Cybersecurity companies say hackers have breached at least one organization by exploiting a Windows vulnerability posted online by a disgruntled security researcher in the past two weeks.
On Friday, cybersecurity firm Huntress said in a series of posts on X that its researchers had witnessed hackers exploiting three Windows security flaws called BlueHammer, UnDefend, and RedSun.
It is unclear who the target of the attack was or who the attacker is.
Of the three, BlueHammer is the only vulnerability Microsoft has patched so far; the fix was rolled out earlier this week.
The attackers appear to be exploiting the bugs using proof-of-concept exploit code that the researcher posted online.
Earlier this month, a researcher going by Chaotic Eclipse published what they claimed was code exploiting an unpatched vulnerability in Windows. The researcher hinted at some kind of conflict with Microsoft as the motive for releasing the code.
“I'm not bluffing Microsoft. They're doing it again,” they wrote. They added, “We are extremely grateful to MSRC's leadership for making this possible,” referring to Microsoft's Security Response Center, the company's team that investigates cyberattacks and processes vulnerability reports.
A few days later, Chaotic Eclipse published UnDefend, followed by RedSun earlier this week. The researcher has published code exploiting all three vulnerabilities on a GitHub page.
All three vulnerabilities affect Microsoft Defender, the antivirus built into Windows, and allow an attacker who already has a foothold on a machine to gain elevated or administrative privileges on affected Windows computers.
TechCrunch was unable to reach Chaotic Eclipse for comment.
In response to a series of specific questions, Ben Hope, Microsoft's communications director, said in a statement that the company supports “coordinated vulnerability disclosure, a widely adopted industry practice to ensure that issues are carefully investigated and addressed before public disclosure,” and that it supports both customer protection and the security research community.
This is a case of what the cybersecurity industry calls “full disclosure,” as opposed to the coordinated process Microsoft describes. Under coordinated disclosure, researchers who find a flaw report it privately to the affected software maker so it can fix it. The company typically acknowledges receipt and, if the vulnerability is legitimate, works on a patch. Companies and researchers often agree on a schedule that defines when the researchers can publicly describe their findings.
Sometimes that communication breaks down, for any number of reasons, and researchers publish details of the bug on their own. Some go a step further and publish “proof-of-concept” code that exploits the bug, in order to prove the flaw exists or to demonstrate its severity.
Cybercriminals, government hackers, and others can then pick up that code and use it in attacks, leaving defenders scrambling to deal with the aftermath before a patch is available.
“These are so easily available now and already so easily weaponized that they can be easily used, so I think we're going to end up with another tug-of-war between advocates and cybercriminals, for better or worse,” John Hammond, one of the Huntress researchers tracking the case, told TechCrunch.
“This kind of scenario puts us in competition with our adversaries, and defenders are desperately trying to defend against malicious actors who are rapidly leveraging these exploits, especially now that they are little more than off-the-shelf attack tools,” Hammond said.

