Disgruntled hacker drops second zero-day Windows Defender exploit just hours after Microsoft patches first one


A vindictive security researcher has publicly dropped a second Windows Defender privilege escalation exploit, less than two weeks after Microsoft scrambled to plug the first one. The vigilante is threatening to start releasing even more dangerous remote code execution exploits because Microsoft “mopped the floor with me.”

Key takeaways:

The same rogue security researcher, going by the alias Nightmare-Eclipse on GitHub, who made headlines for releasing a working Windows Defender exploit as a vengeful act, just dropped another way to skin the cat.


Cybernews reported that the same researcher released the first Windows Defender exploit two weeks ago – simply running FunnyApp.exe was enough to gain SYSTEM privileges.

Microsoft later acknowledged the elevation of privilege vulnerability and patched it this week during Patch Tuesday. This bug, tracked as CVE-2026-33825, received a 7.8 out of 10 severity rating. Interestingly, Microsoft credited other security researchers, Zen Dodd and Yuanpei XU, for disclosing the bug.


New app to gain system privileges

The hacker has now released a similar exploit, named “RedSun.” It claims to achieve the same result – if the proof of concept works, it grants SYSTEM privileges to unprivileged Windows users.

The exploit once again abuses a Windows Defender bug. However, this time, the hacker also teased Microsoft’s team for flawed logic in their software.

“It's way too funny. When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that’s supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location. The PoC abuses this behavior to overwrite system files and gain administrative privileges,” the repository reads.

“I think antimalware products are supposed to remove malicious files.”


The researcher also released a screenshot of their code in action – once it has obtained elevated privileges, the tool also prints a short poem to the terminal.


More grievances about Microsoft

With the new exploit, the hacker also shared a detailed blog post, threatening Microsoft with more exploits.

“I didn’t want to be evil, but they are actively poking me to start releasing RCEs, which I will be doing at some point… I will personally make sure that it gets funnier every single time Microsoft releases a patch,” the hacker said on the Blogspot platform.

The attacker justifies their action as a response to Microsoft allegedly ruining their life.


“I was told personally by them that they would ruin my life, and they did,” the disgruntled grey hat writes.

“They took away everything. They mopped the floor with me and pulled every childish game they could. It was soo bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer, but it seems to be a collective decision.”



The hacker’s previous posts hinted at a prior relationship with Microsoft Security Response Center (MSRC) that likely went sour, potentially a formal or informal bug bounty or responsible disclosure arrangement.

“They do everything but support the research community, I won't disclose details but they sabotage people a lot. I mean just look at the past, Microsoft is the only major company who had a track of multiple vulnerabilities being publicly disclosed just because the researchers were soo upset by how MSRC treated them.”


The hacker reacted to Microsoft’s earlier “generic” statement by saying that the company doesn’t care: it is fully aware of the public disclosures but chose to ignore the case the researcher filed.

The researcher previously alleged that Microsoft “stabbed them in the back” by violating an agreement and leaving them “homeless with nothing.”

Cybernews has reached out to Microsoft for comment and will update the story with its response.

Earlier, the company said the following:

“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible. We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community.”

Tech enthusiasts on GitHub and social media are already sharing the new exploit.


Attackers who gain initial access to Windows systems can quickly escalate their privileges using a public tool, gain administrative control, and move laterally across the network.
