RoguePlanet: How a Windows Zero-Day Turns Microsoft Defender Into a Privilege Escalation Weapon
Category: Vulnerability Research | Windows Security | Zero-Day Analysis
Published: June 10, 2026
Table of Contents
- The Setup: Seven Zero-Days in Ten Weeks
- Who Is Nightmare-Eclipse?
- What Is RoguePlanet?
- Why Defender's Quarantine Pipeline Is the Target
- The Seven-Stage Attack Chain Explained
- The Poseidon I/O System: Turning a Race Condition Into a Reliable Exploit
- Why This Is Not a Typical Privilege Escalation Bug
- Current Patch Status and the Defender Signature Limitation
- The Attacker's Own Words
- MITRE ATT&CK Mapping
- Detection and Hunting Guidance for Defenders
- IOC Reference
- The Bigger Picture: A Sustained Campaign Against Windows Security
- References
1. The Setup: Seven Zero-Days in Ten Weeks
On June 10, 2026 hours after Microsoft shipped its June Patch Tuesday updates a new GitHub repository appeared under the handle MSNightmare. The repository contained RoguePlanet, a working proof-of-concept for a Windows local privilege escalation zero-day. The timing was deliberate. Three of the researcher's prior exploits had just received patches in the same Patch Tuesday release. The response was to drop a new one the same day.
This is not an isolated vulnerability disclosure. RoguePlanet is the seventh exploit targeting Windows security components released by the same researcher across a span of roughly ten weeks. The first dropped on April 3, 2026. The researcher has operated under three aliases: Nightmare-Eclipse, Chaotic Eclipse, and now MSNightmare. None of these releases went through coordinated disclosure with Microsoft. All were published directly to GitHub or mirrors with full proof-of-concept code.
The prior six tools in this cluster:
| Tool | CVE | Patch Status | Notes |
|---|---|---|---|
| BlueHammer | CVE-2026-33825 (CVSS 7.8) | Patched April 14, 2026 | Added to CISA KEV. Confirmed real-world exploitation. |
| RedSun | CVE-2026-41091 | Patched May 21, 2026 (out-of-band) | Added to CISA KEV. Confirmed exploitation. |
| UnDefend | CVE-2026-45498 | Patched May 21, 2026 (out-of-band) | Added to CISA KEV. |
| YellowKey | CVE-2026-45585 | Patched June 9, 2026 (Patch Tuesday) | |
| GreenPlasma | CVE-2026-45586 | Patched June 9, 2026 (Patch Tuesday) | |
| MiniPlasma | CVE-2020-17103 (researcher-attributed) | Patched June 9, 2026 (Patch Tuesday) | Described as a comprehensive re-exploitation of an incomplete 2020 fix. |
| RoguePlanet | No CVE assigned | No patch available | PoC publicly available as of June 10, 2026. |
BlueHammer, RedSun, and UnDefend have already been documented in real-world attack chains by Huntress researchers. The threat from the earlier tools has moved beyond proof-of-concept into active exploitation. RoguePlanet, as a new unpatched release, begins at a higher threat level than most disclosures start from, precisely because the researcher's prior work has already demonstrated that these tools reach production attackers.
2. Who Is Nightmare-Eclipse?
The identity behind these releases is unknown. The researcher operates under the aliases Nightmare-Eclipse, Chaotic Eclipse, and Dead Eclipse across GitHub and a self-hosted Blogger site at deadeclipse666.blogspot.com. Their blog posts are cryptographically signed with PGP a detail that signals either genuine operational security awareness or a deliberate effort to establish authenticity for their public persona. The MSNightmare GitHub profile lists affiliation as "Microsoft," which appears to be a deliberate provocation rather than a factual claim.
The stated motivation is grievance. In signed posts on their blog, the researcher describes a history with Microsoft's Security Response Center (MSRC) that includes having portal access revoked, submitted vulnerability reports dismissed, bounties refused on confirmed findings, and what they characterize as defamation. Whether these claims are accurate cannot be independently verified, but they establish the researcher's public framing for why they chose not to coordinate disclosure.
The technical consistency across seven releases all targeting Microsoft Defender or closely related Windows security components, all using overlapping primitive sets around NTFS junction manipulation, opportunistic locks, and scheduled task abuse indicates a single researcher or small team with deep, sustained focus on one attack surface rather than a broad vulnerability hunter operating across different codebases.
Microsoft took action on the researcher's accounts:
- May 23, 2026: GitHub terminated the Nightmare-Eclipse account and removed all six prior exploit repositories.
- May 26, 2026: GitLab suspended the mirrored account and removed repositories.
Both takedowns appear to have accelerated distribution rather than slowing it. Within hours of the GitLab removal, copies of the repositories spread to paste sites, alternative Git hosts, and security forums. The new MSNightmare account and the self-hosted mirror at git.projectnightcrawler[.]dev/NightmareEclipse ensure the code remains accessible regardless of platform-level enforcement.
3. What Is RoguePlanet?
RoguePlanet is a local privilege escalation (LPE) exploit for Windows that elevates a standard, unprivileged user account to NT AUTHORITY\SYSTEM the highest privilege level on a Windows system. It has been confirmed working on a fully patched Windows 11 Pro host by the Cyderes Howler Cell Threat Research Team.
What makes it unusual is what it does not require:
- No kernel exploit
- No memory corruption bug
- No administrative rights
- No driver installation
- No software other than what is present in a default Windows installation with Defender active
The exploit works by threading together five legitimate Windows components Microsoft Defender's real-time scan and quarantine pipeline, NTFS directory junctions (reparse points), NTFS opportunistic locks (oplocks), Volume Shadow Copy Service (VSS), and the Windows Error Reporting (WER) QueueReporting scheduled task in a specific sequence that produces a result none of those components were individually designed to permit.
The vulnerability is in the gap between when Defender creates a quarantine artifact and when it validates where that artifact actually landed. That gap, which exists by design in Defender's quarantine workflow, is the entire attack surface.
The researcher's own description from their Blogger post captures the scope of effort: the original version was built as remote code execution targeting Defender's handling of files on SMB shares. A mid-May 2026 Defender engine update broke that approach along with many junction-based techniques used in prior exploits. The researcher spent the following three weeks rebuilding the exploit as a local privilege escalation race condition. The result is RoguePlanet.
4. Why Defender's Quarantine Pipeline Is the Target
Microsoft Defender's quarantine process is, at its core, a SYSTEM-level file operation. When Defender detects a malicious file, it does not simply delete it it moves the file into a protected quarantine store. This operation is performed under SYSTEM privileges because the quarantine store must be protected from tampering by the user.
The vulnerability emerges from a specific design characteristic of this workflow: Defender uses NTFS file paths to create and access the quarantine artifact, and NTFS paths can be transparently redirected by reparse points (junctions and symlinks) without the accessing process being aware of the redirection. Defender creates the quarantine artifact, but the path it used to create that artifact is not the same as where the artifact actually landed because an NTFS junction was switched between those two moments.
The result is a SYSTEM-owned file sitting in attacker-controlled directory space. From there, the exploit has one more task: find a SYSTEM-level process that will execute a file at the path where the injected artifact now lives. The WER QueueReporting scheduled task present on every standard Windows installation, running as SYSTEM, and triggerable by an unprivileged user through the Task Scheduler COM interface is that process.
The entire chain uses no vulnerabilities in the traditional sense of the word. Every individual operation is a documented, supported Windows feature working exactly as designed. The vulnerability is a sequencing problem a combination of features that produces an unintended outcome.
5. The Seven-Stage Attack Chain Explained
Here is a step-by-step walkthrough of how RoguePlanet elevates privileges from a standard user to SYSTEM.
Stage 1: Dual-Mode Entry Orchestrator or Payload?
The RoguePlanet binary is self-referential it contains both the unprivileged orchestration logic and the SYSTEM-level payload in a single executable. On startup, it checks its own token. If it is already running as SYSTEM (meaning the exploit has already succeeded), it takes the payload path: it connects to a named pipe it previously created (\\.\pipe\RoguePlanet), identifies the interactive session of the user who launched the original unprivileged process, and spawns conhost.exe inside that session with SYSTEM privileges delivering the elevated shell. If it is not running as SYSTEM, it enters the orchestrator path and begins the exploitation sequence.
Stage 2: I/O Thread Saturation and IPC Setup
Before doing anything to Defender, the exploit initializes its Poseidon I/O subsystem a purpose-built component for making the subsequent race condition reliable. One generator thread continuously produces random data via the system cryptographic RNG. One worker thread per logical CPU core continuously writes that data to UUID-named temporary files in tight loops. These threads are launched but held dormant on an event object until they are needed. Their sole purpose is to create sustained, controllable disk I/O pressure that makes the oplock race windows deterministic rather than probabilistic. The named pipe \\.\pipe\RoguePlanet is created immediately after and kept open for the lifetime of the process.
Stage 3: ISO Extraction, Working Directory, and Filesystem Setup
The exploit extracts an ISO image embedded in its own data section, writes it to a UUID-named temp file, and mounts it as a read-only virtual disk with no drive letter. The ISO is accessed via its raw NT kernel path (\Device\CdRom<N>), bypassing Win32 path restrictions. Inside the ISO is a wermgr.exe carrying the EICAR test signature the standard antivirus test string that triggers Defender's detection and quarantine pipeline without requiring an actual malicious payload.
A working directory named RP_<UUID> is created under %TEMP%. Two subdirectories are created inside it: one named wdtest_temp (the quarantine artifact capture zone) and one named System32 taking its name from the last path component of C:\Windows\System32. This naming is intentional: the scan path passed to Defender will be %TEMP%\RP_<UUID>\System32\wermgr.exe, which is structurally identical to the legitimate path C:\Windows\System32\wermgr.exe. This matters in Stage 7.
Stage 4: EICAR Delivery, VSS Discovery, and Oplock Placement
The EICAR-signed wermgr.exe is written to the System32 subdirectory. An NTFS Alternate Data Stream (ADS) named :WDFOO is also created on this file using low-level NT file APIs. The Poseidon I/O threads are released simultaneously. A separate thread calls directly into MpClient.dll via runtime-resolved exports to trigger a Defender scan of the EICAR file through the Defender RPC interface, with scan flags configured to activate the full remediation pipeline.
Simultaneously, a shadow copy finder thread begins polling the NT object manager directory \Device, watching for Defender to spin up a new Volume Shadow Copy as part of its remediation workflow. When the new HarddiskVolumeShadowCopy* device appears, the exploit constructs the full path to the EICAR file's :WDFOO ADS through that shadow copy volume and places an oplock on it. When Defender's internal processing reaches the point where it opens this file through the shadow copy, the oplock fires, pausing Defender mid-operation with a controlled and guaranteed window to perform the junction swaps that follow.
Stage 5: The Junction Swap Chain Capturing the SYSTEM-Owned Artifact
While Defender is paused on the oplock, the System32 subdirectory is converted into a reparse point junction targeting the mounted ISO. When Defender resumes, it follows the junction and sees the legitimate-looking wermgr.exe on the ISO rather than the EICAR file. Defender's internal state continues forward.
The exploit then watches C:\Windows recursively for Defender creating a temporary file matching the pattern Temp\TMP with exactly sixteen trailing characters the signal that Defender has entered its active quarantine workflow. On that signal, the junction is swapped again to point at wdtest_temp. A second EICAR is written through the junction path, landing inside wdtest_temp. The ISO's wermgr.exe is then byte-range locked, preventing Defender from removing it. Faced with a locked source file, Defender creates a quarantine placeholder instead which lands inside wdtest_temp through the active junction. The exploit captures the path of this placeholder file. The result: a SYSTEM-owned file sitting inside attacker-controlled directory space.
Stage 6: Payload Injection and Path Redirect to C:\Windows
The reparse point is removed from the System32 subdirectory handle, reverting it to a plain directory. The captured quarantine placeholder is opened with full write access and overwritten with the exploit binary read from the current process's own image on disk. The file now contains the exploit binary but retains the SYSTEM-level ownership and metadata that Defender assigned to it.
All working artifacts are then atomically renamed to random UUID paths using NtSetInformationFile with FileRenameInformationEx, preserving open handles while freeing the original paths. The root working directory %TEMP%\RP_<UUID> is converted into a reparse point junction targeting C:\Windows. After this operation, the path %TEMP%\RP_<UUID>\System32\wermgr.exe where the injected exploit binary now lives resolves transparently to C:\Windows\System32\wermgr.exe. Any path-based check will see a legitimate system binary location.
Stage 7: WER Task Execution and SYSTEM Shell Delivery
The Windows Task Scheduler COM interface is used to trigger the QueueReporting scheduled task inside the Windows Error Reporting task folder. This task is present on every standard Windows installation, runs as SYSTEM, and can be triggered programmatically by an unprivileged user through the Task Scheduler COM API. Its execution involves wermgr.exe at the System32 path. Because of the junction chain built in Stage 6, that path now resolves to the exploit binary.
The exploit binary launches as SYSTEM, enters the payload branch at the top of main, connects back to the \\.\pipe\RoguePlanet named pipe, identifies the interactive user's session, and spawns conhost.exe into that session with SYSTEM privileges. The main process unblocks from ConnectNamedPipe, prints success, and releases all COM resources cleanly. The unprivileged user now has a SYSTEM shell.
6. The Poseidon I/O System: Turning a Race Condition Into a Reliable Exploit
Race conditions in exploit development are notoriously hard to productize. A race condition that succeeds 10% of the time in a lab is essentially unusable in production. The researcher's investment in the Poseidon I/O subsystem is specifically designed to solve this problem.
By saturating disk I/O across all logical CPU cores with high-frequency random writes to temporary files, the Poseidon system creates predictable pressure on the Windows I/O scheduler. This pressure makes the timing windows around the oplock and the junction swaps consistent and reproducible in controlled lab conditions. The researcher themselves describes the PoC as "hit or miss" in production, with 100% success on some test machines and failure on others. Hardware configuration differences, variable background load, and scheduler behavior in real enterprise environments reintroduce timing uncertainty that the lab setup was engineered to remove.
This is an important caveat for both attacker and defender modeling: RoguePlanet is not a single-shot reliable LPE in all environments. It may require multiple attempts. But the detection signals from Poseidon I/O activity one generator thread plus per-core worker threads executing high-frequency writes to UUID-named temp files are also distinctive and useful for hunting.
7. Why This Is Not a Typical Privilege Escalation Bug
Most local privilege escalation vulnerabilities fall into recognizable categories: a buffer overflow in a privileged service, an integer overflow in a kernel driver, an unquoted service path, a DLL hijacking opportunity in a privileged process. All of these involve a coding error in some component that can be patched by fixing that component.
RoguePlanet does not fit any of these categories. There is no coding error to point to. Each individual component involved Defender's quarantine pipeline, NTFS junctions, oplocks, VSS, WER's scheduled task, the Task Scheduler COM interface is functioning exactly as it was designed to function. The vulnerability is in the interaction pattern between them: a design-level assumption in the quarantine pipeline that the path used to create an artifact is the same path that artifact occupies when later accessed. NTFS reparse points make that assumption false.
This has a significant implication for patching. A fix cannot target a specific API call or a buffer boundary. It requires a change to how Defender validates path integrity across the quarantine workflow either by using file handles rather than paths for the post-creation operations, by validating junction state before and after artifact creation, or by removing the condition where the WER task's execution path can be influenced by user-space reparse points. All of these are architectural changes, which is why no patch has been released.
8. Current Patch Status and the Defender Signature Limitation
As of June 10, 2026, no patch addressing the root cause of RoguePlanet has been released. No CVE has been assigned. Microsoft has issued a Defender signature update (Exploit:Win32/DfndrRugPlnt.BB) that detects the specific compiled proof-of-concept binary. However, this detection:
- Targets the compiled sample, not the underlying technique
- Is defeated by minor source code modifications and recompilation
- Does not detect the behavioral chain during execution
- Provides no protection against any actor who has adapted the technique from the published PoC
The Cyderes Howler Cell team confirmed that the behavioral chain survives recompilation with minimal source modification and remains undetected by static means. Signature-based detection of the PoC binary, while useful for blocking the exact published sample, is not a substitute for behavioral detection coverage.
An important platform limitation: RoguePlanet does not work on Windows Server editions because standard users on Server SKUs cannot mount ISO images. The exploit depends on ISO mounting to deliver the EICAR trigger without dropping it as a standalone file. However, this does not reduce urgency for Windows 10/11 workstation environments, which constitute the primary target surface for initial access followed by local privilege escalation in most enterprise attack chains.
9. The Attacker's Own Words
On June 9, 2026, the researcher posted to their Blogger site in a PGP-signed message, describing the development of RoguePlanet in terms that are unusual for a vulnerability researcher and worth reading as context for the level of commitment behind this campaign:
"I have worked on this non stop since the start of May... I did not eat, I did not drink water, I even forgot what outside looked like. I slept for 3 hours after 96 hours of non stop continuous work. Getting this PoC to work genuinely drained my soul, it severely degraded my mental and physical health but in the end of May, a full PoC was developed."
The post also includes a statement that contextualizes why account bans and repository takedowns have not slowed the releases:
"Microsoft forgot that even if they banned my GitLab and GitHub accounts, they cannot unwrite my code. Once it's public, you can't remove it."
The researcher also mentions a "batch of memory corruption vulnerabilities in Defender" and "other batches of vulnerabilities in several other components" as future disclosures. Whether this is credible or a bluff, the track record of seven working exploits in ten weeks multiple of which have been confirmed in real-world attack chains makes dismissal unreasonable.
10. MITRE ATT&CK Mapping
| Technique ID | Technique Name | How RoguePlanet Uses It |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | Core exploit: elevates unprivileged user to NT AUTHORITY\SYSTEM without kernel exploit or memory corruption |
| T1574.010 | Hijack Execution Flow: Services File Permissions Weakness | Injects exploit binary into SYSTEM-owned quarantine artifact, later executed by WER scheduled task as SYSTEM |
| T1053.005 | Scheduled Task/Job: Scheduled Task | WER QueueReporting task (SYSTEM) triggered via Task Scheduler COM interface by unprivileged user to execute injected payload |
| T1055 | Process Injection | SYSTEM-level conhost.exe spawned into interactive user session after privilege elevation |
| T1564.004 | Hide Artifacts: NTFS File Attributes | NTFS Alternate Data Stream (:WDFOO) created on EICAR wermgr.exe using low-level NT APIs to bypass Win32 ADS restrictions |
| T1480 | Execution Guardrails | IsRunningAsLocalSystem() check gates payload vs. orchestrator execution path; ISO mounting limitation restricts execution to desktop Windows SKUs |
| T1036.005 | Masquerading: Match Legitimate Name or Location | Working directory named System32; exploit binary injected at path resolving to C:\Windows\System32\wermgr.exe via junction chain |
| T1490 | Inhibit System Recovery | VSS (Volume Shadow Copy) used as an attack primitive Defender's VSS access during remediation is used as the oplock trigger point |
| T1485 | Data Destruction (indirect) | Embedded EICAR and byte-range locking force Defender into quarantine workflow, which is then subverted |
11. Detection and Hunting Guidance for Defenders
Because no patch is available and the signature detection only covers the compiled PoC binary, behavioral detection is the primary defensive control. The following detection signals are ordered from most reliable to most environment-specific.
Tier 1 High Confidence, Low False-Positive Risk
- Named pipe
\\.\pipe\RoguePlanetcreated by a non-SYSTEM process. No legitimate Windows software uses this pipe name. Against the published PoC, this is a near-certain indicator. Any actor adapting the technique will rename the pipe but this signal is valid for the current release. - Filesystem artifact cluster under %TEMP%: Monitor for simultaneous creation of the following three paths by the same process:
%TEMP%\RP_<UUID>\wdtest_temp\%TEMP%\RP_<UUID>\System32\%TEMP%\RP_<UUID>\System32\wermgr.exe
- wermgr.exe written to or executed from any path outside of
C:\Windows\System32\orC:\Windows\SysWOW64\. Legitimate wermgr.exe lives in System32. Any execution or write of wermgr.exe from an unusual path especially from under %TEMP% is highly suspicious. - conhost.exe spawned from a SYSTEM-integrity parent with no associated cmd.exe or terminal host in the process tree, into an interactive user session. This is the SYSTEM shell delivery event. Conhost.exe is legitimately spawned by terminal processes; a SYSTEM-owned conhost with no terminal parent in the tree is anomalous.
Tier 2 Medium Confidence, Requires Baseline Tuning
- Poseidon I/O pattern: One generator thread plus per-core worker threads executing high-frequency random writes to UUID-named temporary files under %TEMP% simultaneously. This pattern has no common legitimate equivalent outside of disk benchmarking and storage stress tools. Combined with any of the Tier 1 indicators above, it becomes a high-confidence composite signal.
- VSS enumeration from non-SYSTEM, non-backup processes: NtQueryDirectoryObject calls targeting
HarddiskVolumeShadowCopy*from user-space processes are rare outside of system and backup tooling. Tune this detection against known backup agent process names before operationalizing to reduce false positives. - NTFS junction creation under %TEMP% pointing to system paths: A user-space process creating a reparse point junction under their own temp directory that redirects to
C:\Windowsor system volume paths has very few legitimate use cases.
Tier 3 Situational Awareness
- ISO mounting by non-admin user processes in close temporal proximity to Defender activity: Correlating ISO mount events with Defender scan triggers from the same process lineage narrows the detection surface significantly.
- Task Scheduler COM API calls triggering the WER QueueReporting task from a non-SYSTEM process: The Task Scheduler COM interface is used legitimately by many applications. This signal is useful as a correlating indicator combined with others, not as a standalone alert.
What Not to Rely On
- The
Exploit:Win32/DfndrRugPlnt.BBDefender signature alone it covers the compiled PoC only, not adapted versions - Hash-based detections for the PoC binary
- Blocking the GitHub or Git mirror URLs the code is already widely mirrored
12. IOC Reference
| Indicator | Type | Notes |
|---|---|---|
\\.\pipe\RoguePlanet | Named Pipe | Created by orchestrator; used as IPC success channel between unprivileged and SYSTEM instances |
%TEMP%\RP_<UUID>\ | File Path Pattern | Working directory root; UUID-named, contains wdtest_temp and System32 subdirectories |
%TEMP%\RP_<UUID>\System32\wermgr.exe | File Path | EICAR-bearing wermgr.exe dropped here; later becomes the injected exploit binary post-junction chain |
wermgr.exe:WDFOO | NTFS ADS | Alternate Data Stream created on EICAR file using low-level NT APIs |
Exploit:Win32/DfndrRugPlnt.BB | Defender Signature | Detects compiled PoC binary only; does not detect behavioral chain or recompiled variants |
hxxps[://]github[.]com/MSNightmare/RoguePlanet | PoC URL | Defanged. Original GitHub PoC repository. |
hxxps[://]git.projectnightcrawler[.]dev/NightmareEclipse | Mirror URL | Defanged. Self-hosted Git mirror maintained by researcher. |
hxxps[://]deadeclipse666.blogspot[.]com/ | Attacker Blog | Defanged. PGP-signed posts track new releases and researcher communications. |
13. The Bigger Picture: A Sustained Campaign Against Windows Security
RoguePlanet should not be evaluated in isolation. Viewed across the full ten-week release cycle, this is not a vulnerability researcher making occasional disclosures it is a systematic campaign against a single attack surface, executed at a pace and technical depth that has no recent parallel in public Windows exploit research.
Several observations are worth holding together:
The architectural consistency is deliberate. All seven tools target the intersection of Microsoft Defender, NTFS reparse point behavior, scheduled task infrastructure, and Windows security component internals. This is not breadth it is depth. The researcher has mapped a family of related design assumptions in this specific attack surface and is methodically exploiting each one.
Each patch enables the next exploit. The April 2026 Patch Tuesday fix for BlueHammer did not end the campaign it informed the next release. The mid-May Defender engine update that broke RoguePlanet's original remote code execution path was met with three weeks of continuous work to rebuild the exploit on a different primitive. The researcher is adapting to Microsoft's defensive responses in near-real-time.
The move to full public release changes the threat model. Responsible disclosure would have kept these exploits from public attackers for 90 days or more. Full immediate public release means every actor commodity ransomware, nation-state, and everything in between has access to working LPE code the moment it is published. The confirmation that BlueHammer, RedSun, and UnDefend appeared in real-world attack chains within weeks of their release shows this is not a hypothetical concern.
The stated pipeline of future disclosures deserves serious attention. A researcher who has delivered seven working exploits in ten weeks, and who explicitly describes holding additional batches targeting memory corruption and other Windows components, has earned the benefit of the doubt on the credibility of future release threats regardless of the unusual circumstances surrounding their motivation.
Until a patch addressing the root cause is available, behavioral detection against the TTPs described above is the primary and only reliable defensive control against RoguePlanet.
14. References
- Primary Technical Analysis: Reegun Jayapaul and Rahul Ramesh, Cyderes Howler Cell Threat Research Team "RoguePlanet: Windows Zero-Day That Weaponizes Defender's Own Quarantine Pipeline," June 10, 2026. https://www.cyderes.com/howler-cell/rogueplanet-windows-zero-day
- Researcher Disclosure Post: Nightmare Eclipse (MSNightmare / Dead Eclipse) "It's Patch Tuesday !!!", Blogger, June 9, 2026. https://deadeclipse666.blogspot.com/2026/06/its-patch-tuesday.html
- Cyderes Howler Cell BlueHammer (CVE-2026-33825) Analysis: https://www.cyderes.com/howler-cell/windows-zero-day-bluehammer
- Cyderes Howler Cell RedSun (CVE-2026-41091) Analysis: https://www.cyderes.com/howler-cell/redsun-zero-day
Tags: Windows Zero-Day, Privilege Escalation, Microsoft Defender, LPE, NTFS Junctions, Oplocks, Volume Shadow Copy, WER Scheduled Task, Nightmare-Eclipse, MSNightmare, RoguePlanet, MITRE ATT&CK, CVE, Patch Tuesday, Windows 11, Vulnerability Research, Zero-Day Exploit, Defender Quarantine, Threat Intelligence
