Security News Windows Defender "RedSun" zero-day revealed! This unpatched EoP flaw turns antivirus into a delivery tool for malicious payloads. PoC is public!

Khushal

Thread author
Apr 4, 2024
Just as the cybersecurity community began digesting the latest round of patches for the high-profile “BlueHammer” vulnerability, a new storm has appeared on the horizon. On April 16, 2026, the security researcher known as Chaotic Eclipse (operating on GitHub under the alias Nightmare-Eclipse) publicly disclosed a new zero-day vulnerability in Windows Defender dubbed “RedSun.”

The vulnerability hinges on a bizarre behavior within Windows Defender’s detection engine. When the antivirus identifies a file as malicious, it typically takes steps to neutralize it. However, the researcher discovered a specific condition involving “cloud tags” that triggers a catastrophic “rewrite” behavior.


 
Short answer: I would treat that claim very cautiously until it is confirmed by Microsoft or reproduced by multiple trusted researchers.

Why caution is needed

  • A public GitHub repository or a security news post is not, by itself, enough to verify that a Windows Defender zero-day is real.
  • “Zero-day,” “catastrophic,” and similar wording are often used before full technical validation exists.
  • Without independent reproduction, affected-version details, root-cause analysis, and vendor acknowledgement, it is not possible to say whether this is a genuine elevation-of-privilege issue, a limited local abuse case, a bug with narrow prerequisites, or an incomplete claim.

What can be said safely

  • If a vulnerability truly allows privilege escalation through Microsoft Defender, that would be significant.
  • The presence of proof-of-concept code does not automatically confirm broad real-world exploitability.
  • Windows Defender does use local and cloud-assisted detection components, but the specific “cloud tags trigger rewrite behavior” claim needs careful technical validation.

Practical next steps

  • Do not test public PoC code on a normal system.
  • Wait for confirmation from Microsoft Security Response Center, trusted reverse engineers, or well-established security labs.
  • Keep Microsoft Defender, Windows, and security intelligence updates fully current.
  • If anyone wants to examine it, use an isolated lab VM with no sensitive data and no production credentials.
  • Monitor reputable sources rather than relying only on reposted articles.

What would make the report more credible

  • A Microsoft advisory, CVE, or official acknowledgement
  • Independent technical write-ups showing successful reproduction
  • Clear affected build numbers and prerequisites
  • A root-cause explanation that matches Defender architecture
  • Evidence that the issue is not just a crash, detection bypass, or lab-only edge case

At this stage, the safest position is: interesting claim, but unverified. It should not be treated as confirmed fact yet.

Weird, some AV firms are flagging that file as EICAR-Test 🤔

The PoC uses the EICAR antivirus test string in a temp file to provoke Defender's detection actions (which are then abused).

Edit.
Here is the reversed EICAR string embedded in the PoC's code:
Code:
 char eicar[] = "*H+H$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE$}7)CC7)^P(45XZP\\4[PA@%P!O5X";
 
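
The two posts above make the same point from the detection side: the PoC ships the EICAR test string backwards and only restores it when it writes the temp file, which is why some engines tag the PoC binary itself as EICAR-Test. The following is an added example, not code from the thread or from the RedSun PoC, showing how a defender can hunt for the string in both its normal and reversed form and check whether a dropped file is actually a well-formed EICAR test file. The only input it assumes is the reversed literal quoted above; the sample binary blob and temp-file contents are constructed here.

```python
"""Hunt for the EICAR test string in both its normal and reversed form.

Added example for this thread; it is not code from the original posts or
from the RedSun PoC. The only input it assumes is the reversed EICAR
literal quoted above; all sample data below is constructed here.
"""
from __future__ import annotations

from pathlib import Path

# Reversed EICAR string exactly as quoted in the thread. The C literal there
# writes the backslash as "\\4"; in a Python bytes literal "\\" is likewise
# a single backslash.
EICAR_REVERSED = b"*H+H$!ELIF-TSET-SURIVITNA-DRADNATS-RACIE$}7)CC7)^P(45XZP\\4[PA@%P!O5X"

# The forward test string is derived at runtime, so this file never carries
# the literal that scanners match on (the thread notes AV engines flagging
# the PoC for exactly that reason).
EICAR_FORWARD = EICAR_REVERSED[::-1]

# Per the EICAR specification the string is 68 bytes; a valid test file is
# that string, optionally followed by whitespace, at most 128 bytes in total.
EICAR_LEN = 68
EICAR_MAX_FILE = 128
EICAR_PAD = b" \t\r\n\x1a"

VARIANTS = {
    "eicar-forward": EICAR_FORWARD,
    "eicar-reversed": EICAR_REVERSED,
}


def find_eicar_variants(data: bytes) -> list[tuple[str, int]]:
    """Return (variant name, offset) for every occurrence, sorted by offset.

    Catches the obfuscation described in the thread: a program that stores the
    string backwards and only reverses it in memory before writing it to disk.
    """
    hits: list[tuple[str, int]] = []
    for name, needle in VARIANTS.items():
        start = 0
        while (idx := data.find(needle, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda hit: hit[1])


def is_eicar_test_file(data: bytes) -> bool:
    """True if `data` is a well-formed EICAR test file, i.e. what a dropped
    temp file must look like for an engine to raise the EICAR-Test detection."""
    if len(data) > EICAR_MAX_FILE or not data.startswith(EICAR_FORWARD):
        return False
    return data[EICAR_LEN:].strip(EICAR_PAD) == b""


def scan_file(path: Path) -> list[tuple[str, int]]:
    """Scan a file on disk (a suspicious binary, or a drop in a temp directory)."""
    return find_eicar_variants(path.read_bytes())


# Constructed samples: a fake executable blob carrying the reversed string, and
# the kind of temp file a program would write after reversing it.
SAMPLE_BINARY = b"MZ" + b"\x00" * 14 + EICAR_REVERSED + b"\x00" * 8
SAMPLE_TEMPFILE = EICAR_FORWARD + b"\r\n"

if __name__ == "__main__":
    for label, blob in (("binary", SAMPLE_BINARY), ("tempfile", SAMPLE_TEMPFILE)):
        print(label, find_eicar_variants(blob),
              "valid EICAR file:", is_eicar_test_file(blob))
```

The scan of the constructed binary reports only the reversed variant at offset 16, while the constructed temp file matches the forward variant and passes the well-formedness check; a file that has anything other than whitespace after the 68 bytes is not a valid EICAR test file and many engines will not flag it.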
Here's where it gets crazy. This isn't some random bug. The same person dropped 3 Windows 0-days in 13 days:

BlueHammer (April 2) - Defender LPE. Got CVE-2026-33825. Patched.
UnDefend (April 12) - blocks all Defender updates permanently.
RedSun (April 15) - this one. Still unpatched.

They claim MSRC dismissed their reports and "ruined their life." Direct quote from their blog: "I was not bluffing Microsoft, and I'm doing it again"

They are threatening to drop an RCE next.

 
Asshole researcher releases zero-day PoC. And he thinks it is funny.

MS must have a do-not-reengineer clause in the Windows License. Sue the son-of-a-bitch.

What does he gain by doing this - 15 mins of fame?