OFFSITE.DARK

Apr 3, 2026

Project Nightcrawler

  • microsoft
  • defender
  • cve
  • privilege-escalation
  • windows
  • toctou
  • lpe
  • local
  • zero-day

news

BlueHammer: Defender Signature-Update TOCTOU LPE (CVE-2026-33825)

Nightmare-Eclipse PoC races MpSigStub.exe signature updates via oplocks and NTFS junctions to duplicate SAM/SYSTEM hives as SYSTEM — CISA KEV, patched April 2026.

Summary

BlueHammer is the first public release in the Nightmare-Eclipse / MSNightmare Windows exploit cluster. Published April 3, 2026 by the researcher operating as Nightmare-Eclipse (later Chaotic Eclipse, Dead Eclipse, MSNightmare), it weaponizes a Time-of-Check to Time-of-Use (TOCTOU) race in Microsoft Defender's signature update pipeline — specifically MpSigStub.exe running as NT AUTHORITY\SYSTEM — to achieve local privilege escalation and credential extraction without admin rights or kernel memory corruption.

Microsoft assigned CVE-2026-33825 on April 14, 2026 and shipped a fix in Defender Antimalware Platform 4.18.26030.3011 during April 2026 Patch Tuesday. CISA added the flaw to its Known Exploited Vulnerabilities catalog; Huntress and other vendors later documented in-the-wild use alongside sibling cluster tools RedSun and UnDefend.

OFFSITE.DARK indexes this entry from the Project Nightcrawler PoC repository, CVEReports technical analysis, and public vendor advisories. We did not discover or weaponize this flaw.

Technical Details

CVE: CVE-2026-33825
Component: Microsoft Defender Antimalware Platform, MpSigStub.exe signature update path
Root cause: TOCTOU between the path security check and the privileged file write (CWE-1220, insufficient access-control granularity; also described as link-following abuse)
Privileges required: Standard local user
Attack primitives: Defender RPC/signature-update trigger, opportunistic locks (oplocks), NTFS junctions, Object Manager symlinks, Volume Shadow Copy (VSS)
Primary PoC outcome: Duplicate protected hives (SAM, SYSTEM) to an attacker-readable location, then offline NTLM hash extraction
Patch: Defender platform ≥ 4.18.26030.3011 / engine ≥ 1.1.26030.3011 (April 2026)
PoC reliability: Researcher notes bugs in the published PoC that may prevent execution on some hosts

BlueHammer is not a single API bug. It chains legitimate Windows behavior: Defender's update engine validates a destination directory once, then performs move/copy operations without holding a directory lock or re-validating reparse points. An attacker:

  1. Triggers or waits for a Defender signature update via exposed RPC interfaces.
  2. Places an oplock on a user-writable directory Defender will touch during update staging.
  3. When MpSigStub.exe opens the directory, the oplock pauses the SYSTEM thread at the TOCTOU boundary.
  4. Swaps the benign junction for a symlink targeting protected resources (e.g., C:\Windows\System32\config\SAM).
  5. Releases the oplock; Defender resumes and copies the locked hive through VSS-assisted paths into attacker-controlled storage.

The patched code path adds directory handle locking with sharing disabled, reparse-point validation before write, and impersonation of the calling user when resolving paths in user-writable namespaces — preventing SYSTEM from following attacker-planted junctions.
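The "reparse-point validation before write" control described above, as a standalone PowerShell check. This is an added example written for this entry; it is not Microsoft's patch code and not code from the Nightcrawler repository. The function name Test-NoReparsePoint and the staging path used at the bottom are this editor's own constructions.

```powershell
# Added example, not the vendor's patch code. Walks every component of a
# destination path and refuses it if any component is a reparse point
# (NTFS junction, symbolic link or mount point). Function name is this
# editor's; the sample path at the bottom is constructed.
function Test-NoReparsePoint {
    param([Parameter(Mandatory)] [string] $Path)

    # Canonicalise first: ".." segments and 8.3 aliases must not hide a hop
    # through a directory that was never inspected.
    $full = [System.IO.Path]::GetFullPath($Path)
    if ($full -ne $Path) {
        return [pscustomobject]@{ Safe = $false; Reason = "path is not canonical (resolves to $full)" }
    }

    # Inspect each ancestor from the volume root downward.
    $cur   = [System.IO.Path]::GetPathRoot($full)
    $parts = $full.Substring($cur.Length) -split '\\' | Where-Object { $_ }
    foreach ($part in $parts) {
        $cur  = Join-Path -Path $cur -ChildPath $part
        $item = Get-Item -LiteralPath $cur -Force -ErrorAction SilentlyContinue
        # A component that does not exist yet cannot be a reparse point;
        # the privileged writer will create it itself.
        if ($null -eq $item) { continue }
        if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
            return [pscustomobject]@{ Safe = $false; Reason = "reparse point at $cur" }
        }
    }
    [pscustomobject]@{ Safe = $true; Reason = 'no reparse points on the path' }
}

# Constructed usage: a staging file under a user-writable tree, the kind of
# location the advisory says the update path touches.
$staging = Join-Path $env:LOCALAPPDATA 'DefenderStaging\sigs.tmp'
$result  = Test-NoReparsePoint -Path $staging
if (-not $result.Safe) { Write-Warning "refusing privileged write: $($result.Reason)" }
```

A check like this on its own is still a check followed by a use, so it only narrows the race; the patch description pairs it with the other two controls, holding the verified directory handle with sharing disabled across the write and impersonating the caller while resolving user-writable paths. A script cannot hold a directory handle that way, so the practical equivalent is to stage only under a directory whose ACL denies write access to standard users.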

Cluster context

BlueHammer established the researcher's pattern: abuse Microsoft Defender and adjacent Windows security plumbing with standard-user access, publish full PoC without coordinated disclosure, and iterate when patches or account takedowns force redesign. RedSun (write primitive), UnDefend (Defender disablement), and later RoguePlanet (quarantine pipeline) extend the same actor and target surface.

CVE

CVE: CVE-2026-33825
CVSS 3.1: 7.8 High (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CWE: CWE-1220 (Insufficient Granularity of Access Control)
Published: 2026-04-14
Fixed version: Microsoft Defender Antimalware Platform 4.18.26030.3011
Exploit status: Weaponized PoC; added to CISA KEV
EPSS (CVEReports): ~0.04% at indexing

Impact

  • Local privilege escalation to SYSTEM-equivalent access via credential theft from duplicated SAM/SYSTEM hives.
  • Trust inversion: the endpoint security product's update mechanism becomes the privileged read/write primitive.
  • Lateral movement enabler: extracted NTLM hashes support pass-the-hash and domain pivoting after any low-privilege foothold.
  • Operationalized beyond PoC: documented in live intrusion chains with RedSun and UnDefend per Huntress and CSA reporting.

Confirmed not requiring: kernel exploit, admin group membership, or disabling Defender.

Mitigation

  1. Verify Defender Antimalware Platform ≥ 4.18.26030.3011 on all endpoints (Get-MpComputerStatus / Windows Security About page).
  2. Restrict the "Create symbolic links" user right for standard users via Group Policy where policy allows (reduces the junction/symlink primitive).
  3. Monitor MpSigStub.exe / MsMpEng.exe performing reads or writes under user profile or %TEMP% trees.
  4. Alert on VSS snapshot activity correlated with Defender update processes from non-backup contexts.
  5. Assume cluster chaining: BlueHammer-era TTPs may appear with newer cluster tools — investigate matching behavioral sequences immediately.
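Mitigation steps 1 to 3 as a single PowerShell audit script. This is an added example for this entry, not vendor tooling and not from the Nightcrawler repository. Get-MpComputerStatus, secedit and Get-WinEvent are real Windows commands; the function names, the use of Sysmon Event ID 11 as the file-write signal, and the output layout are this editor's assumptions. The version thresholds are the ones stated in the advisory. Two caveats a practitioner should know: the secedit export needs an elevated prompt, and the "Create symbolic links" right governs symbolic links only, so a standard user can still create NTFS junctions without it; the check covers the symlink half of the primitive.

```powershell
# Added example (editor's own, not vendor tooling). Three checks from the
# mitigation list: Defender platform/engine version, who holds the
# "Create symbolic links" user right, and Defender processes creating files
# under user-profile trees. Function names are assumptions.

$FixedPlatform = [version]'4.18.26030.3011'   # from the advisory
$FixedEngine   = [version]'1.1.26030.3011'    # from the advisory

function Test-DefenderPatched {
    # Mitigation 1: compare the installed platform and engine with the fixed build.
    $s = Get-MpComputerStatus
    $platform = [version]$s.AMProductVersion
    $engine   = [version]$s.AMEngineVersion
    [pscustomobject]@{
        Platform        = $platform
        Engine          = $engine
        PlatformPatched = ($platform -ge $FixedPlatform)
        EnginePatched   = ($engine   -ge $FixedEngine)
    }
}

function Get-SymlinkRightHolders {
    # Mitigation 2: export local user rights (elevated prompt required) and list
    # the accounts holding SeCreateSymbolicLinkPrivilege. The default holder is
    # *S-1-5-32-544 (Administrators); any standard-user group here is a finding.
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path -LiteralPath $cfg)) { return @() }
    $line = Select-String -Path $cfg -Pattern '^SeCreateSymbolicLinkPrivilege\s*=\s*(.*)$'
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    $line.Matches[0].Groups[1].Value -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier $sid).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # leave unresolvable SIDs as-is
    }
}

function Find-DefenderWritesInUserTrees {
    # Mitigation 3 (write half): Sysmon Event ID 11 (FileCreate) where the
    # creating image is MpSigStub.exe or MsMpEng.exe and the target sits under
    # a user profile or the system temp tree. Sysmon does not log reads.
    param([int] $Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 11
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $img = $d['Image']; $target = $d['TargetFilename']
        if ($img -match '\\(MpSigStub|MsMpEng)\.exe$' -and
            $target -match '^[A-Za-z]:\\(Users|Windows\\Temp)\\') {
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $img; Target = $target }
        }
    }
}

# Run all three and print a short report.
Test-DefenderPatched | Format-List
"Create symbolic links right held by: $((Get-SymlinkRightHolders) -join ', ')"
Find-DefenderWritesInUserTrees -Hours 24 | Format-Table -AutoSize
```

Defender legitimately writes under its own ProgramData directories, so the third function deliberately ignores those and reports only user-profile and temp-tree targets; treat any hit as something to explain rather than a confirmed exploitation, and correlate it with the VSS activity named in mitigation 4.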
