Microsoft Defender Zero-Day Exploited in the Wild — BlueHammer Attack Chain Extracts SAM Hashes and Kills Defender via Race Condition

A privilege escalation vulnerability in Microsoft Defender is under active exploitation using publicly available proof-of-concept code, with Huntress confirming attacks began on April 10 — four days before Microsoft released a patch. CISA added the flaw to its Known Exploited Vulnerabilities catalog on Wednesday, setting a May 6 federal patching deadline.

CVE-2026-33825 carries a CVSS score of 7.8 and stems from a time-of-check to time-of-use (TOCTOU) race condition in Defender's signature update mechanism. The vulnerability was publicly disclosed on April 2 by a researcher operating under the name Chaotic Eclipse, who published three distinct exploitation techniques — BlueHammer, RedSun, and UnDefend — along with full PoC code on GitHub. Interest in the exploit escalated rapidly after a community fork fixed implementation bugs and added documentation.

BlueHammer, the primary technique, uses operation locks to suspend Defender's activity and triggers a signature update that tricks Defender into copying the Security Account Manager (SAM) database to its output directory. The exploit then parses the SAM hive, decrypts users' NT hashes, temporarily changes all user passwords, and uses the new credentials to generate admin sessions that escalate to SYSTEM privileges.

RedSun achieves the same outcome through a different path. It tricks Defender into attempting to restore a non-existent malicious file, placing a copy of the attacker's binary into System32 and spawning a shell with SYSTEM permissions.

UnDefend takes a destructive approach — it kills Defender entirely by monitoring definition update and Malicious Software Removal Tool folders, locking new files before Defender can access them, and locking backup definitions immediately after Defender starts up. The result is a fully neutralized endpoint protection platform.

Huntress observed the first attacks leveraging the public PoC on April 10, with additional activity on April 16. In the most recent incident, attackers accessed the target environment through an SSL VPN connection to a FortiGate firewall, with the source IP geolocated to Russia. The attackers staged binaries from a low-privilege user's Pictures folder and from short two-letter subfolders under Downloads. Huntress noted the attackers appeared unfamiliar with how the Defender exploits actually worked and were unsuccessful in their exploitation attempts, though they did perform hands-on-keyboard reconnaissance.

Microsoft patched the vulnerability on April 14, twelve days after the public disclosure and PoC release.

Mitigation:

Apply the April 14 patch for CVE-2026-33825 immediately — the CISA KEV deadline is May 6, but active exploitation makes same-day patching the appropriate response. Monitor for the specific staging patterns Huntress identified: binaries placed in user-writable directories like Pictures or short-named subfolders under Downloads. Hunt for unexpected SAM database access or copying activity, particularly from Defender-related processes. Review FortiGate SSL VPN logs for suspicious access from unfamiliar geolocations. The UnDefend technique means Defender itself may be silently disabled on compromised hosts — verify Defender is actually running and updating definitions, not just present on disk.
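The following PowerShell is an added example, not code from the article, from Huntress, or from Microsoft. It turns the three host-side checks above into functions an administrator can run on a patched or suspect Windows endpoint: confirming Defender is genuinely running and its definitions are current (the UnDefend concern), listing executable files staged in the Pictures folder or in two-letter subfolders under Downloads (the Huntress staging pattern), and pulling Sysmon file-creation events in which a file named SAM was written outside its normal registry hive location (the SAM-copy concern). It assumes the Defender PowerShell module (Get-MpComputerStatus) and the WinDefend service are present, that Sysmon is installed and logging to its usual Microsoft-Windows-Sysmon/Operational channel, and that the signature-age threshold and the list of file extensions are tunable assumptions rather than values from the report.

```powershell
# Added example (not from the article). Assumes a Windows host with Microsoft Defender
# Antivirus and, for Find-SamCopyEvent, a Sysmon installation. Run from an elevated prompt.

function Test-DefenderHealth {
    [CmdletBinding()]
    param(
        # Maximum acceptable definition age in days. 1 is an assumption; align to your policy.
        [int]$MaxSignatureAgeDays = 1
    )
    $status   = Get-MpComputerStatus
    $findings = @()

    if (-not $status.AMServiceEnabled)          { $findings += 'Antimalware service is not enabled' }
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Definitions are $($status.AntivirusSignatureAge) day(s) old " +
                     "(last updated $($status.AntivirusSignatureLastUpdated))"
    }

    # A present-but-stopped service is exactly the "on disk but not running" case.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { $findings += 'WinDefend service is not running' }

    [pscustomobject]@{
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

function Find-StagedBinary {
    [CmdletBinding()]
    param(
        [string]$ProfileRoot = "$env:SystemDrive\Users",
        # Extension list is an assumption; extend it to whatever your environment treats as executable.
        [string[]]$Extensions = @('.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs')
    )
    Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $candidates = @()

        # Pattern 1: anything under the user's Pictures folder.
        $pictures = Join-Path $_.FullName 'Pictures'
        if (Test-Path $pictures) {
            $candidates += Get-ChildItem -Path $pictures -File -Recurse -ErrorAction SilentlyContinue
        }

        # Pattern 2: two-letter subfolders directly under Downloads.
        $downloads = Join-Path $_.FullName 'Downloads'
        if (Test-Path $downloads) {
            Get-ChildItem -Path $downloads -Directory -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match '^[A-Za-z]{2}$' } |
                ForEach-Object {
                    $candidates += Get-ChildItem -Path $_.FullName -File -Recurse -ErrorAction SilentlyContinue
                }
        }

        $candidates |
            Where-Object { $Extensions -contains $_.Extension.ToLower() } |
            Select-Object FullName, Length, LastWriteTime,
                @{ Name = 'Owner';  Expression = { (Get-Acl -Path $_.FullName).Owner } },
                @{ Name = 'Sha256'; Expression = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } }
    }
}

function Find-SamCopyEvent {
    [CmdletBinding()]
    param([int]$Hours = 24)

    # Sysmon Event ID 11 = FileCreate. Channel name is the standard Sysmon default.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 11
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $target = $data['TargetFilename']
        # Flag a file literally named SAM created anywhere other than the live hive path.
        if ($target -and (Split-Path -Path $target -Leaf) -eq 'SAM' -and
            $target -notmatch '\\Windows\\System32\\config\\SAM$') {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Image  = $data['Image']     # the writing process; review any Defender binary here
                Target = $target
            }
        }
    }
}

Test-DefenderHealth
Find-StagedBinary
Find-SamCopyEvent -Hours 72
```

Test-DefenderHealth returns Healthy = $false with a Findings list whenever the service is stopped or definitions have gone stale, which is the state UnDefend aims for; checking only that MsMpEng.exe exists on disk would miss it. Find-SamCopyEvent deliberately reports the writing process rather than filtering on it, so an analyst sees both a Defender component writing SAM to its own output directory and any other process doing the same.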

Read more

Microsoft Issues Emergency Patch for Critical ASP.NET Core Flaw Allowing SYSTEM Privilege Escalation via Forged Auth Cookies

Microsoft has pushed an emergency out-of-band security update to address CVE-2026-40372, a critical privilege escalation vulnerability in ASP.NET Core's Data Protection cryptographic APIs that allows unauthenticated attackers to forge authentication cookies and gain SYSTEM-level access on affected systems. The flaw originated from a regression introduced in the

By Zero Day Wire