Apr 18, 2026
One Researcher Dropped Three Windows Defender Zero Days in 13 Days—Microsoft Has Only Patched One
Between April 3 and April 16, a single researcher published working exploits for three separate Windows Defender vulnerabilities. All three are now being used in attacks. Two remain unpatched.
From One Zero Day to Three
What started as one frustrated researcher's protest against Microsoft has become a security crisis. Between April 3 and April 16, 2026, a researcher using the alias "Chaotic Eclipse" published proof of concept exploits for three separate vulnerabilities in Windows Defender. As of April 17, threat actors are actively exploiting all three in the wild. Microsoft has patched only one.
The first exploit, BlueHammer (CVE-2026-33825), used a race condition in Defender's file remediation engine to escalate a standard user to SYSTEM. Microsoft pushed a fix on April 14. But by April 16, the same researcher had released two more: RedSun and UnDefend. Neither has a CVE. Neither has a patch. And both are already being used in attacks.
How RedSun Takes Over Your Machine
RedSun exploits how Windows Defender handles files tagged by its cloud protection service. When Defender detects a cloud tagged file, it tries to restore it to its original location without checking whether the target path has been tampered with.
The attack works like this: an attacker places a crafted file that triggers Defender detection, replaces it with a cloud placeholder through the Windows Cloud Files API, then uses NTFS junction points and batch opportunistic locks to redirect Defender's restoration process to C:\Windows\System32. When Defender follows through, it overwrites a legitimate system executable with the attacker's payload using SYSTEM privileges.
The result: full SYSTEM access on a fully patched Windows 10, Windows 11, or Windows Server machine.
UnDefend: Blinding the Antivirus
While RedSun grants attackers elevated access, UnDefend does something arguably worse: it silently strips away the protection itself. A standard user with no admin rights can block Microsoft Defender from receiving signature updates or disable it entirely when Microsoft pushes a major update.
This means an attacker who gets any foothold on a system can prevent Defender from learning about new threats. Over time, the antivirus becomes a shell of itself: running but unable to detect anything recent.
Attackers Are Already Chaining Them Together
Security firm Huntress confirmed on April 17 that all three exploits have been used in live attacks. In one documented case, a threat actor used compromised SSLVPN credentials to access a network, then deployed UnDefend and RedSun on the same Windows device before beginning credential discovery and lateral movement.
Huntress described "hands-on-keyboard threat actor activity" with exploit files placed in Pictures and Downloads folders, renamed to avoid detection. The attacker used UnDefend to blind Defender, then RedSun to escalate to SYSTEM, a two-step sequence that effectively neutralizes the security tool and takes full control in a single session.
One Researcher's Protest, Three Zero Days
The researcher behind all three disclosures has been vocal about their frustrations with Microsoft's Security Response Center. Their grievances include what they describe as an unnecessary requirement to submit video demonstrations before reports are triaged.
"I was not bluffing Microsoft, and I'm doing it again," they wrote alongside the original BlueHammer release. The subsequent RedSun and UnDefend drops suggest this standoff is far from over.
Microsoft patched BlueHammer (CVE-2026-33825, CVSS 7.8) during the April 14 Patch Tuesday. But the next scheduled Patch Tuesday is weeks away, and the company has not indicated whether emergency out-of-band patches are forthcoming for RedSun or UnDefend.
What You Should Do Right Now
While there are no patches for RedSun or UnDefend, organizations can take immediate steps:
- Apply the April 2026 security updates to close the BlueHammer vector.
- Monitor for unauthorized files in user directories like Pictures and Downloads that may be exploit staging areas.
- Watch for Defender signature update failures, which could indicate UnDefend activity.
- Restrict NTFS junction point creation where possible through group policy.
- Review SSLVPN access logs since compromised VPN credentials have been the initial entry point in observed attacks.
- Consider supplementary endpoint protection that does not rely solely on Defender during this gap.
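The following PowerShell script is an added example and is not code from the article, from the researcher, or from Huntress or Microsoft. It turns the checklist above, together with the RedSun and UnDefend behaviours described earlier, into a single read-only triage pass an administrator can run on an endpoint: Defender signature age and protection state, Defender update-failure and protection-disabled events, recently written executables in every profile's Pictures and Downloads folders (checked by the MZ header so renamed files are still caught), reparse points under user profiles that point into the Windows directory, recently modified System32 binaries that no longer carry a valid Authenticode signature, and updates installed since the April 14 Patch Tuesday. The seven-day lookback and the two-day signature-age threshold are assumed values; event IDs 2001 (security intelligence update failed) and 5001 (real-time protection disabled) are Defender's operational-log IDs. It must run in an elevated session to see other users' profiles, and it changes nothing on the system.

```powershell
# Added triage example (not the article's, the researcher's, Huntress's or Microsoft's code).
# Run elevated. Read-only: it only reports, it never remediates.
$LookbackDays = 7                                  # assumed lookback window
$Since        = (Get-Date).AddDays(-$LookbackDays)
$StaleDays    = 2                                  # assumed signature-age threshold

function Get-DefenderHealth {
    # UnDefend-style tampering shows up as a service that still reports "running"
    # while signatures quietly stop arriving; surface age and state side by side.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled     = $s.AntivirusEnabled
        RealTimeProtection   = $s.RealTimeProtectionEnabled
        SignatureVersion     = $s.AntivirusSignatureVersion
        SignatureLastUpdated = $s.AntivirusSignatureLastUpdated
        SignatureAgeDays     = $s.AntivirusSignatureAge
        Stale                = ($s.AntivirusSignatureAge -gt $StaleDays)
    }
}

function Get-DefenderFailureEvents {
    # 2001 = security intelligence update failed, 5001 = real-time protection disabled.
    # Get-WinEvent throws when nothing matches, hence SilentlyContinue.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001, 5001
        StartTime = $Since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Test-IsPeFile([string]$Path) {
    # Check the first two bytes ('MZ') so an executable renamed to .jpg is still flagged.
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 2
            $n   = $fs.Read($buf, 0, 2)
            return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally { $fs.Dispose() }
    } catch { return $false }
}

function Get-StagedExecutables {
    # Recently written PE files in every profile's Pictures and Downloads folders,
    # the staging locations Huntress reported, regardless of file extension.
    $dirs = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'Pictures'; Join-Path $_.FullName 'Downloads' } |
        Where-Object { Test-Path $_ }
    if (-not $dirs) { return }
    Get-ChildItem -Path $dirs -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Since -and (Test-IsPeFile $_.FullName) } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-SuspiciousReparsePoints {
    # Junctions or symlinks under user profiles whose target is inside the Windows
    # directory. Profile junctions created by Windows itself point back into the
    # profile, so anything aimed at \Windows\ from a user-writable path stands out.
    Get-ChildItem -Path 'C:\Users' -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Target)" -match '(?i)\\Windows\\' } |
        Select-Object FullName, LinkType, Target
}

function Get-TamperedSystem32Binaries {
    # A RedSun-style overwrite replaces a signed system binary with an attacker payload;
    # look for System32 executables modified inside the window whose signature is not Valid.
    Get-ChildItem -Path "$env:SystemRoot\System32\*" -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ File = $_.FullName; Modified = $_.LastWriteTime; Signature = $sig.Status }
            }
        }
}

function Get-RecentSecurityUpdates {
    # Updates installed on or after the April 14, 2026 Patch Tuesday that carried the BlueHammer fix.
    Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2026-04-14' } |
        Select-Object HotFixID, Description, InstalledOn
}

'== Defender health =='
Get-DefenderHealth | Format-List
'== Defender update-failure / protection-disabled events =='
Get-DefenderFailureEvents | Format-Table -AutoSize
'== Recent PE files in Pictures/Downloads (by header, not extension) =='
Get-StagedExecutables | Format-Table -AutoSize
'== Reparse points under C:\Users pointing into \Windows\ =='
Get-SuspiciousReparsePoints | Format-Table -AutoSize
'== Recently modified System32 binaries without a valid signature =='
Get-TamperedSystem32Binaries | Format-Table -AutoSize
'== Updates installed since 2026-04-14 =='
Get-RecentSecurityUpdates | Format-Table -AutoSize
```

Each function returns objects rather than text, so the same checks can be exported to CSV or fed to a SIEM collector instead of printed; the recursive walk of C:\Users can take a few minutes on a machine with large profiles, which is acceptable for a one-off sweep but worth scoping to the affected users when run at scale.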