the tool writes it to disk, will not; Dormann demonstrated that this alone sharply reduces VirusTotal detections. The behavioral fingerprint is what persists across variants.

The reconnaissance pattern observed before exploitation (privilege enumeration, deliberate staging in user-writable directories, child process spawning under Explorer) is detectable. Not only at the endpoint layer that is being targeted, but also in the network and identity telemetry that sits above it and does not depend on the integrity of the agent under attack.
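To make the behavioral fingerprint concrete, here is an added example (not code from Vectra, Huntress or the PoC authors) of a rule-based scorer for the host-side indicators the text reports, run over constructed process-creation events: whoami /priv before exploitation, binaries staged in Pictures or two-letter Downloads subfolders, the FunnyApp.exe / RedSun.exe / z.exe filenames, SYSTEM execution out of a user profile, and a -agressive process launched from cmd.exe under Explorer. The event schema (Sysmon-style fields with pid/ppid so the parent chain can be rebuilt), the 10-minute window that links reconnaissance to execution, the severity labels and the UnDefend filename u.exe in the sample data are assumptions of the example, not facts from the page.

```python
"""Added example, not code from Vectra, Huntress or the PoC authors: a rule-based
scorer for the host-side behaviours the text reports (whoami /priv before
exploitation, binaries staged in Pictures or two-letter Downloads subfolders,
PoC filenames, SYSTEM execution out of a user profile, and a -agressive
process launched from cmd.exe under Explorer), run over constructed
process-creation events.

Assumptions not taken from the page: the event schema (Sysmon-style fields
with pid/ppid so the parent chain can be rebuilt), the 10-minute window that
links reconnaissance to execution, the severity labels, and the hypothetical
UnDefend filename u.exe used in the sample data.
"""
import re
from datetime import datetime, timedelta

# Indicators taken from the text.
POC_NAMES = {"funnyapp.exe", "redsun.exe", "z.exe"}
STAGING_DIRS = re.compile(r"\\users\\[^\\]+\\(pictures\\|downloads\\[a-z0-9]{2}\\)", re.I)
PRIV_ENUM = re.compile(r"\bwhoami(\.exe)?\b.*\s/priv\b", re.I)
UNDEFEND_FLAG = re.compile(r"(^|\s)-agressive(\s|$)", re.I)  # spelling as observed
RECON_WINDOW = timedelta(minutes=10)  # assumption: recon-to-execution link window


def make_event(time, host, pid, ppid, user, image, cmdline):
    """Build one process-creation record (constructed schema, see module docstring)."""
    return {"time": datetime.fromisoformat(time), "host": host, "pid": pid,
            "ppid": ppid, "user": user, "image": image, "cmdline": cmdline}


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _parent_chain(ev, by_pid, depth=2):
    """Lower-cased image names of the parent and grandparent, where known."""
    chain, pid = [], ev["ppid"]
    for _ in range(depth):
        parent = by_pid.get((ev["host"], pid))
        if parent is None:
            break
        chain.append(_base(parent["image"]))
        pid = parent["ppid"]
    return chain


def score_events(events):
    """Return findings as (host, severity, rule, evidence) tuples, in time order."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    last_recon = {}  # host -> time of the most recent whoami /priv
    findings = []
    for e in sorted(events, key=lambda x: x["time"]):
        img, cmd = _base(e["image"]), e["cmdline"]

        if PRIV_ENUM.search(cmd):
            last_recon[e["host"]] = e["time"]
            findings.append((e["host"], "low", "priv_enum", cmd))

        if STAGING_DIRS.search(e["image"]) or img in POC_NAMES:
            recon = last_recon.get(e["host"])
            linked = recon is not None and e["time"] - recon <= RECON_WINDOW
            # Enumeration followed by execution from a staging directory is the
            # hands-on-keyboard sequence; on its own, staging is only suspicious.
            findings.append((e["host"], "high" if linked else "medium",
                             "staged_binary", e["image"]))

        if e["user"].lower() == r"nt authority\system" and "\\users\\" in e["image"].lower():
            findings.append((e["host"], "high", "system_from_user_profile", e["image"]))

        if UNDEFEND_FLAG.search(cmd) and _parent_chain(e, by_pid) == ["cmd.exe", "explorer.exe"]:
            findings.append((e["host"], "high", "undefend_pattern", cmd))
    return findings


# Constructed sample telemetry: one intrusion on WS01, benign activity on WS02.
SAMPLE_EVENTS = [
    make_event("2026-04-15T09:00:00", "WS01", 400, 300, r"CORP\alice",
               r"C:\Windows\explorer.exe", "explorer.exe"),
    make_event("2026-04-15T09:01:00", "WS01", 410, 400, r"CORP\alice",
               r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    make_event("2026-04-15T09:01:30", "WS01", 420, 410, r"CORP\alice",
               r"C:\Windows\System32\whoami.exe", "whoami /priv"),
    make_event("2026-04-15T09:04:00", "WS01", 430, 410, r"CORP\alice",
               r"C:\Users\alice\Pictures\z.exe", "z.exe"),
    # Defender-triggered rewrite lands the planted binary, then it runs as SYSTEM.
    make_event("2026-04-15T09:04:10", "WS01", 440, 800, r"NT AUTHORITY\SYSTEM",
               r"C:\Users\alice\Downloads\ab\FunnyApp.exe", "FunnyApp.exe"),
    make_event("2026-04-15T09:05:00", "WS01", 450, 410, r"CORP\alice",
               r"C:\Users\alice\AppData\Local\Temp\u.exe", "u.exe -agressive"),
    make_event("2026-04-15T09:10:00", "WS02", 510, 500, r"CORP\bob",
               r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    make_event("2026-04-15T09:10:05", "WS02", 520, 510, r"CORP\bob",
               r"C:\Windows\System32\whoami.exe", "whoami"),
]


def demo():
    return score_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, sev, rule, evidence in demo():
        print(f"{host} {sev:6} {rule:25} {evidence}")
```

Run stand-alone, the script flags five findings on WS01 and none on WS02: the bare whoami on WS02 is not privilege enumeration, and nothing there runs from a staging directory. The point of the sequencing rule is that none of the individual indicators is high confidence by itself; a user can legitimately run an executable from Pictures, and whoami /priv is common in administrative scripts. It is the ordered combination on one host inside a short window, plus a SYSTEM-owned process living under a user profile, that separates this pattern from noise regardless of what the binary is renamed to.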

Where Vectra AI Fits Into This Scenario

Endpoint protection tools are the intended target of these exploits. That is not a criticism of EDR -- it is an accurate description of the attack surface. When the exploits succeed, they operate inside the trust boundary that endpoint agents depend on. Catching what happens next requires visibility that does not depend on the integrity of the endpoint agent.

Network detection and response -- specifically the Vectra AI Platform operating through RUX -- provides that visibility. Here is where it matters across the attack chain.

Pre-Exploitation: Behavioral Enumeration

The manual enumeration Huntress documented (whoami /priv, privilege inventory) generates process execution and command-line events that Vectra's EDR integrations surface as third-party signals directly inside RUX. For organizations running CrowdStrike Falcon, EDR Process Correlation, which went GA in RUX in March 2026, automatically identifies which process on an endpoint triggered suspicious network behavior detected by Vectra, closing the manual correlation gap between NDR and EDR telemetry. Microsoft Defender for Endpoint AI stitching is on the roadmap for 1H 2026, and the existing MDE integration already supports host context enrichment and host lockdown. SentinelOne provides bidirectional metadata sharing and lockdown capability.

Across all three, Attack Signal Intelligence correlates these host-level behaviors against the network context of the account and device, applying urgency scoring that factors in account privilege, lateral movement breadth, and velocity.

An analyst in RUX does not receive an isolated whoami alert. They receive a prioritized entity view that shows the account in question, what assets it has touched, what privilege enumeration looks like against its baseline, and what the urgency score is -- all in one place, without pivot tabs.

Privilege Escalation: Process Anomalies on the Network

SYSTEM-level process execution following Defender remediation activity creates observable anomalies. A process spawned at SYSTEM privilege in a user's Pictures folder, initiating outbound connections to infrastructure it has no business reaching, is a detection candidate across multiple Vectra models: suspicious process-to-network binding, anomalous privilege elevation, unusual outbound connection patterns.

Vectra's AI stitches these signals across changing IPs and session contexts in real time. By the time an analyst opens the investigation in RUX, the attack graph is already assembled -- the original compromised host, the privilege escalation event correlated with the process-level EDR signal, and any lateral connections initiated from the newly elevated session.

UnDefend: Degradation as a Detection Signal

This is where the NDR advantage is most direct. An endpoint tool being degraded by UnDefend becomes progressively less reliable -- which means the detection gap grows over time at the host level. Vectra does not depend on that tool to maintain visibility. Network behavioral baselines persist independently of endpoint agent health.

More practically: UnDefend running as a child of cmd.exe under Explorer, executing with the -agressive flag, is the kind of anomalous parent-child process relationship that EDR integrations surface inside RUX as a third-party detection. Correlated at the network layer with the same host's Defender definition-update traffic going quiet while its peers keep updating, the signal becomes high-confidence and fast to investigate.

Response: One Click to Containment

RUX's integrated response capability -- single-click pivots to CrowdStrike, Microsoft Defender for Endpoint, or SentinelOne -- means an analyst who identifies an actively exploiting host does not need to context-switch to a separate console. Host lockdown, account suspension, and network isolation actions are available directly from the investigation view.

For organizations running Vectra MXDR, that response capability extends to 24x7 analyst coverage. An exploitation attempt at 2 AM on a Saturday does not wait for business hours.

What This Means Practically

Two of these three exploits remain unpatched as of this writing. RedSun works on fully patched April 2026 systems. UnDefend has no patch. The operational window is not closing quickly.

The organizations that will weather this exposure period best are the ones that have network visibility operating independently of the endpoint layer. The behavior patterns in these exploits -- privilege enumeration, SYSTEM process anomalies, Defender update suppression, unusual process-to-network activity -- are all detectable through the network and identity telemetry that the Vectra AI Platform analyzes continuously.

For security teams assessing their current posture against these specific threats, the question to ask is simple: if my EDR is successfully exploited by RedSun and SYSTEM-level access is established, what is my next layer of detection? If that answer involves another tool dependent on the same endpoint stack, the gap is real.

Patch what you can. Apply the April 2026 updates to address BlueHammer. Monitor for RedSun and UnDefend behavioral indicators at the network layer. And make sure the tool watching the network does not share a trust boundary with the tool being targeted.

