ctipilot.ch

Nightmare Eclipse

actor · actor:nightmare-eclipse single-source

Pseudonymous vulnerability researcher/broker persona (tracked under both names) publicly dropping Windows zero-day proof-of-concepts through 2026 — the series includes BlueHammer, RedSun, UnDefend, YellowKey (BitLocker, later CVE-2026-45585), GreenPlasma (CTFMON LPE), MiniPlasma (cldflt.sys), GreatXML (BitLocker/WinRE) and RoguePlanet (Defender TOCTOU) — and threatening further releases after Microsoft's Digital Crimes Unit threatened criminal action.

Aliases: Chaotic Eclipse

Coverage timeline
14
first 2026-05-15 → last 2026-06-22
Peak priority
high
5 high · 9 notable
Sources cited
34
22 hosts
Sections touched
6
active-threats, trending-vulnerabilities, updates
Co-occurring entities
8
see Related entities below
2026-05-1514 appearances2026-06-22

Story timeline

  1. 2026-06-22Chaotic Eclipse / Nightmare Eclipse zero-day wave — RoguePlanet (CVE-2026-50656) still unpatched, PoC works on June builds
    weekly-long-running
  2. 2026-06-19Nightmare/Chaotic Eclipse zero-day wave — the Defender LPE now carries a CVE, a public PoC, and Microsoft's "Exploitation More Likely" rating, with no patch
    trending-vulnerabilities
  3. 2026-06-14Looking ahead — 2026-W24
    weekly-looking-ahead
  4. 2026-06-14Chaotic Eclipse / Nightmare Eclipse Windows zero-day wave — three long-tracked bugs patched, a fourth still open
    weekly-multi-day
  5. 2026-06-12"GreatXML": unpatched BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested
    active-threats
  6. 2026-06-11"RoguePlanet" Microsoft Defender zero-day: TOCTOU race in the scan engine yields a SYSTEM shell, no CVE, no patch
    active-threats
  7. 2026-06-01Looking ahead — 2026-W23
    weekly-looking-ahead
  8. 2026-05-30Nightmare Eclipse / Chaotic Eclipse — Microsoft's Digital Crimes Unit threatens criminal action; GreenPlasma and MiniPlasma (cldflt.sys SYSTEM escalation) remain unpatched; researcher announces July 14 drop
    trending-vulnerabilitiesNightmare Eclipse / Chaotic Eclipse — Microsoft's Digital Crimes Unit threatens criminal action; GreenPlasma and MiniPlasma (cldflt.sys SYSTEM escalation)
  9. 2026-05-25Looking ahead — 2026-W22
    weekly-looking-ahead
  10. 2026-05-25Chaotic Eclipse / Nightmare Eclipse — MiniPlasma confirmed SYSTEM on a fully-patched Windows 11; sixth zero-day in six weeks
    weekly-long-running
  11. 2026-05-20CVE-2026-45585 (YellowKey) — Microsoft formally assigns CVE and publishes WinRE mitigation
    updates
  12. 2026-05-19Chaotic Eclipse Windows zero-days — MiniPlasma is third PoC in series; cldflt.sys CfAbortHydration path, claimed re-exploitable CVE-2020-17103 regression
    trending-vulnerabilities
  13. 2026-05-18Windows "Chaotic Eclipse" zero-day proliferation — YellowKey, GreenPlasma, MiniPlasma
    weekly-multi-day
  14. 2026-05-15Windows BitLocker "YellowKey" and CTFMON "GreenPlasma" zero-days: public PoC, no patch, TPM-only BitLocker bypassed
    active-threats

Where this entity is cited

  • active-threats3
  • trending-vulnerabilities3
  • weekly-looking-ahead3
  • weekly-multi-day2
  • weekly-long-running2
  • updates1

Source distribution

  • bleepingcomputer.com5 (15%)
  • msrc.microsoft.com3 (9%)
  • helpnetsecurity.com2 (6%)
  • security-hub.ncsc.admin.ch2 (6%)
  • securityweek.com2 (6%)
  • tenable.com2 (6%)
  • thehackernews.com2 (6%)
  • theregister.com2 (6%)
  • other14 (41%)

Related entities

All cited sources (34)

Entries about Nightmare Eclipse (14)

2026-06-22 · view entry permalink →

Chaotic Eclipse / Nightmare Eclipse zero-day wave — RoguePlanet (CVE-2026-50656) still unpatched, PoC works on June builds

key: item:nightmare-chaotic-eclipse-zero-day-wave-the-defender-lpe-now. The serialised Windows zero-day campaign the W24 weekly consolidated has a worsening status. As of 2026-06-21, CVE-2026-50656 (RoguePlanet) remains unpatched. The exploit abuses a Time-of-Check-to-Time-of-Use race in Microsoft Defender's file-processing workflow (CWE-59): Defender checks a file path under SYSTEM, then reopens it, and the exploit swaps the file in the gap to get SYSTEM-level execution (Help Net Security, 2026-06-17; MSRC; daily 06-19). The PoC is validated against fully-patched Windows 10 and 11 including the June 2026 Patch Tuesday build, Real-Time Protection status is irrelevant, and the researcher states small PoC changes defeat mitigations — "the only thing you can realistically do is wait for a patch." Microsoft confirms a fix is in development with no timeline. This is post-initial-access privilege escalation (local auth required), so it compounds rather than initiates a breach; until a patch ships, the realistic controls are application allowlisting to constrain post-exploitation and hunting for MsMpEng.exe spawning unexpected children or temp-directory symlink manipulation timed to scans. Outstanding question to watch: whether Microsoft ships an out-of-band fix or holds it to July Patch Tuesday.

synthesis22 Jun 00:15Zmulti-sourceOpen finding ↗

2026-06-19 · view entry permalink →

Nightmare/Chaotic Eclipse zero-day wave — the Defender LPE now carries a CVE, a public PoC, and Microsoft's "Exploitation More Likely" rating, with no patch

UPDATE (originally covered in the 2026-W24 weekly summary): The serialised Windows zero-day campaign tracked as Nightmare/Chaotic Eclipse has a new, formally-identified entry: RoguePlanet, the local elevation-of-privilege flaw in the Microsoft Malware Protection Engine (mpengine.dll, used by Defender on all supported Windows 10/11), is now assigned CVE-2026-50656, acknowledged by Microsoft, and rated Exploitation More Likely on the MSRC Exploitability Index (Microsoft MSRC, 2026-06-16; Help Net Security, 2026-06-17).

The exploit abuses a TOCTOU race: during a scan Defender resolves a file path and later reopens it for analysis, and the PoC swaps in a malicious file in that window to obtain a SYSTEM shell. It requires only local low-privilege access, needs no user interaction, and the researcher states it functions regardless of whether real-time protection is enabled — though the race makes it non-deterministic ("hit or miss") (The Hacker News, 2026-06-17). As of 2026-06-18 Microsoft states a fix is in development with no timeline; the public PoC is the in-window delta.

vulnerability19 Jun 05:21Zmulti-sourceOpen finding ↗

2026-06-14 · view entry permalink →

NOTABLE

Looking ahead — 2026-W24

A focused, justified list — items already in motion, not predictions.

  • G7 Évian summit, 15–17 June — pre-stage DDoS mitigations now. NCSC-CH's advisory explicitly names Swiss organisations as the hacktivist-DDoS target pool for the summit window (Évian sits on the Swiss border), consistent with the NoName057(16) pattern around past Swiss-adjacent summits. Confirm upstream scrubbing burst capacity, test CDN/anycast failover, and pre-position out-of-band NOC comms before Monday. MITRE ATT&CK T1498/T1499. (NCSC-CH G7 advisory)
  • GreatXML and RoguePlanet remain unpatched — watch MSRC for an out-of-band response. Two Chaotic Eclipse disclosures (GreatXML BitLocker bypass, RoguePlanet Defender SYSTEM EoP) have public PoCs and no fix after June Patch Tuesday closed three siblings; the researcher's cadence suggests more. Retain BitLocker PIN/TPM policy and monitor MSRC. (SecurityWeek — GreatXML; BleepingComputer — RoguePlanet; daily 06-12)
  • CRA 11 September reporting-platform milestone is now ~90 days out. ENISA's SBOM survey shows generation outpacing consumption; the window to build SBOM-ingestion into your vulnerability-management workflow before the reporting obligation begins is closing. (ENISA SBOM)
  • npm v12 will disable install scripts by default — audit CI/CD before July. GitHub's announced breaking change (preinstall/install/postinstall off by default, npm approve-builds required) is the single most effective structural mitigation against the Shai-Hulud/Atomic Arch install-time-execution kill chain, but it will break pipelines that rely on build scripts. Inventory affected pipelines now. (GitHub changelog; daily 06-12)
  • Acer Wave-7 mesh-router maximum-severity zero-days (CVE-2026-49200/-49201) still await a fix targeted for end-June. Cleartext-credential logging plus a hardcoded backup key, CVSS 10.0, no patch yet — track the firmware release and treat exposed Wave-7 management as compromised in the interim. (BleepingComputer; daily 06-08)
  • EDPB Article 33 harmonised-template consultation closes 5 August. Breach-response process owners with multi-jurisdiction obligations have a window to review and comment. (EDPB)
outlook14 Jun 23:57Zmulti-sourceOpen finding ↗

Earlier coverage (11)

2026-06-14HIGHChaotic Eclipse / Nightmare Eclipse Windows zero-day wave — three long-tracked bugs patched, a fourth still openJune Patch Tuesday was the largest ever (198 CVEs) and finally closed the long-tracked Chaotic Eclipse zero-days (YellowKey, GreenPlasma, MiniPlasma) — but a fourth, GreatXML, remains unpatched, and an HTTP.sys pre-auth RCE (CVE-2026-47291, CVSS 9.8) headlines the release. (daily 06-10, daily 06-12, BleepingComputer)2026-06-12HIGH"GreatXML": unpatched BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested"GreatXML": unpatched BitLocker bypass with public PoC — crafted XML files on the recovery partition yield a SYSTEM shell in WinRE; severity is contested (an initial Defender offline scan, which requires admin, must have run once) (SecurityWeek, 2026-06-11).2026-06-11HIGH"RoguePlanet" Microsoft Defender zero-day: TOCTOU race in the scan engine yields a SYSTEM shell, no CVE, no patchA new Microsoft Defender SYSTEM-LPE zero-day, "RoguePlanet," dropped as a public PoC hours after June Patch Tuesday — a TOCTOU race in the Defender scan engine, no CVE and no patch (BleepingComputer, 2026-06-09). No in-the-wild use reported yet; monitoring is the only mitigation.2026-06-01NOTABLELooking ahead — 2026-W23June 10 — Patch Tuesday: Chaotic Eclipse patches expected; researcher promises a "big surprise" the same day. YellowKey (CVE-2026-45585, BitLocker bypass via WinRE autofstx.exe), GreenPlasma (CTFMON SYSTEM escalation), and MiniPlasma (CVE-2020-17103, cldflt.sys Cloud Filter LPE) remain unpatched as of 7 June.2026-05-30NOTABLENightmare Eclipse / Chaotic Eclipse — Microsoft's Digital Crimes Unit threatens criminal action; GreenPlasma and MiniPlasma (cldflt.sys SYSTEM escalation) remain unpatched; researcher announces July 14 dropUPDATE (originally covered 2026-W21): Microsoft's Digital Crimes Unit issued a formal public statement on 28–29 May 2026 calling uncoordinated zero-day releases "never justifiable" and warning its DCU would "continue bringing cases against these actors and those that enable their criminal activity" (The Record …2026-05-25NOTABLELooking ahead — 2026-W22Windows "Chaotic Eclipse" zero-day cluster — June 2026 Patch Tuesday (~2026-06-10) is the expected first fix, with a researcher drop announced for July 14.2026-05-25NOTABLEChaotic Eclipse / Nightmare Eclipse — MiniPlasma confirmed SYSTEM on a fully-patched Windows 11; sixth zero-day in six weeksThe Windows zero-day cluster carried a material technical update beyond the 2026-05-30 daily. MiniPlasma — the sixth zero-day the "Chaotic Eclipse" researcher has dropped in six weeks — is a local privilege escalation in the Windows Cloud Filter driver (cldflt.sys) that reuses CVE-2020-17103, the researcher …2026-05-20NOTABLEupdateCVE-2026-45585 (YellowKey) — Microsoft formally assigns CVE and publishes WinRE mitigationUPDATE (originally covered 2026-05-15): Microsoft formally assigned CVE-2026-45585 to the BitLocker / WinRE bypass disclosed by "Nightmare Eclipse" on 2026-05-12 and confirmed there is still no security update.2026-05-19NOTABLEChaotic Eclipse Windows zero-days — MiniPlasma is third PoC in series; cldflt.sys CfAbortHydration path, claimed re-exploitable CVE-2020-17103 regressionUPDATE (originally covered 2026-05-15): Researcher "Chaotic Eclipse" / "Nightmare Eclipse" released a third unpatched Windows LPE PoC on 2026-05-17 — MiniPlasma — extending the YellowKey and GreenPlasma series covered in the 2026-05-15 daily (BleepingComputer, 2026-05-17; The Hacker News, 2026-05-18).2026-05-18NOTABLEWindows "Chaotic Eclipse" zero-day proliferation — YellowKey, GreenPlasma, MiniPlasmaThe researcher cluster "Chaotic Eclipse" / "Nightmare Eclipse" continued releasing unpatched Windows LPE/bypass PoCs across the window. On 2026-05-19 a third PoC — MiniPlasma — landed, targeting the cldflt.sys CfAbortHydration path and claiming a re-exploitable regression of the 2020-era CVE-2020-17103.2026-05-15HIGHWindows BitLocker "YellowKey" and CTFMON "GreenPlasma" zero-days: public PoC, no patch, TPM-only BitLocker bypassedWindows BitLocker "YellowKey" zero-day (no CVE) bypasses TPM-only disk encryption via WinRE NTFS transaction replay; working PoC is public; no patch available; add BitLocker pre-boot PIN to close the current PoC (BleepingComputer, 2026-05-13).