{"id":12788,"date":"2026-04-21T12:19:18","date_gmt":"2026-04-21T12:19:18","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/04\/23\/windows-defender-under-fire-bluehammer-and-redsun-exploited\/"},"modified":"2026-04-24T17:34:46","modified_gmt":"2026-04-24T17:34:46","slug":"windows-defender-under-fire-bluehammer-and-redsun-exploited","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/04\/21\/windows-defender-under-fire-bluehammer-and-redsun-exploited\/","title":{"rendered":"Windows Defender Under Fire: BlueHammer and RedSun Exploited Since April\u202f16"},"content":{"rendered":"<div style=\"color:#888;font-size:0.85em;margin:0 0 16px;\"><span class=\"article-date\">As of: April 2026<\/span> (21.04.2026)<\/div>\n<p><strong>Windows Defender has been under active attack since 16 April 2026. The two privilege escalation vulnerabilities BlueHammer (CVE-2026-33825) and RedSun, disclosed on April Patch Tuesday, are now being exploited in real-world incidents. Attackers are chaining the exploits with UnDefend to establish persistence, dump credentials, move laterally, and deploy ransomware. For security teams at DACH organisations, this represents the highest urgency level seen in months.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">Two zero-days in Windows Defender.<\/strong> BlueHammer (CVE-2026-33825, patched 14.04.) 
and the subsequently released RedSun exploit both target privilege escalation via a TOCTOU (Time-of-Check to Time-of-Use) race condition in the Threat Remediation Engine.<\/li>\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">Active exploitation since 16.04.<\/strong> Threat intelligence feeds are documenting campaigns that chain BlueHammer, RedSun, and UnDefend. The result: persistence, credential dumping, ransomware deployment, and lateral movement.<\/li>\n<li><strong style=\"color:#69d8ed;\">April Patch Tuesday with 167 fixes.<\/strong> The April rollup closes 167 vulnerabilities, including two zero-days. Organisations that have not yet patched are days away from active exploitation.<\/li>\n<\/ul>\n<\/div>\n<h2>What BlueHammer and RedSun mean technically<\/h2>\n<p><strong>What is BlueHammer?<\/strong> BlueHammer is the public name for zero-day CVE-2026-33825 in Windows Defender. Technically, it is a TOCTOU race condition in the Threat Remediation Engine. 
A local attacker exploits the window between the check and the processing of a file classified as malicious to escalate their own privileges to SYSTEM level.<\/p>\n<p>The exploit was published on 7 April 2026, before Microsoft had rolled out a patch. April Patch Tuesday (14.04.) closed CVE-2026-33825. Two days later, the same researcher published a second exploit, RedSun, which the author described as a protest against Microsoft&#8217;s disclosure process. RedSun exploits a related vulnerability that was not fully addressed in the April patch. UnDefend, finally, is a supplementary tool that bypasses Defender monitoring itself.<\/p>\n<h2>Why attackers operationalized this so quickly<\/h2>\n<p>From an attacker&#8217;s perspective, the BlueHammer plus RedSun plus UnDefend combination is close to perfect. The local privilege escalation path works on a large share of Windows endpoints that haven&#8217;t been fully patched in the past 14 days. Attackers bypass EDR telemetry because UnDefend disables the detection components. They then dump credentials from LSASS, move laterally, and deploy their payload \u2014 typically ransomware.<\/p>\n<p>Threat intelligence feeds from Europe and the United States have consistently reported incidents in the financial sector, healthcare, and manufacturing since April 16. Germany&#8217;s BSI has not yet issued an official advisory of its own; coordination is running through CERT-Bund channels to the affected sectors. The next 48 to 72 hours will determine how broadly the wave spreads. Several threat intelligence firms report that Russia-linked ransomware groups have already integrated the combination into their attack kits, accelerating its adoption.<\/p>\n<p>The case illustrates how tightly disclosure cycles and active exploitation are coupled in 2026. In this instance, roughly nine days elapsed between the public proof-of-concept release and the first active campaign. Three years ago, that window was three to six weeks. 
The shrinking timeframe poses fundamental questions for traditional patch management processes. Out-of-band patches and automated deployment pipelines are no longer luxury features \u2014 they are operational necessities.<\/p>\n<div class=\"evm-stat evm-stat-highlight\" style=\"text-align:center;background:#003340;border-radius:12px;padding:32px 24px;margin:32px 0;\">\n<div style=\"font-size:48px;font-weight:700;color:#fff;letter-spacing:-0.03em;\">167 CVEs<\/div>\n<div style=\"font-size:15px;color:#fff;margin-top:8px;max-width:480px;margin-left:auto;margin-right:auto;line-height:1.5;\">Total scope of the Microsoft April 2026 Patch Tuesday rollout. Two of them are zero-days; several others carry privilege escalation potential. Prioritized patch rounds are mandatory.<\/div>\n<div style=\"font-size:12px;color:#69d8ed;margin-top:12px;\">Source: Microsoft Security Response Center, April 2026 Patch Tuesday Summary.<\/div>\n<\/div>\n<h2>What Security Teams Should Do in the Next 72 Hours<\/h2>\n<div class=\"pros-cons\" style=\"display:grid;grid-template-columns:repeat(auto-fit,minmax(280px,1fr));gap:16px;margin:28px 0;\">\n<div style=\"background:#fafafa;border-top:3px solid #c0392b;padding:18px 20px;border-radius:4px;\">\n<p style=\"margin:0 0 10px 0;font-size:0.78em;font-weight:700;text-transform:uppercase;letter-spacing:0.12em;color:#c0392b;\">Immediate Priorities<\/p>\n<ul style=\"margin:0;padding-left:18px;color:#333;line-height:1.55;font-size:0.95em;\">\n<li style=\"margin-bottom:6px;\">Verify patch status across all Windows endpoints<\/li>\n<li style=\"margin-bottom:6px;\">Force April Patch Tuesday deployment, including on lagging clients<\/li>\n<li style=\"margin-bottom:6px;\">Check EDR telemetry for Defender service stops<\/li>\n<li>Pull the incident response playbook from the archive<\/li>\n<\/ul>\n<\/div>\n<div style=\"background:#fafafa;border-top:3px solid #2d7a3e;padding:18px 20px;border-radius:4px;\">\n<p style=\"margin:0 0 10px 
0;font-size:0.78em;font-weight:700;text-transform:uppercase;letter-spacing:0.12em;color:#2d7a3e;\">Medium-Term Hardening<\/p>\n<ul style=\"margin:0;padding-left:18px;color:#333;line-height:1.55;font-size:0.95em;\">\n<li style=\"margin-bottom:6px;\">Host hardening against LSASS dumping (Credential Guard)<\/li>\n<li style=\"margin-bottom:6px;\">Activate alerts for UnDefend indicators in your SIEM<\/li>\n<li style=\"margin-bottom:6px;\">Review lateral movement controls and network segmentation<\/li>\n<li>Evaluate a second EDR alongside Defender for defense-in-depth<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<p>The single most important immediate action is patch velocity. April Patch Tuesday is still mid-rollout at many organizations \u2014 deployment waves typically take 7 to 14 days. In the current threat environment, that cycle is too long. CISOs should work with their client management teams to stand up an emergency wave that forces the April rollup to all endpoints. Anyone still sitting at the March patch level has an acute problem.<\/p>\n<p>Running a hunting sweep over endpoint telemetry in parallel with the patch wave is well worth the effort. Defender service stops, unexpected LSASS access, and anomalous SYSTEM-level processes are the signals that reveal attackers right now. Sentinel customers have prebuilt analytics rules for exactly this; CrowdStrike enabled IOA detections in its April update. For teams without a dedicated threat hunter, a two-hour sweep across the last seven days is enough to surface suspicious patterns.<\/p>\n<p>Finally, there is an organizational point that matters. BlueHammer and RedSun have demonstrated that exploit releases ahead of patches will be more common in 2026. The classic Patch Tuesday cadence is no longer a safe assumption. Security teams should work with client management and leadership to define a standing rule that permits out-of-band patch rollouts when zero-days are actively exploited. 
Organizations that have not documented this decision in advance will lose days in approval chains they simply cannot afford.<\/p>\n<h2>Frequently Asked Questions<\/h2>\n<h3>How do I detect attacks using BlueHammer or RedSun?<\/h3>\n<p>Indicators of compromise include unusual Defender service stops, unexpected SYSTEM-level processes with parent processes originating in user sessions, and clustered LSASS access shortly after login events. Threat intelligence providers including CrowdStrike, Microsoft Defender for Endpoint, and Sentinel have already incorporated these patterns into current detection rules. Running a custom hunt in your SIEM against these signatures is worthwhile right now.<\/p>\n<h3>What should I do if the April patch has not yet rolled out across the organization?<\/h3>\n<p>Accelerate the deployment wave immediately. Standard rollout timelines are not suited to the current threat landscape. If a patch is delayed for compatibility reasons, temporary workarounds are documented in the relevant Microsoft advisories. In the meantime, reinforce network segmentation and Zero Trust access controls at critical chokepoints.<\/p>\n<h3>Does this attack affect servers, or only Windows clients?<\/h3>\n<p>Primarily clients, since the attack path requires an active user session. However, Windows servers running interactive logins or Terminal Services are equally in scope. 
Defender for Servers and the corresponding Azure counterparts carry the relevant patches, though server rollout prioritization is often weaker than on the client side.<\/p>\n<p style=\"text-align:right;\"><em>Image source: Pexels \/ Tima Miroshnichenko 
(px:5380664)<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"BlueHammer (CVE-2026-33825) and RedSun in Windows Defender have been actively exploited since April 16. What security teams need to do now.","protected":false},"author":10,"featured_media":12561,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"","_yoast_wpseo_title":"","_yoast_wpseo_metadesc":"Windows Defender under attack: BlueHammer (CVE-2026-33825) and RedSun actively exploited since Apr 16. Prioritize patching and IOC hunting now. Windows Defender under attack: BlueHammer (CVE-2026-33825) and RedSun actively exploited since Apr 16. Prioritize patch rollout + IOC hunting.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":"","_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":"","footnotes":""},"categories":[3],"tags":[],"class_list":["post-12788","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aktuelles"],"wpml_language":"en","wpml_translation_of":12562,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/12788","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=12788"}],"version-history":[{"count":1,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/12788\/
revisions"}],"predecessor-version":[{"id":12924,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/12788\/revisions\/12924"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/12561"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=12788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=12788"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=12788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}