Exploits Turn Windows Defender into Attacker Tool


Three proof-of-concept exploits targeting Windows Defender are being used in active attacks. BlueHammer (CVE-2026-33825) exploits a TOCTOU race condition in Defender's signature update workflow to gain SYSTEM-level access; Microsoft patched it in April 2026. RedSun targets TieringEngineService.exe via a similar race condition and works on fully patched Windows 10/11 and Server 2019+ systems with no CVE or patch yet. UnDefend, deployed after SYSTEM access is achieved, silently degrades Defender's threat intelligence updates while falsely reporting the endpoint as healthy. Huntress Labs observed targeted hands-on intrusions using all three exploits, with attackers staging binaries in low-noise directories like Pictures and Downloads. Mitigations include applying April 2026 updates, enforcing MFA on VPN/remote access, blocking execution from user-writable directories, and adding a detection layer outside Defender's trust boundary.
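The mitigation the summary ends on, blocking or at least alerting on executables launched from user-writable folders such as Pictures and Downloads, can be checked from process-creation telemetry that lives outside Defender. The following is an added example, not code from Dark Reading, Huntress or Microsoft: it parses constructed, simplified process-creation records (field names are assumed; real 4688 or Sysmon records carry more) and flags executables running from per-user folders, the user Temp directory and the Public profile.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records, loosely modelled on Windows 4688 / Sysmon process
# creation events. Hosts, users and paths are made up for the example.
SAMPLE_EVENTS = [
    r"Host=WS01 User=CORP\alice Parent=C:\Windows\explorer.exe Image=C:\Users\alice\Downloads\update.exe",
    r"Host=WS01 User=CORP\alice Parent=C:\Windows\explorer.exe Image=C:\Program Files\Vendor\app.exe",
    r"Host=SRV02 User=CORP\svc Parent=C:\Windows\System32\cmd.exe Image=c:/users/svc/pictures/svchost.exe",
    r"Host=WS03 User=CORP\bob Parent=C:\Windows\explorer.exe Image=C:\Users\Public\Documents\report.docx",
    r"Host=WS03 User=CORP\bob Parent=C:\Windows\explorer.exe Image=C:\Users\bob\AppData\Local\Temp\tool.exe",
]

# User-writable locations where no installed software is expected. Patterns are
# applied to a normalised path (lower case, backslashes only), so mixed-case or
# forward-slash spellings of the same directory do not evade the match.
USER_WRITABLE = [
    re.compile(r"^c:\\users\\[^\\]+\\(downloads|pictures|desktop|documents|music|videos)\\"),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\"),
    re.compile(r"^c:\\users\\public\\"),
]
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".ps1", ".bat", ".cmd")

# key=value pairs; values may contain spaces, so a value ends only at the next key.
KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    return dict(KV.findall(line))


def normalise(path: str) -> str:
    return path.strip().replace("/", "\\").lower()


def flag_user_writable_exec(line: str) -> Optional[Dict[str, str]]:
    """Return a finding when an executable image runs from a user-writable folder."""
    ev = parse_event(line)
    image = normalise(ev.get("Image", ""))
    if not image.endswith(EXECUTABLE_EXT):
        return None  # documents and other data files are not executions
    if not any(p.match(image) for p in USER_WRITABLE):
        return None
    return {"host": ev["Host"], "user": ev["User"], "image": ev["Image"], "parent": ev["Parent"]}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    return [hit for hit in (flag_user_writable_exec(l) for l in lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {hit['image']} (parent {hit['parent']})")
```

On the sample records this reports the Downloads, Pictures and Temp executables and ignores the Program Files binary and the Word document.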

6 min read. From darkreading.com

Table of contents: A Trio of Exploits; Turning Defender Against its Users; Targeted, Hands-on Attack; The Harder Part is Initial Access
