| Date | Event |
|---|---|
| April 14 | Microsoft's Patch Tuesday releases fix for BlueHammer as CVE-2026-33825 (CVSS 7.8) |
| April 16 | RedSun (LPE via Defender's cloud file rollback) and UnDefend (disables Defender signature updates) disclosed; Huntress confirms all three Defender exploits under active attack |
| April ~17 | CISA adds CVE-2026-41091 (RedSun) and CVE-2026-45498 (UnDefend) to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal patching by June 3 |
| May 12 | YellowKey (BitLocker bypass via WinRE) and GreenPlasma (CTFMON SYSTEM elevation) released, one day after May Patch Tuesday |
| May 17 | MiniPlasma released: SYSTEM-level LPE on fully patched Windows 11 |
| May 19 | ThreatLocker confirms MiniPlasma works on fully patched systems |
| May 21 | Microsoft releases out-of-band patches for RedSun and UnDefend |
| ~May 23 | GitHub terminates the Nightmare-Eclipse account |
| ~May 26–27 | GitLab terminates associated accounts |
| May 27 | Microsoft publishes "A shared responsibility" blog post condemning the disclosures and warning of potential legal action from its Digital Crimes Unit |
| July 14 (threatened) | Researcher warns of a further mass release of exploits on this date |
Three of the six vulnerabilities were patched by late May 2026. Three remained unresolved, with MiniPlasma posing the most direct operational risk.
MiniPlasma is especially dangerous because it lets a standard user gain SYSTEM-level privileges on a system with all current May 2026 updates applied. It exploits the same cldflt.sys Cloud Files driver that BlueHammer targeted, re-triggering a vulnerability first addressed in 2020 that the researcher claims Microsoft never fully patched.
The researcher explicitly described the disclosures as retaliation for mistreatment by MSRC. Public statements and reporting indicate that prior private submissions were dismissed, slow, or met with demands that the researcher found excessive, reportedly including a request for a video demonstration of the exploit. A recurring claim attributed to the researcher states that MSRC threatened to "ruin my life and they did".
The timing of the later releases, posted the day after Patch Tuesday, was transparently designed to maximize exposure and pressure. YellowKey and GreenPlasma dropped on May 12, immediately after Microsoft's May cycle, and MiniPlasma followed on May 17.
On May 27, Microsoft published a blog post titled "A shared responsibility: Protecting customers through coordinated vulnerability disclosure". The post:
Microsoft's language escalated the conflict, but it did not resolve the core problem: three zero-days remained unpatched. The platforms hosting the code took enforcement action by terminating the researcher's accounts, GitHub around May 23 and GitLab a few days later.
By mid-April, all three initial Defender exploits were under active exploitation. Huntress and Barracuda identified threat actors pulling PoC code directly from public GitHub repositories and using infrastructure linked to Russian geolocations.
CISA reacted quickly. BlueHammer was added to the KEV catalog on April 22 with a May 6 patching deadline for federal agencies. RedSun and UnDefend followed later, with a June 3 deadline. The additions reflect deep concern: when security tools themselves become the attack vector, traditional defense models fracture.
The cybersecurity community responded with a split verdict.
Criticism of the researcher came from Barracuda, ThreatLocker, and LevelBlue, which characterized the campaign as dangerous and counterproductive. Publicly dropping weaponized exploits put enterprise users at immediate risk when no patch existed.
Criticism of Microsoft was equally sharp. Many researchers noted that the entire saga could have been avoided with a more respectful and responsive MSRC process. The disclosures revived long-standing grievances: slow triage, opaque communication, and an adversarial posture toward finders who do not fit the corporate bounty mold.
One striking dynamic: Microsoft threatened legal action while three exploits remained unpatched, a move that commentators called performative and misprioritized.
The researcher has gone quiet but not silent. After losing platform access, they moved to a personal blog and explicitly threatened another mass release on July 14, the next Patch Tuesday. Whether that threat is credible remains unknown, but the pattern is established.
For security teams, the immediate priority is clear: apply the out-of-band Defender patches, implement the YellowKey mitigations (removing the autofstx.exe BootExecute value and enabling TPM+PIN for BitLocker), and treat MiniPlasma as a live threat with no official remediation. Monitor for additional PoC releases timed against future Patch Tuesdays, and prepare compensating controls for the Defender components that attackers now systematically target.
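As an added example (not from the article, the researcher, or Microsoft), the following PowerShell audits the two YellowKey mitigations named above on a single host. It assumes the rogue entry appears as a line referencing autofstx.exe inside the REG_MULTI_SZ BootExecute value (the article names the value but not its exact text); the function and variable names are mine, and the repair function is opt-in.

```powershell
#Requires -RunAsAdministrator
# Added example: audit of the YellowKey mitigations (BootExecute entry, TPM+PIN).
# Assumption: the rogue entry is a BootExecute line that references autofstx.exe.
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Test-YellowKeyBootExecute {
    # A clean system normally carries only 'autocheck autochk *' in BootExecute.
    $entries = @((Get-ItemProperty -Path $SessionManager -Name BootExecute).BootExecute)
    $suspect = @($entries | Where-Object { $_ -match 'autofstx' })
    [pscustomobject]@{
        Check  = 'BootExecute'
        Status = if ($suspect.Count) { 'SUSPECT' } else { 'OK' }
        Detail = ($entries -join ' | ')
    }
}

function Repair-YellowKeyBootExecute {
    # Drops only the autofstx lines and writes the value back as REG_MULTI_SZ,
    # leaving the legitimate autochk entry in place.
    $entries = @((Get-ItemProperty -Path $SessionManager -Name BootExecute).BootExecute)
    $clean   = @($entries | Where-Object { $_ -notmatch 'autofstx' })
    if ($clean.Count -lt $entries.Count) {
        Set-ItemProperty -Path $SessionManager -Name BootExecute -Value $clean -Type MultiString
    }
}

function Test-BitLockerTpmPin {
    # A TPM-only protector unlocks the OS volume with no user factor before boot;
    # the mitigation is a TpmPin protector. Requires the BitLocker module.
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        [pscustomobject]@{
            Check  = "BitLocker $($vol.MountPoint)"
            Status = if ($types -contains 'TpmPin') { 'OK' } else { 'SUSPECT' }
            Detail = "Protection=$($vol.ProtectionStatus); Protectors=$($types -join ',')"
        }
    }
}

# To add TPM+PIN on C: (the 'Require additional authentication at startup'
# policy may first need to permit a startup PIN):
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host 'PIN' -AsSecureString)

@(Test-YellowKeyBootExecute) + @(Test-BitLockerTpmPin) | Format-Table -AutoSize
```

Run the audit first; call Repair-YellowKeyBootExecute only after confirming the flagged line is the one described in the advisory, and roll the same checks out fleet-wide through your endpoint management tooling.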
The Nightmare-Eclipse episode is not just about six vulnerabilities. It is a stress test for the relationship between platform vendors and the researchers they depend on. When that relationship breaks, the consequences are public, exploitable, and severe.