Researchers found a serious bug in VECT 2.0, a new ransomware family making the rounds: the encryption routine corrupts any file larger than about 131 KB instead of encrypting it reversibly. Files smaller than the threshold encrypt and decrypt normally; everything bigger gets permanently destroyed. Operators don't seem to know yet, so victims who pay get a working decryption tool that recovers small files and tells them the large ones are 'corrupted' - which they are, because VECT broke them on the way in. The bug affects Windows, Linux, and VMware ESXi variants. Any large file on a VECT 2.0-hit system is irrecoverable regardless of whether the ransom is paid.
Kaspersky disclosed PhantomRPC at Black Hat Asia on April 24, an architectural flaw in how Windows handles a core internal communication system called RPC (Remote Procedure Call). When a privileged Windows process tries to talk to an RPC server that isn't running, the operating system doesn't check whether the thing answering is the real one - so a low-privileged attacker can stand up a fake RPC server, intercept the call, and inherit SYSTEM-level access. All Windows versions are affected. Kaspersky demonstrated five different exploitation paths and published the research tools on GitHub. Microsoft has not released a patch.
Just days after Microsoft patched BlueHammer (CVE-2026-33825) in Tuesday's Patch Tuesday, the same researcher 'Chaotic Eclipse' (aka Nightmare-Eclipse) has released a second Microsoft Defender local privilege escalation zero-day called RedSun. The exploit works on fully-patched Windows 10, Windows 11, and Windows Server systems with Windows Defender enabled, even after installing this week's April updates. The flaw abuses Defender's cloud file rollback behavior: when Defender detects a file with a 'cloud tag' it tries to restore it to its original location without validating the target path. The exploit uses NTFS junctions and opportunistic locks to redirect the write to C:\Windows\System32, overwriting system files like TieringEngineService.exe to gain SYSTEM privileges. Huntress Labs is reporting all three recently-leaked Windows Defender zero-days (BlueHammer, RedSun, and UnDefend) are now being exploited in the wild. The researcher has threatened to drop more severe RCE exploits in protest of how Microsoft handled their disclosure process. No patch available for RedSun yet. Working PoC code is public on GitHub.
A frustrated security researcher published working exploit code for an unpatched Windows local privilege escalation flaw after Microsoft's Security Response Center mishandled the disclosure. The researcher, posting as Chaotic Eclipse, dropped the proof-of-concept on GitHub on April 3 with the message "I was not bluffing Microsoft." Will Dormann of Tharsos confirmed the exploit works - it combines a TOCTOU race condition with path confusion to access the SAM database containing local account password hashes, enabling escalation to SYSTEM privileges. The exploit is confirmed working on Windows desktop but unreliable on Windows Server. The researcher deliberately included bugs in the PoC, but the underlying technique is now public and weaponizable.