Hackers weaponize exploit code for three Windows Defender flaws as at least one breach is reported

What happened
Hackers have reportedly broken into at least one organization using Windows vulnerabilities that a disgruntled researcher published online. Security firm Huntress said on X that it has observed attackers exploiting three bugs, BlueHammer, UnDefend and RedSun, all of which target Microsoft's built-in antivirus, Windows Defender. BlueHammer was patched earlier this week; UnDefend and RedSun reportedly remain unpatched. Exploit code for all three was allegedly posted by a researcher who goes by Chaotic Eclipse, on a blog and on GitHub, and framed as a provocation toward Microsoft.
Why it matters
All three flaws can grant elevated or administrative privileges if successfully exploited, which is a fast track to full compromise of an endpoint. Attackers appear to be copying the publicly available proof-of-concept code and turning it into ready-made tooling. “Scenarios like these cause us to race with our adversaries,” Huntress researcher John Hammond told TechCrunch, calling it a tug-of-war between defenders and cybercriminals. The pattern is familiar: it echoes episodes like Log4Shell, where public proof-of-concept code accelerated exploitation and left defenders on the back foot.
Microsoft said it supports “coordinated vulnerability disclosure,” arguing that careful handling usually gives customers time to patch. Ben Hope, the company's communications director, reiterated that in a statement. But once dialogue breaks down and exploit code is public, that patching window closes and the race begins.
What organizations should do
Patch BlueHammer immediately if you haven't already. Monitor endpoints for Defender being disabled, reconfigured or given new exclusions, increase logging for that kind of Defender-related activity, and apply any mitigations Microsoft issues for UnDefend and RedSun as they arrive. In plain terms: assume the exploit code is in the wild and act accordingly, because once exploit scripts are public, opportunistic attackers don't need an invitation.
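A baseline endpoint check for the monitoring step above, added here as an example; it is not code from the article, from Huntress or from Microsoft. It assumes an elevated PowerShell session on Windows 10/11 or Windows Server with the built-in Defender module available. The event IDs it watches are Microsoft-documented Windows Defender Antivirus operational-log events for protection being disabled or reconfigured; the article gives no indicators for BlueHammer, UnDefend or RedSun, so the script flags Defender state changes in general rather than those bugs specifically. The lookback window parameter is an assumption.

```powershell
# Added example (not from the article, Huntress or Microsoft): snapshot Defender's
# protection state, list configured exclusions, and pull recent Defender events that
# indicate protection being turned off or reconfigured. Run from an elevated session.
param(
    [int]$LookbackHours = 24   # assumed default; tune to your triage cadence
)

# 1. Current protection state and engine/signature versions (Get-MpComputerStatus).
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    AntivirusEnabled          = $status.AntivirusEnabled
    IsTamperProtected         = $status.IsTamperProtected
    AMEngineVersion           = $status.AMEngineVersion
    AMProductVersion          = $status.AMProductVersion
    AntivirusSignatureVersion = $status.AntivirusSignatureVersion
    AntivirusSignatureAge     = $status.AntivirusSignatureAge
} | Format-List

# 2. Exclusions are a common post-exploitation tamper target; surface any that exist.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    $values = $pref.$kind
    if ($values) {
        Write-Host "${kind}:"
        $values | ForEach-Object { Write-Host "  $_" }
    }
}

# 3. Microsoft-documented Defender operational-log events worth reviewing.
$watchIds = @{
    5001 = 'Real-time protection disabled'
    5007 = 'Configuration changed'
    5010 = 'Malware scanning disabled'
    5012 = 'Virus scanning disabled'
    5013 = 'Tamper protection blocked a change'
}

$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = [int[]]$watchIds.Keys
    StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events raises an error; treat as empty

if (-not $events) {
    Write-Host "No Defender state-change events in the last $LookbackHours hours."
} else {
    $events |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $watchIds[$_.Id]
                Message = ($_.Message -split "`n")[0]   # first line is enough for triage
            }
        } | Format-Table -AutoSize
}
```

Run it on a known-good host first to learn what normal looks like (a 5007 configuration change is routine after a policy push), then on suspect endpoints. Real-time protection reporting as disabled, tamper protection off, or new exclusions you did not configure are the findings that warrant a closer look.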
Sources: TechCrunch