RedSun: Windows Defender cloud-tag behavior allegedly lets attackers overwrite system files on April 2026 update

April 16, 2026

Summary

A new vulnerability dubbed "RedSun" has surfaced for Windows 11, Windows 10 and Server installations running the April 2026 Update. It has been reported that a proof-of-concept published to a GitHub repository named "Nightmare-Eclipse/RedSun" and discussed on Hacker News demonstrates how Windows Defender's handling of cloud-tagged detections can be abused to overwrite system files and gain administrative privileges. Strange, right? The antivirus meant to stop malware appears to be doing the opposite — at least according to the researcher who posted the report.

What the researcher claims and why it matters

Allegedly, when Defender identifies a file carrying a cloud tag, it sometimes restores or rewrites that file to its original location rather than removing it, and the PoC leverages that behavior to replace protected system binaries. Replace a critical file with a malicious version and you have a fast track to system-level control. This is high-impact in a local privilege-escalation context: a misbehaving protection mechanism that ends up granting elevated privileges is the kind of irony security teams dread. The story taps into a larger industry anxiety about cloud-assisted telemetry and automated remediation — helpful in theory, hazardous when things go sideways.
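Until vendor guidance lands, a defender can at least confirm that the kind of protected binaries the claim mentions still carry a valid Microsoft signature, and pull the recent Defender remediation events that would accompany any cloud-tag action. The script below is an added example written for this post, not code from the RedSun repository or the researcher; the list of binaries to check is an assumption and should be adjusted to your environment.

```powershell
# Added example (not from the RedSun report): integrity check for a few
# protected system binaries, plus recent Defender remediation events.
# The path list is an assumption; extend it to the files you care about.
$criticalBinaries = @(
    "$env:SystemRoot\System32\lsass.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\ntoskrnl.exe"
)

function Test-SystemBinaryIntegrity {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'Missing'; Signer = $null; Suspicious = $true }
            continue
        }
        # Get-AuthenticodeSignature also resolves catalog-signed Windows files.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # A replaced binary will usually fail validation or carry a non-Microsoft signer.
        $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
        [pscustomobject]@{ Path = $path; Status = $sig.Status; Signer = $signer; Suspicious = $suspicious }
    }
}

function Get-RecentDefenderRemediation {
    param([int]$Hours = 24)
    # 1116 = detection, 1117 = action taken; both live in the Defender operational log.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Test-SystemBinaryIntegrity -Paths $criticalBinaries | Format-Table -AutoSize
Get-RecentDefenderRemediation -Hours 24 | Format-List
```

Run it from an elevated PowerShell session; any row with Suspicious set to True, or a 1117 event whose message names a System32 path, is worth a closer look before trusting the host.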

Response and what to watch

It has been reported that the researcher held back on dropping full exploit details for obvious reasons; responsible disclosure timelines and vendor coordination will matter here. Microsoft has not publicly commented at the time of writing, and defenders should monitor official advisories. In the meantime, enterprises should watch for vendor guidance and patches, and treat claims like this with urgency but also caution — verify through trustworthy channels before making sweeping changes. This one has a punchline with teeth: a security tool that “fixes” an infection by putting it right back where it can do real damage.

Sources: github.com/nightmare-eclipse, Hacker News