
Two Windows Defender Zero-Days Are Still Unpatched. A Ransomware Gang Exploits the Gap. And Someone Weaponized Obsidian.

  • Writer: Patrick Duggan
  • 2 hours ago
  • 5 min read

Three stories broke this week that are actually one story. The thread connecting them is the gap — the window between when a vulnerability becomes known and when defenders can act on it. Every organization lives in that gap. The question is how wide yours is.





Story One: Nightmare-Eclipse


Huntress SOC published findings on a trio of Windows Defender zero-days being used together in the wild under the collective name Nightmare-Eclipse. Three separate privilege escalation flaws in the software that's supposed to protect the endpoint:


BlueHammer (CVE-2026-33825) — the one we wrote about Wednesday, the one CrowdStrike published their Patch Tuesday analysis about, the one the disgruntled researcher dropped publicly before Microsoft had a patch. Microsoft patched it in the April update. Active exploitation since April 10.


RedSun — no CVE assigned. No patch available. Active exploitation since April 16. Discovered by Huntress after BlueHammer was patched, as if the attackers had a backup ready.


UnDefend — no CVE assigned. No patch available. Active exploitation since April 16. Same timeline as RedSun. Same attacker toolkit. Different escalation path.


Two out of three are still open. Right now. On every Windows machine running Defender. Which is most of them.


CrowdStrike's Patch Tuesday analysis covered BlueHammer. It did not cover RedSun or UnDefend, because those were discovered after CrowdStrike published. The advisory that was supposed to help defenders understand the threat landscape was already incomplete by the time it was indexed.


This is not a criticism of CrowdStrike's analysis speed. This is an observation about how fast the threat landscape moves relative to how fast vendor advisories can keep up. By the time you read the advisory, two more zero-days are in the wild.


Our KEV index has BlueHammer (CVE-2026-33825). KEV catalogs, CISA's and ours, are keyed on CVE IDs, so until Microsoft assigns them, RedSun and UnDefend cannot appear in any of them. But Huntress published the exploitation indicators (file paths, registry keys, behavioral signatures), and those are the things defenders need right now, not a CVE number that hasn't been assigned.


If you run Windows Defender in production, your mitigation options for RedSun and UnDefend today are: monitor for the exploitation indicators Huntress published, restrict local privilege escalation paths via Group Policy, and wait for Microsoft to assign CVEs and ship patches. The gap is open. The attackers are inside it.
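What "monitor for the exploitation indicators" looks like in practice, as an added example that is not Huntress's tooling and not code from this site: a matcher that canonicalizes file paths and registry keys before comparing endpoint telemetry against a published IOC list. Naive string comparison misses case differences, forward slashes, ".." segments, the \\?\ prefix and long-form hive names, and an attacker who knows the published indicator can use any of those to slip past it. The IOC values and event lines below are constructed placeholders, not real Nightmare-Eclipse indicators; substitute the vendor's published paths and keys.

```python
"""Added example: match endpoint telemetry against a published IOC list.

Not Huntress's tooling and not this site's code. IOC values and event lines
are constructed placeholders, not real Nightmare-Eclipse indicators.
"""
import json
import ntpath

# Constructed placeholder IOCs standing in for a vendor-published list.
IOCS = {
    "file_paths": [r"C:\ProgramData\Placeholder\stage.dll"],
    "registry_keys": [r"HKLM\SOFTWARE\Placeholder\Loader"],
}

# Constructed telemetry, one JSON event per line (Sysmon-style file-create
# and registry-set events). Note the mixed case, forward slashes, ".." segment
# and long-form hive name: naive string comparison misses all of these.
EVENTS = [
    '{"ts":"2026-04-17T09:14:02Z","host":"ws-07","event":"file_create",'
    ' "path":"c:/programdata/Placeholder/../Placeholder/STAGE.DLL"}',
    '{"ts":"2026-04-17T09:14:03Z","host":"ws-07","event":"reg_set",'
    ' "key":"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\placeholder\\\\loader\\\\"}',
    '{"ts":"2026-04-17T09:20:11Z","host":"ws-12","event":"file_create",'
    ' "path":"C:\\\\Users\\\\alice\\\\notes.txt"}',
]

_HIVES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
    "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR", "HKEY_CURRENT_CONFIG": "HKCC",
}


def normalize_path(path):
    """Canonicalize a Windows path: drop the \\\\?\\ prefix, unify separators,
    resolve '.' and '..' segments, lower-case (NTFS lookups are case-insensitive)."""
    path = path.replace("/", "\\")
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return ntpath.normpath(path).lower()


def normalize_regkey(key):
    """Canonicalize a registry key: unify separators, trim trailing separators,
    collapse long-form hive names to their short aliases, lower-case."""
    key = key.replace("/", "\\").strip("\\")
    hive, sep, rest = key.partition("\\")
    hive = _HIVES.get(hive.upper(), hive.upper())
    return (hive + sep + rest).lower()


def scan(lines, iocs=IOCS):
    """Return one hit dict per event whose normalized path or key is in the IOC set."""
    file_iocs = {normalize_path(p) for p in iocs["file_paths"]}
    reg_iocs = {normalize_regkey(k) for k in iocs["registry_keys"]}
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev["event"] == "file_create":
            candidate, table, kind = normalize_path(ev["path"]), file_iocs, "file"
        elif ev["event"] == "reg_set":
            candidate, table, kind = normalize_regkey(ev["key"]), reg_iocs, "registry"
        else:
            continue
        if candidate in table:
            hits.append({"ts": ev["ts"], "host": ev["host"], "kind": kind, "ioc": candidate})
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

Behavioral signatures (process ancestry, the order of events) need process-tree context that this matcher does not model; the point here is that even the "simple" file and registry indicators need normalization on both sides of the comparison before they are worth anything.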





Story Two: Storm-1175 Lives in the Gap


Microsoft Threat Intelligence published a profile of Storm-1175, a financially motivated ransomware operation that specifically targets the window between vulnerability disclosure and widespread patch adoption. Their playbook: monitor for new CVE disclosures, build or buy exploit code, and hit organizations that haven't patched yet. The name for this is "N-day exploitation": not a zero-day (unknown to the vendor), not a closed hole (patch deployed), but the dangerous middle ground where the vulnerability is public, the exploit is available, and the patch exists but hasn't been applied.


Storm-1175 targets web-facing systems. Manufacturing and construction are their primary verticals. Construction ransomware incidents are up 44% year-over-year in Q1 2026.


What Microsoft described is exactly the threat model our exploit harvester was built to counter. When a weaponized proof-of-concept hits GitHub, our harvester catches it: we measured 37 minutes from public PoC to detection signature on CVE-2026-37748 earlier this week. The STIX feed pushes the detection signature to 275+ consumers. The gap between "exploit is public" and "defenders can detect it" shrinks from days to minutes.
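What a STIX 2.1 push of that kind looks like, as an added example that is not this site's harvester or feed code: the publisher emits a Vulnerability object for the CVE, an Indicator carrying a STIX pattern that matches the weaponized PoC by file hash, and an "indicates" relationship tying the two together; the consumer validates the required properties and follows the relationship rather than trusting an indicator's free-text name. The CVE is the one named above; the SHA-256 is of a constructed byte string, not a real PoC artifact. Standard library only, so it runs offline.

```python
"""Added example: publish an N-day detection as a STIX 2.1 bundle and consume it.

Not this site's harvester or feed code. The CVE identifier is the one named in
the post; the hash is of a constructed byte string, not a real PoC artifact.
"""
import hashlib
import json
import uuid
from datetime import datetime, timezone


def _now():
    # STIX 2.1 timestamps are RFC 3339 in UTC with a trailing 'Z'.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def build_bundle(cve_id, sha256, description):
    """Return a STIX 2.1 bundle: a Vulnerability (the CVE), an Indicator whose
    pattern matches the weaponized PoC by file hash, and an 'indicates'
    relationship from the indicator to the vulnerability. Every object carries
    the required type/spec_version/id/created/modified properties."""
    ts = _now()
    vuln = {
        "type": "vulnerability", "spec_version": "2.1",
        "id": f"vulnerability--{uuid.uuid4()}",
        "created": ts, "modified": ts, "name": cve_id,
        "external_references": [{"source_name": "cve", "external_id": cve_id}],
    }
    indicator = {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "name": f"Weaponized PoC for {cve_id}",
        "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[file:hashes.'SHA-256' = '{sha256}']",
        "pattern_type": "stix", "pattern_version": "2.1",
        "valid_from": ts,
    }
    rel = {
        "type": "relationship", "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "relationship_type": "indicates",
        "source_ref": indicator["id"], "target_ref": vuln["id"],
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [vuln, indicator, rel]}


def consume(bundle_json):
    """Consumer side: parse bundle text and return {cve_id: [stix patterns]}.
    Rejects objects missing required properties and only accepts patterns
    reached through an 'indicates' relationship to a CVE-referenced vulnerability."""
    bundle = json.loads(bundle_json)
    by_id = {}
    for obj in bundle["objects"]:
        for prop in ("type", "spec_version", "id", "created", "modified"):
            if prop not in obj:
                raise ValueError(f"object missing required property {prop!r}: {obj}")
        by_id[obj["id"]] = obj
    out = {}
    for obj in by_id.values():
        if obj["type"] != "relationship" or obj.get("relationship_type") != "indicates":
            continue
        src, tgt = by_id.get(obj["source_ref"]), by_id.get(obj["target_ref"])
        if not src or not tgt or src["type"] != "indicator" or tgt["type"] != "vulnerability":
            continue
        if src.get("pattern_type") != "stix":
            continue  # only STIX patterns are evaluated here; skip snort/yara/sigma payloads
        cves = [r["external_id"] for r in tgt.get("external_references", [])
                if r.get("source_name") == "cve"]
        for cve in cves:
            out.setdefault(cve, []).append(src["pattern"])
    return out


# Constructed sample: hash of a placeholder byte string, not a real PoC file.
SAMPLE_SHA256 = hashlib.sha256(b"constructed placeholder, not a real exploit").hexdigest()


def demo():
    bundle = build_bundle("CVE-2026-37748", SAMPLE_SHA256, "constructed example")
    return consume(json.dumps(bundle))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The consumer deliberately keys on the relationship graph, not on the indicator's name: a feed that is pushed to hundreds of consumers should carry its CVE linkage as structured data, so downstream tooling can match it against a KEV entry or a patch record without parsing prose.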


Storm-1175's business model depends on that gap being wide. Ours depends on making it narrow. Microsoft's own threat intelligence team just described the problem. We're one of the organizations building the solution.


The irony: Storm-1175 weaponizes N-days. We catch weaponized N-days in 37 minutes. The race is real, and the gap is the prize. Every hour the gap stays open, Storm-1175 wins. Every hour it closes faster, defenders win.





Story Three: PHANTOMPULSE Via Obsidian


A social engineering campaign is using Obsidian — the popular cross-platform note-taking application — as an initial access vector to deliver a previously undocumented Windows RAT called PHANTOMPULSE. Targets: individuals in financial services and cryptocurrency.


The attack works because Obsidian community plugins run unsandboxed, with the same access as the application itself (on desktop that includes Node.js APIs), and users trust the application because it runs locally and stores notes on-device. The attacker distributes a malicious Obsidian plugin that appears legitimate, the victim installs it, and PHANTOMPULSE gets a foothold.


This matters to us for two reasons.


First: Obsidian is on our integration roadmap. We're building a DugganUSA plugin for Obsidian that enriches IOCs inline — paste an IP in your notes, get threat enrichment. The PHANTOMPULSE campaign demonstrates that Obsidian's plugin ecosystem is now an active attack surface. Our plugin, when it ships, will need to address the same trust questions that the PHANTOMPULSE campaign exploits: why should you install a community plugin that calls an external API? The answer is the same answer we give for every integration: open source, MIT licensed, no telemetry, only IOC values transmitted, inspect the code yourself.


Second: the PHANTOMPULSE RAT is a new indicator set. If you're an Obsidian user in financial services or crypto, check your installed plugins against the indicators Huntress and The Hacker News published. If you consume our STIX feed, PHANTOMPULSE indicators will be in the next harvest cycle as they propagate through the upstream sources.
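One way to run that check against a vault on disk, as an added example that is not Huntress's or this site's code: inventory the installed community plugins, hash each plugin's main.js, and flag hash or plugin-id matches against an indicator list, plus two heuristics worth a look on their own (a manifest whose id does not match its directory, and a plugin enabled in the config but absent from disk). It assumes Obsidian's on-disk layout, <vault>/.obsidian/community-plugins.json for the enabled plugin ids and <vault>/.obsidian/plugins/<id>/{manifest.json,main.js} per plugin. The indicator values are constructed placeholders, not real PHANTOMPULSE indicators; swap in the published hashes and ids.

```python
"""Added example: audit an Obsidian vault's community plugins against an IOC list.

Not Huntress's or this site's code. Indicator values below are constructed
placeholders, not real PHANTOMPULSE indicators. Assumes Obsidian's layout:
<vault>/.obsidian/community-plugins.json and <vault>/.obsidian/plugins/<id>/.
"""
import hashlib
import json
import os
import tempfile

# Constructed placeholder indicators standing in for a published list.
IOC_MAIN_JS_SHA256 = {hashlib.sha256(b"constructed malicious main.js").hexdigest()}
IOC_PLUGIN_IDS = {"placeholder-loader"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_vault(vault):
    """Return a list of findings, each {'plugin': <id or dir>, 'reason': <text>}."""
    cfg = os.path.join(vault, ".obsidian")
    enabled = set()
    enabled_path = os.path.join(cfg, "community-plugins.json")
    if os.path.exists(enabled_path):
        with open(enabled_path) as f:
            enabled = set(json.load(f))
    findings, seen = [], set()
    plugins_dir = os.path.join(cfg, "plugins")
    if os.path.isdir(plugins_dir):
        for entry in sorted(os.listdir(plugins_dir)):
            pdir = os.path.join(plugins_dir, entry)
            if not os.path.isdir(pdir):
                continue
            seen.add(entry)
            try:
                with open(os.path.join(pdir, "manifest.json")) as f:
                    manifest = json.load(f)
            except (OSError, ValueError):
                findings.append({"plugin": entry, "reason": "unreadable or missing manifest.json"})
                continue
            pid = manifest.get("id", "")
            if pid != entry:  # heuristic: sideloaded or tampered plugins often mismatch
                findings.append({"plugin": entry, "reason": f"manifest id {pid!r} does not match directory"})
            if pid in IOC_PLUGIN_IDS:
                findings.append({"plugin": entry, "reason": "plugin id on indicator list"})
            main_js = os.path.join(pdir, "main.js")
            if os.path.exists(main_js):
                digest = sha256_file(main_js)
                if digest in IOC_MAIN_JS_SHA256:
                    findings.append({"plugin": entry, "reason": f"main.js sha256 {digest} on indicator list"})
            else:
                findings.append({"plugin": entry, "reason": "no main.js present"})
    for pid in sorted(enabled - seen):
        findings.append({"plugin": pid, "reason": "enabled in community-plugins.json but no plugin directory"})
    return findings


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb" if isinstance(data, bytes) else "w") as f:
        f.write(data)


def demo():
    """Build a constructed vault (one benign plugin, one whose main.js matches the
    placeholder hash, one enabled-but-missing id) and audit it."""
    with tempfile.TemporaryDirectory(prefix="vault-") as vault:
        cfg = os.path.join(vault, ".obsidian")
        _write(os.path.join(cfg, "community-plugins.json"),
               json.dumps(["good-notes", "sync-helper", "ghost"]))
        _write(os.path.join(cfg, "plugins", "good-notes", "manifest.json"),
               json.dumps({"id": "good-notes", "name": "Good Notes", "version": "1.0.0"}))
        _write(os.path.join(cfg, "plugins", "good-notes", "main.js"), b"module.exports = {};")
        _write(os.path.join(cfg, "plugins", "sync-helper", "manifest.json"),
               json.dumps({"id": "sync-helper", "name": "Sync Helper", "version": "0.1.0"}))
        _write(os.path.join(cfg, "plugins", "sync-helper", "main.js"), b"constructed malicious main.js")
        return audit_vault(vault)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Hashing main.js is the check that survives a plugin renaming itself; the id and directory-name heuristics are cheap and catch the sloppy cases, but a hash list is only as fresh as the last harvest, so treat a clean result as "nothing known", not "nothing there".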





The Thread


Nightmare-Eclipse (two unpatched Defender zero-days), Storm-1175 (ransomware gang that weaponizes the patch gap), and PHANTOMPULSE (RAT delivered via a trusted note-taking app) are three different threats with one common physics: the gap between when a threat becomes real and when defenders can act.


For Nightmare-Eclipse, the gap is between Huntress publishing exploitation indicators and Microsoft shipping patches. For Storm-1175, the gap is between CVE disclosure and enterprise patch deployment. For PHANTOMPULSE, the gap is between a malicious plugin appearing in a community marketplace and users recognizing it as hostile.


Every integration we shipped this week — the VS Code extension, the CLI tool, the GitHub Action, the Splunk TA, the Sentinel connector, the Elastic module, the Chrome extension, the Slack bot — is an attempt to close a different instance of the same gap. Put the threat intelligence where the decision happens, before the gap closes on its own or — worse — before the attacker gets there first.


The gap isn't going away. The attackers aren't slowing down. The only variable is how fast the intelligence reaches the people who need it.


We close it in 37 minutes. The integrations close it at the point of decision. The rest is just the gap doing what gaps do — waiting to be exploited or defended.


— Patrick




