
We Named Microsoft's Defender Zero-Days on May 20. Microsoft's Answer Was to Ban the Researcher From Its Own GitHub and Sic Its Crimes Unit on Him. RedSun and MiniPlasma Are Still Unpatched.

  • Writer: Patrick Duggan

On May 20, we indexed an IOC in our corpus named defender-attack-surface-campaign-2026-05-20. It named BlueHammer, RedSun, UnDefend, and two CVEs as a single family of Microsoft Defender privilege-escalation flaws. We had been writing about the first of them, BlueHammer, since April 17. Eight days after our May 20 index entry, the broad news cycle caught up and the trade press started covering the cluster. We are telling you this not to take a victory lap — though forty days of lead time on a KEV-listed, actively exploited Defender bug family is exactly the lead time we exist to provide — but because those forty days are the context for the part of this story that should bother you more than the bugs themselves. While the holes sat open, Microsoft spent its energy on the man who pointed at them.


Here is the situation as it actually stands today. A researcher operating as Nightmare-Eclipse released six Windows zero-day exploits in a six-week sprint starting April 3 — BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma, most of them privilege-escalation flaws in Windows Defender, the software that is supposed to be the thing protecting the endpoint. Three of them — BlueHammer, RedSun, UnDefend — were weaponized in real-world attacks and added to CISA's Known Exploited Vulnerabilities catalog. As of this week, RedSun and MiniPlasma remain unpatched. MiniPlasma, which originated as a Google Project Zero report, has been confirmed to open a SYSTEM-level command prompt on a fully patched Windows 11 Pro machine. These are not theoretical. They are exploited, cataloged, and in two cases still open.


And Microsoft's response to that reality was to ban the researcher from GitHub — which Microsoft owns — around May 23. GitLab followed three days later. Microsoft's Security Response Center published a post criticizing the public disclosure as putting customers at "unnecessary risk," and invoked its Digital Crimes Unit, the arm that handles criminal referrals and law-enforcement coordination, with language about pursuing the researchers "and those that enable their criminal activity." Then, when the security community reacted the way the security community always reacts to a hundred-billion-dollar company threatening a lone researcher with prosecution, Microsoft clarified that it would not actually sue security researchers after all. Ban first, threaten second, walk it back third, patch — for RedSun and MiniPlasma — not yet.


We are not going to hand you a clean hero in this story, because there isn't one, and pretending otherwise is the dishonest version. Dropping six weaponized, unpatched zero-day exploits to public repositories is not noble full-disclosure. Three of these got used against real victims, and a researcher who publishes a working SYSTEM exploit for a fully-patched OS with no fix available is endangering every defender downstream, whatever their grievance. The researcher's grievance is real too — they claim Microsoft revoked their MSRC reporting account, the literal portal for submitting vulnerabilities, and left a bug bounty unpaid, which if true is Microsoft breaking the coordinated-disclosure machine from its own end. Both things can be true. A reckless researcher and a vendor that mishandled the relationship until coordinated disclosure collapsed are not mutually exclusive. They usually travel together.


But here is the part that cuts through all of it, and it is the only part a defender needs: the disclosure drama does not patch RedSun, and it does not patch MiniPlasma. Microsoft has roughly seventy-eight billion dollars in liquid cash. The choice of where to spend institutional energy — bans, MSRC blog posts, Digital Crimes Unit referrals, and a public-relations walk-back — versus shipping the two fixes that are still outstanding, is a choice. Every hour spent on the messenger is an hour the SYSTEM-level hole on fully-patched Windows 11 stays open. The researcher's repo is gone from GitHub and GitLab, and it does not matter, because weaponized exploit code does not un-exist when a platform deletes the account; it is archived and circulating in private channels right now, in the hands of exactly the people the takedown was supposed to stop. The ban removed the warning label. It did not remove the exploit.


So the honest, 95%-capped read: we have been forty days ahead on this cluster because we watch where the exploits stage, not where the vendor's press releases land, and that gap is the whole value of left-of-boom. The bugs are real, three are exploited, two are open, and a seventh act is scheduled — Nightmare-Eclipse has aimed explicit language at July 14, the next Patch Tuesday after June. Whatever you think of the researcher, do the defender thing: assume RedSun and MiniPlasma are live in your environment, hunt the Defender privilege-escalation surface now, and do not wait for the vendor whose first instinct was to ban the person holding the flashlight. The holes are where the flashlight was pointing. They are still there.



