Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

Microsoft ends the Nightmare Eclipse run

2 min read
11:00UTC

Microsoft shipped an out-of-band Defender update on 9 July patching RoguePlanet, the seventh and final zero-day from the researcher known as Nightmare Eclipse.

TechnologyDeveloping
Key takeaway

Nightmare Eclipse's seven-drop run against Microsoft is closed, but the disclosure breakdown leaves defenders exposed in each gap.

Microsoft shipped an out-of-band (OOB) Malware Protection Engine update, version 1.1.26060.3008, on Thursday 9 July, patching RoguePlanet (CVE-2026-50656) 1. The flaw let a local attacker escalate to SYSTEM, the highest account on a Windows machine, through improper link resolution in Windows Defender, a local privilege escalation (LPE). The fix ships silently through the normal Defender signature channel, so administrators need take no action.

RoguePlanet was the seventh and final zero-day from the researcher known as Nightmare Eclipse since April, closing the series rather than extending it. The fifth in that run landed in June still unpatched. RoguePlanet itself sat public with proof-of-concept code for roughly a month before the fix arrived.

Nightmare Eclipse released working exploits before patches existed, and Microsoft answered with legal threats and account takedowns while the code stayed live on public mirrors 2. Coordinated disclosure depends on both sides trusting the process, and a month of public exploit code against Defender, seven times since April, shows that trust fraying. Defenders absorb the exposure in the gap between drop and patch, which pushes the burden onto compensating controls like application allow-listing and endpoint tamper protection.

Deep Analysis

In plain English

Windows Defender is Microsoft's built-in antivirus tool. RoguePlanet was a flaw in Defender itself that let an attacker who already had limited access to a machine grant themselves full administrator control, known as privilege escalation. Microsoft fixed it by pushing an updated "engine", the core scanning software inside Defender, rather than waiting for its usual monthly round of security patches. This was the seventh and last flaw in a series found by a researcher going by the handle Nightmare Eclipse, so this update closes out that whole run of bugs.

Deep Analysis
Root Causes

RoguePlanet is a local privilege-escalation flaw, which exploits a trust boundary inside Defender's own scanning engine rather than a network-facing surface, so Microsoft could fix it by shipping a new engine build (1.1.26060.3008) instead of waiting for a full security update. That distinction, engine-level versus OS-level patching, is why this fix reached endpoints faster than a typical CVE on Patch Tuesday.

Nightmare Eclipse's run of seven disclosures against the same component over one series points to systematic fuzzing of that trust boundary rather than independent, unrelated discoveries.

First Reported In

Update #10 · One operator worked both ransomware brands

The Register· 14 Jul 2026
Read original
Causes and effects
This Event
Microsoft ends the Nightmare Eclipse run
A month of public Defender exploit code, seven times since April, shows coordinated disclosure fraying between Microsoft and an adversarial researcher.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.