Threat Briefing · Ransomware Tooling

BlueHammer Is Loose: How Fast Ransomware Inherits a Public Exploit

A leaked Windows Defender zero-day went from a researcher's GitHub repo to confirmed ransomware use in under three weeks. The pattern is not new, but the timeline keeps shrinking, and the consequences keep landing on the same kinds of organizations.

Deception Check Threat Briefing · June 30, 2026

BlueHammer threat briefing cover — BlueHammer is the latest in a string of Nightmare Eclipse Windows zero-day drops. Ransomware operators reach for these the moment they go live.

The short version

On June 29, 2026, CISA confirmed that ransomware gangs are actively exploiting BlueHammer, the local privilege escalation flaw tracked as CVE-2026-33825. A researcher operating as Nightmare Eclipse dropped the exploit on GitHub in early April with no coordinated disclosure. Microsoft patched it on April 14, after it had already been exploited as a zero-day, and Huntress publicly detailed live, hands-on-keyboard use days later. CISA added it to the Known Exploited Vulnerabilities catalog on April 22, and flagged it as ransomware-linked this week. The exploit lets a low-privileged local user reach NT AUTHORITY\SYSTEM on a fully patched Windows 10 or 11 host, with no kernel bug, no memory corruption, and no admin rights to start. The technique chains four legitimate Windows features into a race condition that exposes the SAM database for the minute it takes to crack a hash.

The deeper story is the speed. According to Mandiant's M-Trends 2026 and VulnCheck's Exploit Intelligence Report, roughly one third of newly weaponized CVEs in 2025 saw exploitation on or before patch day. Public proof-of-concept code shortens that further. Ransomware groups, who already dominate the 4,669 victims posted to PRiSM's leak-site index in the first half of 2026, do not need a novel bug to break in. They just need somebody else's working code and a patched machine that has not been updated yet.

< 60s

BlueHammer user-to-SYSTEM, on a fully patched host

4,669

ransomware leak-site victims in 2026 (PRiSM, H1)

~32%

of weaponized CVEs in 2025 exploited on or before patch day

What BlueHammer is

BlueHammer is a local privilege escalation in Microsoft Defender, tracked as CVE-2026-33825. Microsoft's own advisory is short: "insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally." That phrasing understates what the exploit actually does. It abuses the way Defender, Volume Shadow Copy Service (VSS), the Windows Cloud Files API, and opportunistic locks interact during a routine Defender update workflow. Each of those components is legitimate Windows machinery. The vulnerability only emerges when an attacker can chain them together in the right order, with the right timing.

The exploit author publishes under the alias Nightmare Eclipse (also seen as Chaotic Eclipse). The release was uncoordinated. Nightmare Eclipse posted full proof-of-concept source code to GitHub in early April with a note aimed at the Microsoft Security Response Center: "I was not bluffing Microsoft, and I'm doing it again." Will Dormann, principal vulnerability analyst at Tharros, independently confirmed the exploit functions against fully patched Windows 10 and 11 systems. Huntress reported real-world, hands-on-keyboard use during a customer intrusion days after the drop, alongside two other Nightmare Eclipse tools, RedSun and UnDefend, traced back to compromised FortiGate SSL VPN access.

How it works

BlueHammer is a textbook Time-Of-Check, Time-Of-Use (TOCTOU) race condition with a clever twist. The attacker does not race the kernel. They use Cloud Files callbacks and opportunistic locks to freeze Defender at exactly the wrong moment, leaving a Volume Shadow Copy snapshot mounted with the password database sitting in the clear.

BlueHammer attack chain — The BlueHammer chain from low-privileged shell to SYSTEM. The cracking step happens entirely on the attacker's hardware; nothing in this chain triggers a remote network alert.

In sequence, the exploit checks for a pending Defender signature update, drops an EICAR test file to bait Defender into a remediation scan, then uses a Cloud Files sync root to detect the precise moment Defender begins enumerating that directory. It then takes a batch oplock on a placeholder file. Defender stalls on the open, holding the VSS snapshot mounted. With Defender paused, the exploit reads the SAM, SYSTEM, and SECURITY registry hives directly from the shadow copy, reconstructs the boot key, and decrypts the local NTLM hashes. It uses SamiChangePasswordUser to briefly replace a local administrator's password (the proof-of-concept uses the now-infamous $PWNed666!!!WDFAIL), authenticates as that admin, duplicates a SYSTEM token, creates a temporary Windows Service, spawns a SYSTEM-level cmd.exe, and then restores the original NTLM hash so the password change leaves no trace from the user's perspective.

Microsoft pushed a Defender signature update that detects the original proof-of-concept binary as Exploit:Win32/DfndrPEBluHmr.BB. That detection covers a specific compiled sample, not the technique. Recompile from slightly modified source, change a few timing parameters, swap the placeholder filename, and the behavioral chain still works. Cyderes' Howler Cell team resolved the acknowledged bugs in the public proof-of-concept and ran the full exploit end-to-end. A ransomware affiliate with even moderate development skill can do the same.

A note on what we know and do not know CISA has flagged BlueHammer as ransomware-exploited but has not, as of this writing, attributed the activity to a specific operator. Huntress' published intrusion narrative describes hands-on-keyboard operators using BlueHammer alongside RedSun and UnDefend, with initial access through stolen FortiGate VPN credentials from a source IP geolocated to Russia, and follow-on tunneling through a Go-based agent the team dubbed BeigeBurrow. The tradecraft is consistent with a mid-tier affiliate program, not a top-five brand-name crew. We will revise this brief as cleaner attribution emerges.

Which ransomware operators are most likely to weaponize it first

Ransomware adoption of public exploit code is a known pattern with a short list of likely first movers. The groups that adopt fastest are not always the largest, but they share a profile: a working internal development capability, an affiliate program incentivized to land first-on-target advantage, and a documented history of integrating leaked tooling within days.

Most dangerous adopters — Operators with the documented capability and incentive structure to weaponize BlueHammer quickly. Ranking is by victim count in 2026 plus historical fast-adoption behavior.

The 2026 ranking changes the leaderboard. Qilin has been the most prolific ransomware operation for three consecutive quarters and now sits at 725 victims year-to-date in the PRiSM dataset, more than twice the next operator and a 67% lead over the all-time number one. Qilin runs a Rust-based encryptor, iterates TTPs rapidly, and in late 2025 entered a documented alliance with LockBit and DragonForce, a cartel structure that tends to accelerate cross-pollination of new tradecraft. The Gentlemen, a newer entrant, has surged to 454 victims in the same window. Then come Akira (329), DragonForce (249), INC Ransom (240), and LockBit itself (203), still in the top ten despite the 2024 law-enforcement disruption.

Top ransomware operators 2026 — The top 15 ransomware operators by victims posted in 2026 (PRiSM, January through June). Amber bars are operators with documented histories of adopting new public exploits within days of release.

Two groups deserve a specific mention even though they do not lead this year's leak-site rankings. CL0P built its modern reputation on mass-exploitation of file-transfer zero-days (Accellion, GoAnywhere MFT, MOVEit, Cleo). It has shown, more than once, that it can integrate a fresh CVE into a campaign that fires before most defenders have heard of the bug. LockBit, even at reduced operational tempo, has a documented history of folding fresh public exploits into its operations within days of release, including the PrintNightmare Windows print-spooler flaw. BlueHammer, with full source code, a confirmed working chain, and bypassable signature detection, fits the exact pattern these groups have rewarded affiliates for adopting.

How often this happens: the broader pattern

BlueHammer is not an anomaly. It is the latest data point in a multi-year trend that defenders need to plan for, not react to. Three numbers tell the story.

First, the time-to-exploit has collapsed. Mandiant's M-Trends 2026 reports that the mean time-to-exploit has gone negative, on average about a week before a patch is even available, down from 63 days in 2018. VulnCheck found that roughly 32% of the vulnerabilities exploited in the first half of 2025 were hit on or before the day they were publicly disclosed. A public proof-of-concept, like the one for BlueHammer, only shortens that window further.

Second, Mandiant tracked 90 in-the-wild zero-days in 2025. Financially motivated threat groups, which is the polite term for ransomware crews and the brokers who feed them, accounted for nine of those, double the five attributed to them in 2024. Vulnerability exploitation has been the number one initial access vector in Mandiant incident response engagements for three years running.

Third, CISA marked 24 vulnerabilities added to the Known Exploited Vulnerabilities catalog in 2025 as ransomware-exploited, which is roughly one new ransomware-grade CVE every two weeks. Local privilege escalations like BlueHammer are well represented in that list because LPEs are the connective tissue between initial access (a phished credential, a VPN bypass, a malicious document) and the SYSTEM-level access an encryptor needs to disable backups, dump credentials, and move laterally.

A public proof-of-concept is not a research artifact. To a ransomware affiliate, it is a deliverable.

Why this lands so hard on small and mid-sized organizations

The PRiSM Ransomware Spectral Analysis index has tracked 4,669 ransomware victims in the first six months of 2026, an average of about 777 named victims per month, and that count only reflects the organizations that ended up on a public leak site. The unreported number is meaningfully higher.

PRiSM monthly victim counts 2026 — Monthly ransomware victims posted to leak sites in 2026. March was the busiest month of the year so far, with April, when BlueHammer hit GitHub and entered CISA's KEV catalog, close behind.

The targeting is broad, but not uniform. Business services and consulting firms lead, followed by manufacturing, IT and software, healthcare, and construction. These are the industries that combine messy IT estates, supply-chain reach, and the operational pressure that turns a ransom demand into a quick payment.

PRiSM 2026 industry breakdown — Top ten industries by ransomware victim count in 2026 (PRiSM, January through June).

Most damning, the size profile is the opposite of what the headlines suggest. The marquee cases get coverage, but the bulk of the damage falls on small and mid-sized organizations.

PRiSM 2026 victim size donut — More than half of all 2026 ransomware victims have 200 or fewer employees. Source: PRiSM Ransomware Spectral Analysis.

56% of victims posted in 2026 have 200 or fewer employees, and over a third have 50 or fewer. These are the organizations least likely to have a dedicated incident response retainer, the most likely to be running default Windows configurations, and the most exposed to exactly the kind of exploit BlueHammer represents: a public proof-of-concept that an affiliate can weaponize with a copy-paste and a recompile.

What to do this week

The fix list for BlueHammer is short and well-defined. The harder posture change is internal: assume that, the next time Nightmare Eclipse or anyone else publishes a working LPE, a ransomware affiliate will have it in a tested toolchain within the week. Build for that timeline.

This week

Patch CVE-2026-33825 everywhere. Microsoft's April 14 update fixes BlueHammer. Confirm Defender platform and security-intelligence updates have rolled out fleet-wide, not just on the laptops that get used daily.
Hunt for the BlueHammer behavior, not the binary. Alert on NtQueryDirectoryObject enumeration of HarddiskVolumeShadowCopy* from non-system processes. Alert on CfRegisterSyncRoot from anything that is not a known cloud sync client. Alert on low-privileged processes calling CreateService. Alert on local administrator password changes (Event ID 4723/4724) that flip and then flip back within seconds.
Tighten Defender's signature detection. Confirm Exploit:Win32/DfndrPEBluHmr.BB is firing on test samples in your estate, and treat that detection as a high-confidence indicator of attempted use, not a successful block.

This month

Audit who can run code on your Windows endpoints. BlueHammer requires local execution. Every unnecessary local user account, every standing local admin, every shared workstation is a possible launch point. Enforce least privilege with intent.
Close the VPN initial-access path. Huntress' BlueHammer intrusion started with stolen FortiGate SSL VPN credentials. That is not abstract for us: it is the same automated pressure on Fortinet logins our own sensors record every day, which we documented in our FortiBleed analysis. The VPN credential is the way in, BlueHammer is the escalation, and deception is what catches the step in between. Phishing-resistant MFA (FIDO2 or certificate-based) on every remote access path is the single highest-leverage control.
Patch the rest of the Nightmare Eclipse drops. GreenPlasma, MiniPlasma, and YellowKey were fixed in the June 2026 Patch Tuesday. RedSun and UnDefend remain unpatched as of this writing; restrict Cloud Files API usage and monitor for the specific patterns described in Huntress' April writeup.

Standing

Treat every uncoordinated zero-day drop as a 7-day countdown. The data is consistent across Mandiant, VulnCheck, and Recorded Future. By the end of the first week, the exploit has been integrated by someone. Build your patch SLA around that reality.
Deploy decoys at the credential layer. A honeypot administrator account, a fake configuration file with a plausible-looking management interface URL, a deception that looks like a SAM dump waiting to be cracked, these are zero-false-positive alarms. Nothing legitimate ever touches them. An attacker chaining BlueHammer to credential extraction trips them on the first try.

The deeper lesson

You cannot patch your way out of the time gap between a public exploit drop and ransomware adoption. The gap is now measured in days, sometimes hours. The question that matters is whether you can detect the exploit being used, not just whether you have patched the underlying CVE on every host. Behavioral detection on the steps an exploit takes, plus deception at the resources it tries to read, gives you a high-confidence alert the moment the technique runs, regardless of which compiled variant the affiliate happens to be shipping that week.

That is the work we focus on at Deception Check. BlueHammer is a reminder that the most important window in modern security is not the gap between disclosure and patch. It is the gap between patch and the patch actually being applied, and ransomware operators have built an entire business model around that gap. Close it, and watch the accounts and the credentials you cannot fully lock down.

Patch fast. Detect faster. And put something attractive in front of the attacker that you do not mind them touching.

Sources

Sergiu Gatlan, "CISA: Windows BlueHammer flaw now exploited by ransomware gangs," BleepingComputer, June 30, 2026. link
Microsoft Security Response Center, "CVE-2026-33825." link
NVD, "CVE-2026-33825 detail." link
Cyderes Howler Cell, "Windows Zero-Day BlueHammer." link
Huntress, "Nightmare Eclipse Intrusion," April 20, 2026. link
Nightmare Eclipse, "BlueHammer" proof-of-concept repository. link
Google Cloud / Mandiant, "Look What You Made Us Patch: 2025 Zero-Days in Review."
Google Cloud / Mandiant, "M-Trends 2026."
VulnCheck, "2026 Exploit Intelligence Report."
Recorded Future Insikt Group, "H1 2025 Malware and Vulnerability Trends."
PRiSM Ransomware Spectral Analysis (Duncan Walls / Data Breaches Digest), dbd.knack.com. Stats current as of June 30, 2026.
Check Point Research, "The State of Ransomware Q1 2026."

About this brief Deception Check publishes operationally-focused threat briefs grounded in our own sensor data and the broader open record. We use decoys, honeytokens, and credential-layer deception to turn a ransomware affiliate's first attempt into a high-confidence alert, with nothing to patch and no legitimate reason for anyone to ever touch them. If BlueHammer or its successors are something you are tracking inside your environment, get in touch.