Hackers broke into at least one organization using Windows vulnerabilities posted online by a disgruntled security researcher in the past two weeks, according to a cybersecurity firm.
On Friday, cybersecurity firm Huntress said a series of posts on X that its researchers have seen hackers exploiting three Windows security flaws, called BlueHammer, UnDefend and RedSun.
It is unclear what the target of this attack is and who the hackers are.
BlueHammer is the only bug among the three exploitable vulnerabilities Microsoft has patched up to here. A patch for BlueHammer was released earlier this week.
It appears that hackers are exploiting the bugs using exploit code that the security researcher posted online.
Earlier this month, a researcher going to Chaotic Eclipse published on their blog what they said was code to exploit an unpatched vulnerability in Windows. The researcher cited some conflict with Microsoft as the motivation behind releasing the code.
“I didn’t bluff Microsoft and I’m doing it again,” they say he wrote. “Many thanks to the MSRC leadership for making this possible,” they added, referring to Microsoft’s Security Response Center, the company’s team that investigates cyberattacks and handles vulnerability reports.
Techcrunch event
San Francisco, California
|
13-15 October 2026
Days later, Chaotic Eclipse published UnDefend and then earlier this week published RedSun. The researcher published code to exploit all three of its vulnerabilities GitHub page.
All three vulnerabilities affect Microsoft’s Windows Defender antivirus, allowing a hacker to gain high-level or administrator access to an affected Windows computer.
TechCunch was unable to reach Chaotic Eclipse for comment.
In response to a series of specific questions, Microsoft communications director Ben Hope said in a statement that the company supports “coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community.”
This is a case of what the cybersecurity industry calls “full disclosure.” When researchers find a flaw, they can report it to the affected software manufacturer to help them fix it. At that point, the company usually acknowledges receipt, and if the vulnerability is legitimate, the company works to patch it. Often, the company and the researchers agree on a timeline that determines when the researcher can publicly explain their findings.
Sometimes, for various reasons, this communication breaks down and researchers publicly disclose details of the bug. In some cases, in part to demonstrate the existence or severity of a flaw, researchers go a step further and publish “proof of concept” code capable of exploiting that flaw.
When that happens, cybercriminals, government hackers and others can then take the code and use it for their own attacks, prompting cybersecurity defenders to rush to deal with the consequences.
“Because these are so readily available now and they’re already weaponized for easy use, for better or worse, I think that ultimately puts us in another tug-of-war between defenders and cybercriminals,” John Hammond, one of the researchers at Huntress who was following the case, told TechCrunch.
“Scenarios like these force us to compete with our adversaries; defenders are frantically trying to protect against malicious actors who are quick to exploit these exploits … especially now that they are just ready-made attack tools,” Hammond said.
