
BlueHammer, RedSun, UnDefend: Three Tools Hammering Microsoft Defender Right Now.

  • Writer: Patrick Duggan

A researcher going by Chaotic Eclipse dropped a Microsoft Defender 0day on April 7, 2026. The vulnerability, now tracked as CVE-2026-33825 and named BlueHammer, is a TOCTOU race condition in Defender's malware cleanup engine. It allows a low-privileged user to escalate to SYSTEM on fully-patched Windows 10 and Windows 11. CVSS 7.8. Microsoft eventually patched it in Defender Antimalware Platform version 4.18.26050.3011. CISA added it to the Known Exploited Vulnerabilities catalog on April 22, 2026 — the official confirmation that BlueHammer is being exploited in production attacks right now, not theory.


That is the part that has a CVE.


The part without CVEs is the part that should worry you more.


The same disclosure cluster includes two additional named toolkits — RedSun and UnDefend — that are being indexed by community detection engineers alongside BlueHammer in a coordinated three-folder threat-hunting pack. As of this morning, neither RedSun nor UnDefend has a CVE assigned. Microsoft has not publicly named either one. There is no CISA KEV entry for the toolkits Microsoft has not formally acknowledged. The community is shipping detection rules for behaviors Microsoft is not currently confirming as vulnerabilities.


Here is what the public artifacts say each tool does.


BlueHammer (CVE-2026-33825). TOCTOU race in Defender's malware cleanup engine. Low-priv user → SYSTEM. Public PoC at github.com/kaleth4/CVE-2026-33825 published April 22, the same day CISA added the CVE to KEV. The PoC walks through the exploitation flow in detail, in Spanish, with NIST and Microsoft official-source attribution badges. It is not a demonstration repo. It is operational code.


RedSun. No CVE assigned. The Letlaka detection pack indexes it with eleven KQL queries covering Cloud Files abuse, temporary payload staging, reparse and oplock telemetry, Storage Tiers COM activation, Defender-origin file writes, and SYSTEM execution artifacts. That is a multi-stage attack chain pattern, not a single bug. It walks like a kill chain. Microsoft has not named it.


UnDefend. No CVE assigned. The Letlaka pack ships eight KQL queries for Defender registry reconnaissance, signature file access, update directory monitoring, WinDefend service monitoring, update or engine failure conditions, and MRT (Malicious Software Removal Tool) directory access. Translation: this is the reconnaissance and disable layer. Once you have BlueHammer's SYSTEM, UnDefend's job is to keep Defender from telling anyone.


The full chain reads like a textbook. RedSun establishes initial foothold and stages payloads through Cloud Files and Storage Tiers. BlueHammer escalates to SYSTEM via the TOCTOU race. UnDefend disables the security control that would normally see all of this happen. Three named tools, one ecosystem, one defender, two of three not yet acknowledged by the vendor.


Why you should care if you run Microsoft Defender.


Roughly a billion machines worldwide run Defender as their primary endpoint security control. The patch for BlueHammer exists — Antimalware Platform 4.18.26050.3011 or later. If your fleet's Defender platform version is below that, you are exposed. The query to check it is on every Microsoft TechNet page about Defender platform updates. Microsoft pushes platform updates separately from Windows Update, and the lag is real; we have seen environments running 4.18.25xxx versions weeks after a fix shipped.


The harder problem is the part Microsoft has not fixed. RedSun and UnDefend will not appear on any Patch Tuesday note this month because neither has a CVE. The detection coverage is community-shipped KQL queries that you have to load into Defender XDR Advanced Hunting by hand. There is no automatic deployment. If you have not already imported the Letlaka detection pack — which the README itself flags as AI-generated, in need of review and tuning, and covered by explicit no-warranty language — your Defender XDR tenant has no signal on the chain that follows BlueHammer.


Here is what to do tonight.


If you run Microsoft Defender at any scale, query your fleet for Antimalware Platform versions below 4.18.26050.3011 and force the update. The KQL is straightforward — DeviceTvmSecureConfigurationAssessment | where ConfigurationId in ("scid-2010", "scid-2011") will surface the platform version on every monitored endpoint. The patch closes BlueHammer specifically. It does not close RedSun or UnDefend, because those do not have patches.
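An added fleet check in PowerShell, not code from the post or from any of the repos it cites, assuming WinRM is enabled and the caller has admin rights on the targets: Get-MpComputerStatus exposes the Antimalware Platform build as AMProductVersion, and comparing it as a [version] avoids the string-ordering trap where "4.18.9xxx" would sort above "4.18.26050".

```powershell
# Added example (not from the post): compare each endpoint's Defender Antimalware
# Platform version against the fixed build named in the post.
$FixedBuild = [version]'4.18.26050.3011'   # fixed platform build per the post

function Test-DefenderPlatform {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$PlatformVersion,   # AMProductVersion string
        [string]$EngineVersion
    )
    # Platform versions are dotted quads, so [version] compares them numerically;
    # a plain string comparison would rank 4.18.9xxx above 4.18.26050.
    $current = [version]$PlatformVersion
    [pscustomobject]@{
        ComputerName    = $ComputerName
        PlatformVersion = $current
        EngineVersion   = $EngineVersion
        Patched         = ($current -ge $FixedBuild)
    }
}

# Constructed target list for illustration; replace with an AD or MDE export.
$targets = @('ws-fin-01', 'ws-fin-02', 'srv-file-01')

# Get-MpComputerStatus is the built-in Defender cmdlet: AMProductVersion is the
# platform build, AMEngineVersion the scan engine. Invoke-Command tags each
# returned object with PSComputerName.
$results = Invoke-Command -ComputerName $targets -ErrorAction Continue -ScriptBlock {
    Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion
} | ForEach-Object {
    Test-DefenderPlatform -ComputerName $_.PSComputerName `
        -PlatformVersion $_.AMProductVersion -EngineVersion $_.AMEngineVersion
}

$results | Sort-Object Patched, ComputerName | Format-Table -AutoSize

# Hosts still below the fixed build need the platform update pushed out of band;
# Update-MpSignature refreshes definitions only, not the platform itself.
$exposed = @($results | Where-Object { -not $_.Patched })
if ($exposed.Count -gt 0) {
    Write-Warning ("{0} host(s) below {1}: {2}" -f $exposed.Count, $FixedBuild,
        ($exposed.ComputerName -join ', '))
}
```

Hosts that fail to answer over WinRM are reported by Invoke-Command as errors and simply drop out of $results, so reconcile the output against your inventory rather than treating silence as patched.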


If you have a SOC capable of running Advanced Hunting, pull the Letlaka detection pack from github.com/Letlaka/redsun-bluehammer-undefend-detection-pack. Treat the queries as research-grade, not production-grade. Tune them in your environment before alerting on them. The author explicitly disclaims warranty and notes the queries are AI-generated. That is the right call on their part, and you should respect it.


If you do not have a SOC and you are running Defender as a primary control, you should know that your security stack has a vulnerability with a working public PoC, two related toolkits Microsoft has not publicly named, and a community detection layer that is your only signal on the chain. The cost of subscribing to a threat intelligence feed that tracks all three of those by name is nine dollars a month. We are that feed.


A note on what we will not claim. We are NOT the first ones to publish on BlueHammer. CISA added CVE-2026-33825 to KEV on April 22. The kaleth4 PoC published the same day. The Letlaka and Bilal3755 detection repos predated this post by several days. We were behind on this one and we are saying so. What we are doing today is naming the three tools together — BlueHammer, RedSun, UnDefend — and tying them to Chaotic Eclipse's April 7 disclosure as one ecosystem rather than three unrelated bugs. That is the value-add, not the discovery.


Sources: NVD CVE-2026-33825, CISA Known Exploited Vulnerabilities catalog April 22 addition, github.com/kaleth4/CVE-2026-33825, github.com/Letlaka/redsun-bluehammer-undefend-detection-pack, github.com/Bilal3755/Detecting_blue_hammer_vuln, Microsoft Defender Antimalware Platform release notes for build 4.18.26050.3011.

