Last updated: July 5, 2026 at 9:01 AM UTC
Tag: windows (14 articles)

Broken VECT 2.0 ransomware is silently destroying any file larger than 131 KB on Windows, Linux, and ESXi - paying the ransom recovers nothing

Researchers found a serious bug in VECT 2.0, a new ransomware family making the rounds: the encryption routine corrupts any file larger than about 131 KB instead of encrypting it reversibly. Files smaller than the threshold encrypt and decrypt normally; everything bigger gets permanently destroyed. Operators don't seem to know yet, so victims who pay get a working decryption tool that recovers small files and tells them the large ones are 'corrupted' - which they are, because VECT broke them on the way in. The bug affects Windows, Linux, and VMware ESXi variants. Any large file on a VECT 2.0-hit system is irrecoverable regardless of whether the ransom is paid.

Check
Make sure every host that handles documents, databases, or virtual machine images has tested, off-network backups - because if VECT 2.0 hits, restore from backup is your only path.
Affected
Any Windows, Linux, or VMware ESXi system with the exposed, unpatched RDP, SMB, or VPN services that VECT 2.0 operators are using for initial access. The 131 KB threshold catches almost everything important: Office documents, PDFs, databases, virtual machine disks, source code repos. Small config files survive, which makes the attack look partially recoverable until victims realize the scope.
Fix
Verify backups are off-network (immutable storage, air-gapped tape, S3 object lock) and test restore for at least one large file from each business-critical system. If hit by VECT 2.0, do not pay the ransom - large files cannot be recovered even if the operator delivers a working decryption tool. Restore from clean backup. Watch for VECT 2.0 indicators in EDR feeds; the bug may be patched in future versions.
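The restore test above is the part most teams skip. As an added example (not from the article or from any vendor tooling), this PowerShell script records SHA-256 hashes of the largest files under each business-critical path, deliberately sampling above the 131 KB threshold the article gives, and later compares restored copies against that manifest. Every path in it is a placeholder for your own shares and restore location; the file names `manifest.csv`, `New-LargeFileManifest` and `Test-RestoredFiles` are this example's own.

```powershell
# Added example, not part of the article: build a hash manifest of the largest
# files under each business-critical path, then verify restored copies against it.
# All paths below are placeholders for your own shares and restore location.

$LargeFileThreshold = 131KB   # VECT 2.0 destroys files above roughly this size, so sample above it

function New-LargeFileManifest {
    param(
        [Parameter(Mandatory)] [string[]] $Path,               # source roots, e.g. 'D:\Shares\Finance'
        [int] $PerPath = 5,                                    # sample the N largest files per root
        [string] $ManifestPath = 'C:\RestoreTest\manifest.csv' # placeholder location for the manifest
    )
    $rows = foreach ($root in $Path) {
        $root = $root.TrimEnd('\')
        Get-ChildItem -Path $root -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -gt $LargeFileThreshold } |
            Sort-Object Length -Descending |
            Select-Object -First $PerPath |
            ForEach-Object {
                [pscustomobject]@{
                    Root     = $root
                    Relative = $_.FullName.Substring($root.Length).TrimStart('\')
                    Length   = $_.Length
                    Sha256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
    if (-not $rows) { Write-Warning "No files above $LargeFileThreshold bytes found under $($Path -join ', ')"; return }
    $rows | Export-Csv -Path $ManifestPath -NoTypeInformation
    $rows
}

function Test-RestoredFiles {
    param(
        [string] $ManifestPath = 'C:\RestoreTest\manifest.csv',
        # Keys are the (trailing-backslash-free) source roots used in the manifest,
        # values are where the backup was restored to for the test.
        [Parameter(Mandatory)] [hashtable] $RestoreMap
    )
    foreach ($row in Import-Csv -Path $ManifestPath) {
        $restoredRoot = $RestoreMap[$row.Root]
        $restored = if ($restoredRoot) { Join-Path $restoredRoot $row.Relative } else { $null }
        $status = if (-not $restored)                  { 'NO-RESTORE-ROOT' }
                  elseif (-not (Test-Path $restored))  { 'MISSING' }
                  elseif ((Get-FileHash -Path $restored -Algorithm SHA256).Hash -ne $row.Sha256) { 'MISMATCH' }
                  else                                 { 'OK' }
        [pscustomobject]@{
            Source   = Join-Path $row.Root $row.Relative
            Restored = $restored
            Length   = [int64]$row.Length
            Status   = $status
        }
    }
}

# Before an incident (or on a schedule), on each business-critical system:
# New-LargeFileManifest -Path 'D:\Shares\Finance', 'D:\VMs'
# After restoring the backup to a scratch location, never over production:
# Test-RestoredFiles -RestoreMap @{ 'D:\Shares\Finance' = 'E:\RestoreTest\Finance'; 'D:\VMs' = 'E:\RestoreTest\VMs' }
```

Anything other than `OK` in the `Status` column means the backup would not have saved that file, which is exactly the class of file VECT 2.0 makes unrecoverable. Keep the manifest with the backups, not on the hosts being backed up, or it is lost along with everything else.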

New 'PhantomRPC' bug lets any low-privileged Windows process become SYSTEM - all Windows versions affected, no patch from Microsoft

At Black Hat Asia on April 24, Kaspersky disclosed PhantomRPC, an architectural flaw in how Windows handles RPC (Remote Procedure Call), a core internal communication system. When a privileged Windows process tries to talk to an RPC server that isn't running, the operating system doesn't check whether the thing answering is the real one - so a low-privileged attacker can stand up a fake RPC server, intercept the call, and inherit SYSTEM-level access. All Windows versions are affected. Kaspersky demonstrated five different exploitation paths and published the research tools on GitHub. Microsoft has not released a patch.

Check
Treat any unprivileged Windows process as a potential SYSTEM-escalation foothold and tighten EDR rules around suspicious RPC server registrations until Microsoft patches.
Affected
All Windows versions including Windows 10, Windows 11, and Windows Server, plus older builds. Acute risk on multi-user systems, terminal servers, and any host where untrusted code might run as a low-privileged service account such as NETWORK SERVICE - those are the easiest launch points for the technique.
Fix
There is no Microsoft patch yet. Use Kaspersky's public PhantomRPC tooling to audit your environment for exploitable RPC patterns. Tighten EDR detection on processes registering RPC endpoints with privileged-service UUIDs. On terminal servers, limit which low-privileged accounts can run code. Watch Microsoft Security Response Center for updates over the coming weeks.

Second Microsoft Defender zero-day PoC released - 'RedSun' grants SYSTEM privileges on fully-patched Windows including this week's April patches

Just days after Microsoft patched BlueHammer (CVE-2026-33825) in Tuesday's Patch Tuesday, the same researcher 'Chaotic Eclipse' (aka Nightmare-Eclipse) has released a second Microsoft Defender local privilege escalation zero-day called RedSun. The exploit works on fully-patched Windows 10, Windows 11, and Windows Server systems with Windows Defender enabled, even after installing this week's April updates. The flaw abuses Defender's cloud file rollback behavior: when Defender detects a file with a 'cloud tag' it tries to restore it to its original location without validating the target path. The exploit uses NTFS junctions and opportunistic locks to redirect the write to C:\Windows\System32, overwriting system files like TieringEngineService.exe to gain SYSTEM privileges. Huntress Labs is reporting all three recently-leaked Windows Defender zero-days (BlueHammer, RedSun, and UnDefend) are now being exploited in the wild. The researcher has threatened to drop more severe RCE exploits in protest of how Microsoft handled their disclosure process. No patch available for RedSun yet. Working PoC code is public on GitHub.

Check
Assume unprivileged-to-SYSTEM escalation is available to any attacker on your Windows endpoints until Microsoft patches RedSun. Defense-in-depth measures matter more than usual.
Affected
Windows 10, Windows 11, and Windows Server 2019 and later systems with Windows Defender enabled. The exploit works on fully-patched systems including the April 2026 Patch Tuesday updates. Any attacker with local unprivileged access (via phishing, drive-by download, or stolen credentials) can escalate to SYSTEM.
Fix
No patch available yet. Immediate mitigations: (1) Block execution of untrusted binaries from user-writable directories via AppLocker or Windows Defender Application Control - this prevents the initial foothold required for RedSun. (2) Monitor EDR for unexpected file writes to System32 and NTFS junction creation. (3) Apply the April Patch Tuesday updates anyway to close BlueHammer (CVE-2026-33825) and other critical flaws - RedSun is a separate issue. (4) Watch for Microsoft's out-of-band update or May Patch Tuesday fix.
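Mitigations (1) and (2) above can both be checked from a host. The following PowerShell script is an added example, not from the article, from Huntress, or from the public PoC: it asks the effective AppLocker policy what it would decide for executables already sitting in user-writable directories, and it lists NTFS junctions or symlinks under those directories whose target resolves inside System32. The directory list `$UserWritableRoots` and the function names are this example's own assumptions; extend the list with the user-writable paths your environment actually has.

```powershell
# Added example, not from the article or the PoC: check two RedSun mitigations on
# this host. (1) Does the effective AppLocker policy deny executables that already
# sit in user-writable directories? (2) Do any NTFS junctions or symlinks in those
# directories resolve into System32? The root list below is an assumption.

$UserWritableRoots = @($env:TEMP, $env:ProgramData, $env:PUBLIC, $env:LOCALAPPDATA) | Select-Object -Unique

function Test-UserWritableExecution {
    # One row per executable/DLL found under a user-writable root, with AppLocker's decision for it.
    $policy = Get-AppLockerPolicy -Effective
    $ruleCount = ($policy.RuleCollections | ForEach-Object { @($_).Count } | Measure-Object -Sum).Sum
    if (-not $ruleCount) {
        Write-Warning 'No AppLocker rules in effect: execution from user-writable directories is not blocked here'
        return
    }
    foreach ($root in $UserWritableRoots) {
        $files = Get-ChildItem -Path $root -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
                 Select-Object -First 50 -ExpandProperty FullName
        if (-not $files) { continue }
        Test-AppLockerPolicy -PolicyObject $policy -Path $files -User Everyone |
            Select-Object FilePath, PolicyDecision, MatchingRule
    }
}

function Find-ReparsePointsIntoSystem32 {
    # Lists junctions/symlinks under user-writable roots whose target resolves inside System32.
    $system32 = (Join-Path $env:SystemRoot 'System32').TrimEnd('\')
    foreach ($root in $UserWritableRoots) {
        Get-ChildItem -Path $root -Recurse -Depth 8 -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            ForEach-Object {
                $target = $_.Target
                if ($target -is [array]) { $target = $target[0] }   # PowerShell 7.0/7.1 return string[]
                if (-not $target) { return }                        # reparse point that is not a resolvable link
                # Strip the \\?\ or \??\ device prefixes some link targets carry
                $resolved = $target -replace '^\\\\\?\\', '' -replace '^\\\?\?\\', ''
                if ($resolved.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
                    [pscustomobject]@{ Link = $_.FullName; LinkType = $_.LinkType; Target = $resolved }
                }
            }
    }
}

# Anything AppLocker would still allow from a user-writable directory:
# Test-UserWritableExecution | Where-Object { $_.PolicyDecision -notin 'Denied', 'DeniedByDefault' }
# Links from user-writable locations into System32, which should be an empty list:
# Find-ReparsePointsIntoSystem32
```

A non-empty result from either function is a gap in the mitigation rather than proof of compromise, but a junction from a temp directory into System32 has no legitimate reason to exist and is worth raising with the EDR team as a detection trigger in its own right. The AppLocker check only answers for files that already exist; a policy with no path rule covering a directory shows up as `AllowedByDefault` only when AppLocker is actually enforcing.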

Unpatched Windows zero-day "BlueHammer" leaked after researcher's dispute with Microsoft - exploit code public, no fix available

A frustrated security researcher published working exploit code for an unpatched Windows local privilege escalation flaw after Microsoft's Security Response Center mishandled the disclosure. The researcher, posting as Chaotic Eclipse, dropped the proof-of-concept on GitHub on April 3 with the message "I was not bluffing Microsoft." Will Dormann of Tharsos confirmed the exploit works - it combines a TOCTOU race condition with path confusion to access the SAM database containing local account password hashes, enabling escalation to SYSTEM privileges. The exploit is confirmed working on Windows desktop but unreliable on Windows Server. The researcher deliberately included bugs in the PoC, but the underlying technique is now public and weaponizable.

Check
Assess your Windows endpoint fleet's exposure. This is a local privilege escalation - it requires an attacker to already have local access, making it a post-compromise escalation tool.
Affected
Windows desktop systems (Windows 10, Windows 11). Windows Server appears less affected - testing shows the exploit is unreliable on Server editions. No CVE has been assigned yet.
Fix
No patch available - this is an unpatched zero-day. Mitigate by restricting local user permissions to minimum necessary, monitoring EDR for unusual privilege escalation and SAM database access attempts, and hardening against the initial access vectors (phishing, stolen credentials) that would give attackers the local foothold they need. Watch for a Microsoft patch in an upcoming Patch Tuesday or out-of-band update.
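The "SAM database access attempts" part of the mitigation can be backed by native Windows auditing when EDR coverage is thin. The PowerShell function below is an added example, not from the article or from the researchers involved: it pulls Security-log event ID 4663 ("An attempt was made to access an object") records that touch the SAM hive and flags any process outside an expected list. It assumes the "File System" audit subcategory is enabled and that a SACL exists on `%SystemRoot%\System32\config\SAM` (set by GPO or with `Get-Acl -Audit`/`Set-Acl`); without both, Windows logs nothing and the function returns nothing. The expected-process default of `lsass.exe` is an assumption to tune per environment.

```powershell
# Added example, not from the article: surface Security-log audit events (ID 4663)
# that touch the SAM hive, and flag any process other than the ones you expect.
# Assumptions: "Audit File System" is enabled, e.g.
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
# and a SACL exists on %SystemRoot%\System32\config\SAM; otherwise nothing is logged.

function Get-SamAccessEvents {
    param(
        [int] $Hours = 24,
        [string[]] $ExpectedProcess = @('lsass.exe')   # assumption: lsass.exe is normal; tune per environment
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Match on the path suffix so copies of the hive reached by another path also show up
        if ($data.ObjectName -notlike '*\config\SAM*') { return }
        $proc = if ($data.ProcessName) { Split-Path -Path $data.ProcessName -Leaf } else { '' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Subject    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Process    = $data.ProcessName
            AccessMask = $data.AccessMask
            Object     = $data.ObjectName
            Unexpected = ($proc -notin $ExpectedProcess)
        }
    }
}

# Review the last three days and keep only processes outside the expected list:
# Get-SamAccessEvents -Hours 72 | Where-Object Unexpected | Format-Table -AutoSize
```

Run it from an elevated prompt, since the Security log is not readable by standard users. A hit with `Unexpected = True` from an interactive user's process is the signal to pivot into the EDR timeline for that host; a hit from `lsass.exe` alone is normal operation.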