Attackers exploit three Microsoft Defender zero-days, code-named BlueHammer, RedSun, and UnDefend, to gain elevated access.

Attackers are exploiting three recently disclosed zero-day flaws in Microsoft Defender to gain higher privileges on compromised systems. The vulnerabilities, called BlueHammer, RedSun, and UnDefend, were revealed by a researcher known as Chaotic Eclipse after criticizing Microsoft's handling of the disclosure. Chaotic Eclipse also published proof-of-concept code for the unpatched Windows bug.

BlueHammer and RedSun let attackers escalate privileges locally in Microsoft Defender. UnDefend instead triggers a denial of service that blocks security definition updates and weakens protection.

At this time, Microsoft has fixed only the BlueHammer flaw, tracked as CVE-2026-33825; the other two remain unpatched.

Huntress researchers reported that attackers are exploiting the three Windows flaws to target systems, though the victims and attackers remain unknown. Huntress said it saw real-world exploitation of all three flaws: attackers used BlueHammer starting April 10, 2026, then followed with RedSun and UnDefend proof-of-concept exploits on April 16. Researchers believe attackers are using the public exploit code released online by Chaotic Eclipse.

"The Huntress SOC is observing the use of Nightmare-Eclipse's BlueHammer, RedSun, and UnDefend exploitation techniques. Investigation by: @wbmmfq, @Curity4201, + @_JohnHammond"
— Huntress (@HuntressLabs) April 16, 2026

"And today, April 16:
→ C:\Users\[REDACTED]\Downloads\RedSun.exe
This triggered a Defender EICAR file alert, as is part of its attack technique."
— Huntress (@HuntressLabs) April 16, 2026

When exploit code becomes publicly available, threat actors can quickly weaponize it in attacks in the wild.
Pierluigi Paganini (SecurityAffairs – hacking, Microsoft Defender)