Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

BlueHammer turns into a ransomware step

2 min read
11:00UTC

CISA confirmed ransomware gangs are weaponising BlueHammer, the April Windows Defender flaw, to seize SYSTEM rights before deploying their encryptors.

TechnologyDeveloping
Key takeaway

A patched April flaw in Windows Defender is now a live SYSTEM-access step for ransomware crews.

CISA updated the Known Exploited Vulnerabilities (KEV) entry for CVE-2026-33825, the Windows Defender local-privilege-escalation (LPE) flaw known as BlueHammer, to confirm that ransomware gangs now exploit it for SYSTEM-level access before deploying encryptors. Microsoft patched the flaw on 14 April and CISA listed it on 22 April. It was disclosed by a researcher using the handle Chaotic Eclipse, whose run of Microsoft bugs produced a fifth unpatched zero-day last month . 1

The flaw works as a time-of-check-to-time-of-use race in Defender's remediation engine: the software checks a file's status, then acts on it a moment later, and an attacker swaps the target in between. On its own an LPE does nothing. Chained after an initial break-in, it hands an attacker the SYSTEM rights needed to switch off defences and encrypt at will. That is why the update matters: it turns a three-month-old patch that many programmes deprioritised into a live step in a working ransomware chain.

Deep Analysis

In plain English

Windows Defender is the built-in security software that comes free with Windows and is meant to stop malware. Researchers found a flaw in it that lets someone who has already broken into a computer, through some other route, use Defender itself to take full control of the machine, the highest level of access there is. CISA now says ransomware gangs are using this trick before locking victims' files, which is unsettling because the tool that is supposed to protect the computer has become part of the attack. A researcher who goes by the handle Chaotic Eclipse found the flaw; that same person has found several other serious Windows bugs this year.

Deep Analysis
Root Causes

Windows Defender's kernel-mode components run with system-level trust by design, which is precisely why compromising the security product itself hands a ransomware crew system-level access that a bug in an ordinary, already-restricted application cannot.

Chaotic Eclipse, the same handle already credited with a fifth zero-day disclosure this year, appears to work through private broker or bug-bounty channels rather than Microsoft's own coordinated-disclosure programme. The gap between a privately attributed find and CISA's public 'now confirmed exploited' update suggests BlueHammer circulated in criminal channels before any public patch timeline closed it.

What could happen next?
  • Risk

    Organisations that rely on Windows Defender as their primary endpoint protection now face a scenario where the protection layer itself can be turned against them at the privilege-escalation stage of an intrusion.

  • Meaning

    CISA's decision to update rather than newly list the entry signals the flaw was already tracked before ransomware use was confirmed, suggesting future KEV updates on existing entries deserve the same attention as new listings.

First Reported In

Update #9 · FortiBleed harvest linked to Lynx crew

BleepingComputer· 4 Jul 2026
Read original
Causes and effects
This Event
BlueHammer turns into a ransomware step
A patch many teams deprioritised in April has become a confirmed rung in the ransomware kill chain.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.