ctipilot.ch

Nightmare Eclipse

campaign · campaign:nightmare-eclipse-microsoft-dcu-threat-greenplasma-miniplasmaaac single-source

Nightmare Eclipse: Microsoft DCU threat, GreenPlasma/MiniPlasma unpatched, July 14 deadline

Coverage timeline
10
first 2026-05-15 → last 2026-06-22
Entries
10
10 distinct days
Sources cited
20
12 hosts
Sections touched
5
active-threats, trending-vulnerabilities, updates
Co-occurring entities
6
see Related entities below
2026-05-15 · 10 appearances · 2026-06-22

Story timeline

  1. 2026-06-22 · weekly-long-running · Chaotic Eclipse / Nightmare Eclipse zero-day wave — RoguePlanet (CVE-2026-50656) still unpatched, PoC works on June builds
  2. 2026-06-14 · weekly-multi-day · Chaotic Eclipse / Nightmare Eclipse Windows zero-day wave — three long-tracked bugs patched, a fourth still open
  3. 2026-06-12 · active-threats · "GreatXML": unpatched BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested
  4. 2026-06-11 · active-threats · "RoguePlanet" Microsoft Defender zero-day: TOCTOU race in the scan engine yields a SYSTEM shell, no CVE, no patch
  5. 2026-05-30 · trending-vulnerabilities · Nightmare Eclipse / Chaotic Eclipse — Microsoft's Digital Crimes Unit threatens criminal action; GreenPlasma and MiniPlasma (cldflt.sys SYSTEM escalation) remain unpatched; researcher announces July 14 drop
  6. 2026-05-25 · weekly-long-running · Chaotic Eclipse / Nightmare Eclipse — MiniPlasma confirmed SYSTEM on a fully-patched Windows 11; sixth zero-day in six weeks
  7. 2026-05-20 · updates · CVE-2026-45585 (YellowKey) — Microsoft formally assigns CVE and publishes WinRE mitigation
  8. 2026-05-19 · trending-vulnerabilities · Chaotic Eclipse Windows zero-days — MiniPlasma is third PoC in series; cldflt.sys CfAbortHydration path, claimed re-exploitable CVE-2020-17103 regression
  9. 2026-05-18 · weekly-multi-day · Windows "Chaotic Eclipse" zero-day proliferation — YellowKey, GreenPlasma, MiniPlasma
  10. 2026-05-15 · active-threats · Windows BitLocker "YellowKey" and CTFMON "GreenPlasma" zero-days: public PoC, no patch, TPM-only BitLocker bypassed

Where this entity is cited

  • active-threats: 3
  • weekly-multi-day: 2
  • trending-vulnerabilities: 2
  • weekly-long-running: 2
  • updates: 1

Source distribution

  • bleepingcomputer.com: 4 (20%)
  • msrc.microsoft.com: 3 (15%)
  • security-hub.ncsc.admin.ch: 2 (10%)
  • securityweek.com: 2 (10%)
  • theregister.com: 2 (10%)
  • attack.mitre.org: 1 (5%)
  • heise.de: 1 (5%)
  • helpnetsecurity.com: 1 (5%)
  • other: 4 (20%)

Related entities

All cited sources (20)

Entries about Nightmare Eclipse (10)

2026-06-22

Chaotic Eclipse / Nightmare Eclipse zero-day wave — RoguePlanet (CVE-2026-50656) still unpatched, PoC works on June builds

notable synthesis discovered 2026-06-22 00:15 UTC

The serialised Windows zero-day campaign the W24 weekly consolidated has a worsening status. As of 2026-06-21, CVE-2026-50656 (RoguePlanet) remains unpatched. The exploit abuses a time-of-check/time-of-use race in Microsoft Defender's file-processing workflow (CWE-59, link following): Defender checks a file path as SYSTEM, then reopens it, and the exploit swaps the file in the gap to obtain SYSTEM-level execution (Help Net Security, 2026-06-17; MSRC; daily 06-19). The PoC is validated against fully-patched Windows 10 and 11 including the June 2026 Patch Tuesday build, Real-Time Protection status is irrelevant, and the researcher states that small PoC changes defeat mitigations: "the only thing you can realistically do is wait for a patch." Microsoft confirms a fix is in development with no timeline.

This is post-initial-access privilege escalation (local code execution as any user is required), so it compounds rather than initiates a breach. Until a patch ships, the realistic controls are application allowlisting to constrain post-exploitation and hunting for MsMpEng.exe spawning unexpected children or temp-directory symlink manipulation timed to scans. Outstanding question to watch: whether Microsoft ships an out-of-band fix or holds it to the July Patch Tuesday (14 July).

vulnerabilities zero-day lpe poc-public no-patch global CVE-2026-50656

2026-06-14

Chaotic Eclipse / Nightmare Eclipse Windows zero-day wave — three long-tracked bugs patched, a fourth still open

high synthesis discovered 2026-06-14 23:57 UTC

This researcher's serialised zero-day disclosures have run across four weekly cycles, and this week brought both resolution and a fresh open wound. June Patch Tuesday (9 June) finally closed the three bugs the W20–W22 weeklies tracked as "expected fix in June": YellowKey (CVE-2026-45585, BitLocker bypass via the Windows Recovery Environment, physical access required), GreenPlasma (CVE-2026-45586, CTFMON elevation to SYSTEM), and MiniPlasma (a re-opened regression of CVE-2020-17103 in the Cloud Filter driver cldflt.sys), per the patch-day round-ups (BleepingComputer; Tenable).

But the cadence continued the same day. On 9 June the researcher published RoguePlanet, a TOCTOU race in the Microsoft Defender scan engine yielding a SYSTEM shell — hours after the patches landed, with no CVE and no fix (BleepingComputer; daily 06-11). Two days later came GreatXML, a BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested, still unpatched (SecurityWeek; daily 06-12). The trajectory: deploy the June cumulative update to close the three patched bugs, retain BitLocker PIN/TPM policy regardless, and keep monitoring MSRC — the fourth disclosure is the pattern, not the exception.

vulnerabilities zero-day lpe poc-public global

2026-06-12

"GreatXML": unpatched BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested

high threat discovered 2026-06-12 05:00 UTC

The researcher operating as Nightmare Eclipse (also tracked as Chaotic Eclipse) published GreatXML on 11 June: a working proof-of-concept that bypasses BitLocker full-volume encryption and spawns a SYSTEM command prompt inside the Windows Recovery Environment (WinRE), with no CVE assigned and no Microsoft patch available (SecurityWeek, 2026-06-11). The technique places a crafted unattend.xml at the root of the recovery partition plus a second malformed XML under Recovery\, then reboots into WinRE; the Microsoft Defender Offline scan path processes the attacker-controlled XML while the volume is unlocked. Per the researcher, "any Windows machine becomes vulnerable to GreatXML as soon as Defender's offline scanning is initiated", i.e. the bypass arms itself once an offline scan has ever run on the host (SecurityWeek, 2026-06-11). Independent researcher Will Dormann disputes the practical severity, noting that triggering the prerequisite Defender Offline scan requires an existing Windows logon with admin credentials; an attacker in that position could already disable BitLocker outright (The Register, 2026-06-11). NCSC-CH is tracking the disclosure as part of the same researcher's zero-day series (BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, RoguePlanet; RoguePlanet covered 2026-06-11) (NCSC-CH CSH, 2026-06-11). Maps to T1542 (Pre-OS Boot) territory rather than a firmware sub-technique: code execution from the recovery path while the BitLocker-protected volume is mounted.

Why it matters to us: evil-maid and stolen-laptop scenarios against BitLocker-protected fleets get cheaper where an offline scan has previously run. Until a patch lands: audit recovery-partition contents for unexpected unattend.xml/ReAgent.xml modifications, require TPM+PIN pre-boot authentication on high-value mobile assets, and weigh reagentc /disable on machines where recovery capability is dispensable.

vulnerabilities zero-day auth-bypass poc-public no-patch global
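The recovery-partition audit recommended above, written out as a script. This is an added example and is not the ctipilot entry's, SecurityWeek's or the researcher's code. It assumes the recovery partition has already been assigned a drive letter (R:\ below, e.g. with diskpart), that a baseline hash file was produced by an earlier run of the same script on a known-good host of the same build, and that the files worth flagging by name are the ones the GreatXML description gives (unattend.xml at the partition root, any XML under Recovery\ other than ReAgent.xml); the baseline path is an illustrative choice.

```powershell
# Added example, not from the ctipilot entry or the GreatXML author.
# Assumptions: recovery partition mounted at $RecoveryRoot (assign a letter with
# diskpart first); $BaselinePath is written by this script with -WriteBaseline on
# a known-good host of the same build. Run elevated.
param(
    [string]$RecoveryRoot = 'R:\',
    [string]$BaselinePath = "$env:ProgramData\WinRE-xml-baseline.json",
    [switch]$WriteBaseline
)

function Get-RecoveryXmlInventory {
    # Every .xml/.ini on the partition with a SHA-256, path relative to the root.
    param([string]$Root)
    $Root = $Root.TrimEnd('\') + '\'
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in @('.xml', '.ini') } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName.Substring($Root.Length)
                Written = $_.LastWriteTimeUtc
                Sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Test-RecoveryXml {
    # Flags the GreatXML artefacts by name first, then anything that drifted from baseline
    # (ReAgent.xml or winpeshl.ini tampering shows up as a hash mismatch).
    param([object[]]$Inventory, [hashtable]$Baseline)
    $haveBaseline = $Baseline -and ($Baseline.Count -gt 0)
    foreach ($item in $Inventory) {
        $reason = $null
        if ($item.Path -ieq 'unattend.xml') {
            $reason = 'unattend.xml at partition root'
        } elseif ($item.Path -imatch '^Recovery\\.*\.xml$' -and $item.Path -inotmatch '\\ReAgent\.xml$') {
            $reason = 'unexpected XML under Recovery\'
        } elseif ($haveBaseline -and -not $Baseline.ContainsKey($item.Path)) {
            $reason = 'not in baseline'
        } elseif ($haveBaseline -and $Baseline[$item.Path] -ne $item.Sha256) {
            $reason = 'hash differs from baseline'
        }
        if ($reason) {
            [pscustomobject]@{ Path = $item.Path; Reason = $reason; Written = $item.Written; Sha256 = $item.Sha256 }
        }
    }
}

$inventory = @(Get-RecoveryXmlInventory -Root $RecoveryRoot)

if ($WriteBaseline) {
    $inventory | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath ($($inventory.Count) files)"
    return
}

$baseline = @{}
if (Test-Path -LiteralPath $BaselinePath) {
    foreach ($entry in @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) {
        $baseline[$entry.Path] = $entry.Sha256
    }
}

$findings = @(Test-RecoveryXml -Inventory $inventory -Baseline $baseline)
if ($findings.Count -eq 0) {
    Write-Output "Recovery partition $RecoveryRoot: no unexpected XML/INI artefacts"
} else {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled task or RMM job surfaces the finding
}
```

Run it once with -WriteBaseline on a clean reference machine, then without the switch on fleet hosts; the name-based rules fire even when no baseline exists, so the first run already catches a dropped unattend.xml. Hash drift in ReAgent.xml is also what a legitimate WinRE re-staging after a feature update produces, so refresh the baseline after each feature update rather than tuning the rule down.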

2026-06-11

"RoguePlanet" Microsoft Defender zero-day: TOCTOU race in the scan engine yields a SYSTEM shell, no CVE, no patch

high threat discovered 2026-06-11 05:00 UTC

A researcher operating as "Nightmare Eclipse" (also tracked as Chaotic Eclipse) published a working proof-of-concept named RoguePlanet on 9 June 2026, hours after Microsoft patched two of the researcher's earlier disclosures (YellowKey/CVE-2026-45585 and GreenPlasma/CVE-2026-50507) in June Patch Tuesday (BleepingComputer, 2026-06-09). RoguePlanet abuses a time-of-check/time-of-use race condition in the Microsoft Defender real-time scan engine (MsMpEng.exe, running as SYSTEM): an attacker times a file-system operation to coincide with Defender's scan pass and redirects it, achieving local privilege escalation to SYSTEM on fully-patched Windows 10 and 11 (SecurityWeek, 2026-06-10). NCSC-CH GovCERT consolidated this disclosure alongside the researcher's prior 2026 Windows drops (BlueHammer, RedSun, UnDefend, YellowKey and GreenPlasma) (NCSC-CH GovCERT, 2026-06-10). The primitive requires local code execution first (a standard-user foothold is sufficient) and is reliability-limited by the race; no in-the-wild exploitation has been reported and Microsoft has not assigned a CVE or issued an advisory. Technique class: T1068 Exploitation for Privilege Escalation.

Why it matters to us: Microsoft Defender is the default endpoint protection on Windows fleets across Swiss federal and EU public-sector environments, so the affected component is universal. With no patch, detection is the control: alert on MsMpEng.exe spawning cmd.exe, powershell.exe or other script hosts as child processes (Sysmon EID 1 / Windows Security 4688 with the parent image in the Defender platform path) and on SYSTEM-context shells not tied to a service restart.

vulnerabilities zero-day lpe priv-esc poc-public no-patch global

2026-05-30

Nightmare Eclipse / Chaotic Eclipse — Microsoft's Digital Crimes Unit threatens criminal action; GreenPlasma and MiniPlasma (cldflt.sys SYSTEM escalation) remain unpatched; researcher announces July 14 drop

notable vulnerability discovered 2026-05-30 05:00 UTC

UPDATE (originally covered 2026-W21): Microsoft's Digital Crimes Unit issued a formal public statement on 28–29 May 2026 calling uncoordinated zero-day releases "never justifiable" and warning its DCU would "continue bringing cases against these actors and those that enable their criminal activity" (The Record, 2026-05-29). The pseudonymous researcher Nightmare Eclipse / Chaotic Eclipse responded by threatening a new vulnerability release on 14 July 2026 (the July Patch Tuesday).

Of the six Windows vulnerabilities the researcher has released since early April: BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091) are patched and saw confirmed in-the-wild exploitation following PoC publication. YellowKey (CVE-2026-45585 — BitLocker bypass via Windows Recovery Environment, requiring physical access), GreenPlasma (LPE class), and MiniPlasma remain unpatched as of 30 May 2026. MiniPlasma specifically abuses the Windows Cloud Files Mini Filter Driver (cldflt.sys) to achieve a SYSTEM shell from a standard user session on fully-patched Windows 11; the root cause is assessed as an incomplete remediation of CVE-2020-17103 (no CVE yet assigned to MiniPlasma itself).

The July 14 release deadline should be treated as a hard date for resolving any outstanding Windows LPE chain gaps. Defenders on Windows 11 estates should monitor for cldflt.sys-related anomalies and consider AppLocker/WDAC policies blocking unsigned executables from low-privileged user sessions while patches are pending. Next Patch Tuesday: 9 June 2026.

vulnerabilities zero-day lpe no-patch global CVE-2026-45585

2026-05-25

Chaotic Eclipse / Nightmare Eclipse — MiniPlasma confirmed SYSTEM on a fully-patched Windows 11; sixth zero-day in six weeks

notable synthesis discovered 2026-05-25 05:00 UTC

The Windows zero-day cluster carried a material technical update beyond the 2026-05-30 daily. MiniPlasma, the sixth zero-day the "Chaotic Eclipse" researcher has dropped in six weeks, is a local privilege escalation in the Windows Cloud Filter driver (cldflt.sys) that revisits the CVE-2020-17103 code path, the researcher claiming the 2020 patch was incomplete or partially reverted. ThreatLocker independently confirmed MiniPlasma achieves SYSTEM on a fully-patched Windows 11 running the May 2026 cumulative update, i.e. no practical configuration closes it today. Three earlier drops in the series (BlueHammer, RedSun, UnDefend) have been observed in real attacks. Microsoft's DCU has called the uncoordinated releases "never justifiable" but has shipped no out-of-band fix; the 9 June Patch Tuesday is the first fix opportunity. Until then, treat any cldflt.sys-adjacent LPE as live.

vulnerabilities zero-day lpe no-patch poc-public global CVE-2020-17103

2026-05-20

CVE-2026-45585 (YellowKey) — Microsoft formally assigns CVE and publishes WinRE mitigation

UPDATE — originally covered Windows BitLocker "YellowKey" and CTFMON "GreenPlasma" zero-days: public PoC, no patch, TPM-only BitLocker bypassed (2026-05-15)

notable vulnerability discovered 2026-05-20 05:00 UTC single-source

UPDATE (originally covered 2026-05-15): Microsoft formally assigned CVE-2026-45585 to the BitLocker / WinRE bypass disclosed by "Nightmare Eclipse" on 2026-05-12 and confirmed there is still no security update. The MSRC update guide entry, published 2026-05-19, classifies it as CWE-77 (command injection in BitLocker / Windows Recovery Environment), CVSS 6.8 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), with exploit-code maturity rated E:P (proof-of-concept) and remediation level RL:W (workaround only).

Microsoft's interim mitigation requires per-endpoint work on every device using TPM-only BitLocker (no PIN / password protector): mount the WinRE image, remove the autofstx.exe entry from the BootExecute registry value inside the WinRE image, commit the image, then re-establish BitLocker trust for WinRE. The MSRC FAQ states: "A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."

Practically: for fleets at scale (Swiss federal admin, cantonal endpoints, classified Windows devices), the more durable hardening is to add a BitLocker PIN or password protector rather than relying solely on TPM-only. The WinRE registry edit is fragile: Windows feature updates re-stage the WinRE image and silently undo it, so it has to be re-applied after every feature update. The PIN/password protector closes the exposure regardless of WinRE state.

vulnerabilities no-patch poc-public global CVE-2026-45585

2026-05-19

Chaotic Eclipse Windows zero-days — MiniPlasma is third PoC in series; cldflt.sys CfAbortHydration path, claimed re-exploitable CVE-2020-17103 regression

notable vulnerability discovered 2026-05-19 05:00 UTC

UPDATE (originally covered 2026-05-15): Researcher "Chaotic Eclipse" / "Nightmare Eclipse" released a third unpatched Windows LPE PoC on 2026-05-17 — MiniPlasma — extending the YellowKey and GreenPlasma series covered in the 2026-05-15 daily (BleepingComputer, 2026-05-17; The Hacker News, 2026-05-18). The material new technical detail: MiniPlasma targets the cldflt.sys Cloud Filter Mini Filter Driver — specifically the HsmOsBlockPlaceholderAccess routine — and abuses the undocumented CfAbortHydration API to create arbitrary registry keys in the .DEFAULT user hive without proper ACL checks, escalating from standard user to SYSTEM. The flaw was originally reported by Google Project Zero (James Forshaw) in September 2020 and nominally patched in December 2020 as CVE-2020-17103; Chaotic Eclipse asserts the exact same code path remains exploitable on fully-patched Windows 11 with May 2026 cumulative updates applied. Will Dormann independently confirmed the PoC opens a SYSTEM cmd.exe reliably on Windows 11 Pro fully patched. The exploit reportedly fails on the latest Insider Preview Canary builds, suggesting Microsoft has a fix in the pipeline but has not yet released an out-of-band patch. ThreatLocker published two registry-path hunt pivots: \Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps* and \Registry\User\.DEFAULT\Volatile Environment*.

Defender takeaway: the proliferation of unpatched LPEs from one researcher signals an extended period of SYSTEM-shell availability for any attacker that lands user-level execution on Windows endpoints. Sysmon EID 12 (key create) and EID 13 (value set) on the .DEFAULT hive from non-SYSTEM processes are the primary hunt pivot; Sysmon EID 6 driver-load monitoring catches related driver-abuse paths but will not flag cldflt.sys itself, which is an inbox Microsoft-signed filter driver. Hardening: BitLocker PIN mitigates the companion YellowKey BitLocker bypass; disabling Cloud Files / OneDrive integration removes the MiniPlasma attack surface but is not practical in most environments. MITRE T1068 (Exploitation for Privilege Escalation).

“researcher Will Dormann confirmed the exploit works reliably on Windows 11 Pro with the latest May 2026 Patch Tuesday updates” — BleepingComputer

“the flaw impacts the 'cldflt.sys' Cloud Filter driver and its 'HsmOsBlockPlaceholderAccess' routine, which was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020” — The Hacker News

vulnerabilities zero-day lpe poc-public no-patch global CVE-2020-17103
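The hunts the 2026-06-22, 2026-06-11 and 2026-05-19 entries describe, as one PowerShell script: MsMpEng.exe parenting a shell (RoguePlanet) and writes into the .DEFAULT hive or the CloudFiles policy key from a non-SYSTEM process (MiniPlasma, the ThreatLocker pivots). This is an added example and is not part of the ctipilot entries, MSRC's or ThreatLocker's material. It assumes Sysmon is installed with its default channel name and standard EventData fields; the sample events are constructed, not real telemetry, and the Defender platform path pattern and the list of shell images are illustrative choices.

```powershell
# Added example, not from the ctipilot entries, MSRC or ThreatLocker.
# Assumptions: Sysmon default channel; EventData fields Image/ParentImage/
# TargetObject/User as Sysmon emits them (registry paths rendered as HKU\...).
$DefenderImageRx  = '\\(ProgramData\\Microsoft\\Windows Defender\\Platform\\[^\\]+|Program Files\\Windows Defender)\\MsMpEng\.exe$'
$ShellImageRx     = '\\(cmd|powershell|pwsh|wscript|cscript|rundll32|mshta)\.exe$'
$DefaultHiveRx    = '^HKU\\\.DEFAULT\\'
$CloudFilesHiveRx = '^HKU\\[^\\]+\\Software\\Policies\\Microsoft\\CloudFiles\\BlockedApps'

function Test-RoguePlanetChild {
    # RoguePlanet: the SYSTEM-level scan engine should never parent an interactive shell.
    param([pscustomobject]$Event)
    ($Event.EventId -eq 1) -and
    ($Event.ParentImage -imatch $DefenderImageRx) -and
    ($Event.Image -imatch $ShellImageRx)
}

function Test-MiniPlasmaRegistryWrite {
    # MiniPlasma: key creation (EID 12) or value set (EID 13) in .DEFAULT or the
    # CloudFiles policy key by a process that is not running as SYSTEM.
    param([pscustomobject]$Event)
    ($Event.EventId -in @(12, 13)) -and
    ($Event.User -ne 'NT AUTHORITY\SYSTEM') -and
    (($Event.TargetObject -imatch $DefaultHiveRx) -or ($Event.TargetObject -imatch $CloudFilesHiveRx))
}

function Find-EclipseIndicators {
    param([pscustomobject[]]$Events)
    foreach ($e in $Events) {
        if (Test-RoguePlanetChild $e) {
            [pscustomobject]@{ Rule = 'RoguePlanet-DefenderChild'; Time = $e.Time; Detail = "$($e.ParentImage) -> $($e.Image)" }
        } elseif (Test-MiniPlasmaRegistryWrite $e) {
            [pscustomobject]@{ Rule = 'MiniPlasma-DefaultHiveWrite'; Time = $e.Time; Detail = "$($e.User) wrote $($e.TargetObject) via $($e.Image)" }
        }
    }
}

function ConvertFrom-SysmonEvent {
    # Flatten a live Sysmon record (EID 1/12/13) into the shape the rules expect.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $x = [xml]$Record.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        EventId      = $Record.Id
        Time         = $Record.TimeCreated
        Image        = $d['Image']
        ParentImage  = $d['ParentImage']
        TargetObject = $d['TargetObject']
        User         = $d['User']
    }
}

# --- Constructed sample events (not real telemetry) ---------------------------
$samples = @(
    [pscustomobject]@{ EventId = 1;  Time = '2026-06-20T08:01:12Z'; Image = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26050.3-0\MsMpEng.exe'
        TargetObject = $null; User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ EventId = 1;  Time = '2026-06-20T08:01:13Z'; Image = 'C:\Windows\System32\conhost.exe'
        ParentImage = 'C:\Windows\System32\cmd.exe'; TargetObject = $null; User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ EventId = 13; Time = '2026-06-20T08:03:40Z'; Image = 'C:\Users\alice\AppData\Local\Temp\mp.exe'
        ParentImage = $null; TargetObject = 'HKU\.DEFAULT\Volatile Environment\cldflt-x'; User = 'CORP\alice' }
    [pscustomobject]@{ EventId = 13; Time = '2026-06-20T08:03:41Z'; Image = 'C:\Windows\System32\svchost.exe'
        ParentImage = $null; TargetObject = 'HKU\.DEFAULT\Volatile Environment\USERNAME'; User = 'NT AUTHORITY\SYSTEM' }
)

Find-EclipseIndicators -Events $samples | Format-Table -AutoSize

# Live use (last 24 h), e.g. from a scheduled hunt:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 12, 13; StartTime = (Get-Date).AddDays(-1) } |
#         ForEach-Object { ConvertFrom-SysmonEvent $_ }
# Find-EclipseIndicators -Events $live
```

Against the constructed samples the script reports two rows (the first and third events); the conhost.exe child of cmd.exe and the SYSTEM write to Volatile Environment are the benign look-alikes the rules must not fire on. The .DEFAULT rule is deliberately narrow on user context: SYSTEM services legitimately populate that hive at logon, so the signal is a non-SYSTEM writer, not the key path alone.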

2026-05-18

Windows "Chaotic Eclipse" zero-day proliferation — YellowKey, GreenPlasma, MiniPlasma

notable synthesis discovered 2026-05-18 05:00 UTC

The researcher cluster "Chaotic Eclipse" / "Nightmare Eclipse" continued releasing unpatched Windows LPE/bypass PoCs across the window. By 2026-05-19 a third PoC, MiniPlasma (released 2026-05-17), had landed, targeting the cldflt.sys CfAbortHydration path and claiming a re-exploitable regression of the 2020-era CVE-2020-17103. On 2026-05-20 Microsoft formally assigned CVE-2026-45585 to the BitLocker/WinRE bypass (YellowKey) disclosed on 2026-05-12 and published a WinRE mitigation, but confirmed there is still no security update for the cluster; the earliest fix window remains the June 2026 Patch Tuesday. Three public PoCs (YellowKey, GreenPlasma, MiniPlasma) now exist against the Windows-centric desktop estates standard in CH/EU federal and cantonal administrations. Until a patch ships, enforce BitLocker PIN/Network-Unlock GPOs and AppLocker/WDAC rules on ctfmon.exe injection paths, and segregate privileged accounts from the workstation tier.

vulnerabilities lpe priv-esc poc-public no-patch global CVE-2026-45585 CVE-2020-17103

2026-05-15

Windows BitLocker "YellowKey" and CTFMON "GreenPlasma" zero-days: public PoC, no patch, TPM-only BitLocker bypassed

high threat discovered 2026-05-15 05:00 UTC

Researcher "Nightmare Eclipse" published two new unpatched Windows zero-days on 2026-05-12–13 as full-disclosure drops after a disclosure dispute with Microsoft, bringing the total of unpatched Nightmare Eclipse Windows zero-days to four (BleepingComputer, 2026-05-13 · The Register, 2026-05-13 · NCSC-CH Security Hub #12574, 2026-05-14). YellowKey exploits a Windows Recovery Environment (WinRE) bug in NTFS transaction-log (TxF/FsTx) replay: crafted FsTx folder contents placed on a USB drive or the EFI partition are replayed by WinRE during startup, deleting winpeshl.ini (the file that suppresses the recovery shell) and dropping the attacker into a CMD prompt with the BitLocker-protected volume already mounted and readable. The current public PoC defeats TPM-only BitLocker configurations on Windows 11 and Windows Server 2022/2025; the researcher asserts the full bypass also defeats TPM+PIN, but the unpublished variant is unconfirmed. MITRE ATT&CK: T1542 (Pre-OS Boot; the System Firmware sub-technique T1542.001 is a poor fit, WinRE being an OS component rather than firmware), T1006 (Direct Volume Access). GreenPlasma is a local privilege-escalation flaw in the CTFMON (Collaborative Translation Framework) service: an unprivileged user creates arbitrary section objects in SYSTEM-writable directories, which can be leveraged to manipulate privileged services for a SYSTEM token; the public PoC is partial and the exploit chain triggers a UAC prompt in default configurations. MITRE ATT&CK: T1134 (Access Token Manipulation), T1068 (Exploitation for Privilege Escalation). Neither vulnerability has been assigned a CVE nor received a Microsoft patch as of 2026-05-15; Microsoft states it is "actively investigating." A previous drop by the same researcher (BlueHammer, CVE-2026-33825, now patched) was confirmed used in real-world intrusions by Huntress in April 2026, demonstrating that this researcher's PoCs are operationally adopted.

Immediate mitigations: require a BitLocker pre-boot PIN (Group Policy: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup, with the TPM startup PIN set to Allow or Require); set a BIOS/UEFI boot password and disable USB/external-media boot; disable WinRE where operationally viable (reagentc /disable).

vulnerabilities poc-public no-patch lpe global
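The YellowKey hardening options from this entry and from the 2026-05-20 entry (add a TPM+PIN protector; failing that, the MSRC WinRE BootExecute workaround; or disable WinRE) as one PowerShell script, in the order a fleet engineer would prefer them. This is an added example and is not the ctipilot entries' or MSRC's code. It assumes an elevated session on Windows 11, that a recovery password protector is already escrowed (the bare TPM protector is removed before the TPM+PIN one is added), that the BootExecute value in the offline WinRE SYSTEM hive lives under ControlSet001\Control\Session Manager, and that re-enabling WinRE is how BitLocker re-establishes trust in the modified image; the mount directory, the temporary hive name and the FVE policy value codes are assumptions taken from general BitLocker administration, and MSRC's own KB text is authoritative on the exact steps.

```powershell
# Added example, not from the ctipilot entries or MSRC. Order of preference:
# Pin (durable) > WinReWorkaround (MSRC interim, undone by feature updates) >
# DisableWinRe (removes the recovery path entirely).
# Assumptions: elevated on Windows 11; RecoveryPassword protector escrowed;
# BootExecute under ControlSet001\Control\Session Manager in the WinRE hive.
param(
    [ValidateSet('Pin', 'WinReWorkaround', 'DisableWinRe')][string]$Mode = 'Pin',
    [string]$OsDrive  = $env:SystemDrive,
    [string]$MountDir = 'C:\WinREMount'
)

function Get-OsVolumeProtectorState {
    # TpmOnly is exactly the configuration the public YellowKey PoC defeats.
    param([string]$Drive)
    $vol   = Get-BitLockerVolume -MountPoint $Drive
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint  = $Drive
        Protection  = $vol.ProtectionStatus
        Protectors  = $types
        HasRecovery = ($types -contains 'RecoveryPassword')
        TpmOnly     = ($types -contains 'Tpm') -and (@($types | Where-Object { $_ -like 'Tpm?*' }).Count -eq 0)
    }
}

function Test-PinPolicyAllowed {
    # "Require additional authentication at startup" must allow (2) or require (1)
    # a TPM startup PIN, otherwise Add-BitLockerKeyProtector refuses the protector.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    ($fve.UseAdvancedStartup -eq 1) -and ($fve.UseTPMPIN -in @(1, 2))
}

function Add-TpmPinProtector {
    # Durable fix. Only one TPM-based protector may exist, so the bare TPM one is
    # removed first; if adding TPM+PIN fails, the TPM protector is put back.
    param([string]$Drive, [securestring]$Pin)
    $state = Get-OsVolumeProtectorState -Drive $Drive
    if (-not $state.TpmOnly)          { Write-Output "$Drive already uses: $($state.Protectors -join ', ')"; return }
    if (-not $state.HasRecovery)      { throw "$Drive has no RecoveryPassword protector; escrow one before changing protectors" }
    if (-not (Test-PinPolicyAllowed)) { throw 'Group Policy does not allow a TPM startup PIN; set the FVE policy first' }
    (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $_.KeyProtectorId | Out-Null }
    try {
        Add-BitLockerKeyProtector -MountPoint $Drive -TpmAndPinProtector -Pin $Pin | Out-Null
    } catch {
        Add-BitLockerKeyProtector -MountPoint $Drive -TpmProtector | Out-Null   # restore boot without recovery key
        throw
    }
    Write-Output "$Drive now requires TPM+PIN before boot"
}

function Remove-AutofstxFromWinRe {
    # MSRC interim workaround: drop the autofstx.exe entry from BootExecute inside the WinRE image.
    param([string]$Mount)
    New-Item -ItemType Directory -Path $Mount -Force | Out-Null
    & reagentc /mountre /path $Mount | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reagentc /mountre failed ($LASTEXITCODE)" }
    $committed = $false
    try {
        & reg load HKLM\WinRE (Join-Path $Mount 'Windows\System32\config\SYSTEM') | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE)" }
        $key    = 'HKLM:\WinRE\ControlSet001\Control\Session Manager'
        $before = @((Get-ItemProperty -Path $key -Name BootExecute).BootExecute)   # REG_MULTI_SZ
        $after  = @($before | Where-Object { $_ -notmatch '(?i)autofstx\.exe' })
        if ($after.Count -lt $before.Count) {
            Set-ItemProperty -Path $key -Name BootExecute -Value $after -Type MultiString
            Write-Output "BootExecute: [$($before -join ' | ')] -> [$($after -join ' | ')]"
        } else {
            Write-Output 'BootExecute contains no autofstx.exe entry; image left unchanged'
        }
        $committed = $true
    } finally {
        [gc]::Collect()                       # release hive handles before unloading
        & reg unload HKLM\WinRE | Out-Null
        & reagentc /unmountre /path $Mount $(if ($committed) { '/commit' } else { '/discard' }) | Out-Null
    }
    # Assumption: re-registering WinRE is how BitLocker re-establishes trust in the modified image.
    & reagentc /disable | Out-Null
    & reagentc /enable  | Out-Null
}

switch ($Mode) {
    'Pin'             { Add-TpmPinProtector -Drive $OsDrive -Pin (Read-Host -AsSecureString 'Pre-boot PIN') }
    'WinReWorkaround' { Remove-AutofstxFromWinRe -Mount $MountDir }
    'DisableWinRe'    { & reagentc /disable | Out-Null; Write-Output 'WinRE disabled; the FsTx replay path is gone' }
}
Get-OsVolumeProtectorState -Drive $OsDrive | Format-List
```

Run with -Mode Pin on hosts where the FVE policy already permits a startup PIN; the trailing state dump should then list TpmPin instead of Tpm. The WinReWorkaround branch mounts, edits and commits the image in one transaction and discards it on any failure, but because feature updates re-stage WinRE it belongs in a post-update compliance check rather than a one-off task.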