BlueHammer CVE-2026-33825: Ransomware Gangs Exploit Windows Defender in Live Attacks

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Ransomware gangs are actively exploiting CVE-2026-33825 — the Microsoft Defender privilege escalation flaw known as BlueHammer — to gain SYSTEM-level access and deploy ransomware across organizations running every current Windows version, according to CISA's Known Exploited Vulnerabilities catalog updated this week. The attack chain pairs BlueHammer's TOCTOU race condition with UnDefend, a Defender bypass tool, and BeigeBurrow, a Go-based C2 tunneling agent, to escalate privileges, degrade antimalware coverage, dump credentials, and stage ransomware deployment in a single kill chain that starts from one compromised endpoint.
BlueHammer CVE-2026-33825 is a time-of-check to time-of-use (TOCTOU) race condition in Windows Defender's file remediation engine. When Defender detects a malicious file and initiates cleanup, the exploit places a batch opportunistic lock on the operation, pausing Defender at the critical moment. During that pause, the attacker creates an NTFS junction point redirecting Defender's target path from an attacker-controlled temp directory to C:\Windows\System32. When Defender resumes, it writes the attacker's payload to System32 with SYSTEM privileges, granting full OS control without requiring admin credentials.
This campaign is active now. Huntress researchers documented a real intrusion in April 2026 where attackers entered via a compromised FortiGate SSL VPN, deployed BlueHammer and UnDefend to gain SYSTEM access and weaken Defender, then pivoted laterally before staging ransomware. CISA's July 2026 KEV update confirms the pivot from targeted intrusions to ransomware-scale campaigns. Windows Defender runs on every managed Windows endpoint. CVSS 7.8 understates the operational impact: a local privilege escalation that reliably achieves SYSTEM is a ransomware pre-condition, not a moderate inconvenience. Apply Microsoft's April 2026 cumulative update today.
How Does the BlueHammer Ransomware Attack Chain Work?
CVE-2026-33825 exploits a time-of-check to time-of-use (TOCTOU) race condition in Windows Defender Antivirus's threat remediation engine — the privileged component that cleans up detected malicious files. Defender's remediation process runs under SYSTEM privileges to handle files that unprivileged processes cannot delete. The vulnerability exists because Defender checks the target file path at the start of the remediation operation but executes the privileged file write at a later execution step, creating a race window between check and use.
The BlueHammer exploit triggers Defender's detection by placing a crafted file that matches a Defender threat signature. At the moment Defender prepares its privileged write to remove the file, the exploit places a Windows opportunistic lock (oplock) on the file, pausing the remediation thread. During this pause, the attacker creates an NTFS junction point redirecting the target directory from the attacker-controlled temp location to C:\Windows\System32. When the oplock releases, Defender follows the junction and writes the attacker's payload to System32 under SYSTEM privileges, achieving arbitrary file write at the highest OS privilege level.
From that SYSTEM-level write, the full ransomware chain proceeds: UnDefend is dropped and executed to disrupt Defender's signature update pipeline through directory monitoring and file locking, progressively weakening antimalware coverage. BeigeBurrow, a Go-based multiplexed reverse tunnel agent, establishes covert C2 connectivity to attacker-controlled infrastructure. Huntress documented the exact chain in a confirmed intrusion: BeigeBurrow connecting to 78[.]29[.]48[.]29 (Russia) via the domain staybud[.]dpdns[.]org. From that foothold, the attacker runs standard post-exploitation — credential enumeration, lateral movement, and ransomware staging. The full kill chain from Defender trigger to SYSTEM shell executes in minutes on an unpatched endpoint.
Which Windows Versions Are Vulnerable to CVE-2026-33825?
CVE-2026-33825 affects every supported version of Microsoft Windows: Windows 10 (all supported builds), Windows 11 (all supported builds), Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. The vulnerability resides in the Microsoft Defender Antivirus platform, which ships as a core OS component in all these releases. Any endpoint running Defender with a platform version predating Microsoft's April 2026 Patch Tuesday update is vulnerable.
Microsoft patched CVE-2026-33825 on April 14, 2026 as part of the April 2026 Patch Tuesday cumulative release — 12 days after the public proof-of-concept was released by researcher Nightmare-Eclipse. CISA added the vulnerability to its KEV catalog on April 22, 2026, issuing a mandatory patch deadline of May 7, 2026 for federal civilian agencies. That deadline passed more than 50 days ago. CISA's July 2026 KEV update adding the ransomware classification is the first formal confirmation that non-federal organizations are now being targeted.
The scope extends beyond traditional Windows workstations. Windows Server 2016 through 2025 running Defender on-premises or in cloud VMs are equally vulnerable. Azure VMs running Windows Server have Defender active by default. Organizations that rely on Defender ATP policies without verifying the underlying platform version are exposed. The patch is a standard Windows Update component — delivered as part of the cumulative update rollup, requiring no separate download. Organizations with deferred or paused update policies must enable and force the April 2026 cumulative update across all affected endpoints now.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
BlueHammer Ransomware: Active Targeting Evidence
CISA's July 2026 KEV update flagging CVE-2026-33825 as exploited in ransomware campaigns follows documented real-world intrusion evidence from Huntress. The Huntress intrusion began with compromised FortiGate SSL VPN credentials used to gain initial access from multiple geographies simultaneously — consistent with credential stuffing using infostealer-obtained VPN data, the same pattern observed in the broader FortiBleed credential exposure campaign active across 194 countries in June 2026.
The attacker staged BlueHammer, RedSun, and UnDefend in user-writable paths: the Pictures folder and short Downloads subfolders. This staging location is deliberate — user-writable paths generate less EDR scrutiny than %TEMP% or %AppData%. The initial BlueHammer execution was detected by Huntress on April 10, 2026, eight days after the public PoC release, placing it among the fastest commodity exploit adoptions observed this year. This rapid adoption pattern is consistent with CISA's June 2026 mandatory patch advisory covering Windows Defender and Langflow, which flagged Defender patches as immediately actionable.
No specific ransomware family has been attributed to the CVE-2026-33825 campaign by CISA. The toolkit — BlueHammer for privilege escalation, UnDefend for AV degradation, BeigeBurrow for C2 tunneling — is consistent with an affiliate-model ransomware operation where a broker supplies the toolkit and affiliates provide initial access. This structure matches Qilin, Akira, and Scattered Spider operations documented in 2026. Targeting is opportunistic rather than vertical-specific: any Windows organization with an internet-facing VPN and delayed patch cycles is a viable target.
“An exploit for CVE-2026-33825 exists in the wild. Organizations must apply the patch to all Windows systems running Microsoft Defender immediately.”
CISA Known Exploited Vulnerabilities Catalog, July 2026
TTPs Breakdown: How Threat Actors Operate the BlueHammer Kill Chain
The BlueHammer ransomware kill chain maps directly to MITRE ATT&CK. Initial access uses valid accounts (T1078) via compromised VPN credentials — bypassing perimeter controls because the attacker presents legitimate credentials. The Huntress intrusion showed simultaneous FortiGate VPN logins from Russia (78[.]29[.]48[.]29) and Singapore (212[.]232[.]23[.]69) using the same account within minutes, a behavioral signal detectable as impossible travel in most SIEM deployments.
Privilege escalation is the critical pivot. BlueHammer exploits Defender's remediation engine via TOCTOU (T1068), using Windows oplocks and NTFS junctions to redirect privileged file writes. Defender emits an alert during exploitation ("Exploit:Win32/DfndrPEBluHmr.BZ"), but the attacker follows immediately with UnDefend execution, disrupting Defender's signature pipeline (T1562.001 — Impair Defenses: Disable or Modify Tools). Once Defender is degraded, endpoint detection coverage narrows.
BeigeBurrow establishes the C2 channel (T1090 — Proxy; T1071 — Application Layer Protocol) using multiplexed reverse tunneling via the yamux protocol over HTTPS, producing traffic that resembles normal web egress. The C2 domain staybud[.]dpdns[.]org resolved to Switzerland-based infrastructure (179[.]43[.]140[.]214) in the documented intrusion. Standard post-exploitation reconnaissance follows (T1087 — Account Discovery): whoami /priv, cmdkey /list, net group. This identical sequence appeared in EDR-evasion ransomware toolkits documented earlier in 2026, confirming the TTPs are shared across multiple active campaigns. The time from initial VPN access to first BlueHammer execution was under 90 minutes in the Huntress case.
CVE-2026-33825 Indicators of Compromise
The indicators below originate from the April 2026 BlueHammer intrusion documented by Huntress. Threat actors rotate infrastructure between campaigns — treat any match as a high-confidence signal requiring immediate investigation. Block the listed IPs and domain at the network perimeter and search for the file hash across all managed endpoints. Report any match to your incident response team and isolate the affected endpoint before resuming operations.
Additional behavioral indicators to hunt: processes executing from C:\Users[username]\Pictures\ or short subdirectory paths under Downloads; binaries named FunnyApp.exe, RedSun.exe, undef.exe, z.exe, or agent.exe on Windows endpoints; and the Defender alert "Exploit:Win32/DfndrPEBluHmr.BZ" in your EDR console. Any single match from this list warrants a full endpoint investigation and review of connected accounts.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
How to Remediate CVE-2026-33825 Before Your Network Is Compromised
The patch for BlueHammer CVE-2026-33825 is available in Microsoft's April 2026 cumulative update, released 78 days ago. Apply it today. The steps below cover individual endpoints, enterprise environments, and detection controls to enable while patching is in progress.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Why BlueHammer CVE-2026-33825 Ransomware Matters for Your Organization
Privilege escalation vulnerabilities that reliably reach SYSTEM are ransomware force multipliers. An attacker who gains any foothold — a phished credential, a compromised VPN account, an exposed service account — can immediately escalate to SYSTEM via BlueHammer if the April 2026 patch is absent. That SYSTEM context enables credential dumping from LSASS, disabling AV via UnDefend, lateral movement through PsExec or WMI, and encrypting file servers from a process context that most endpoint controls cannot interrupt.
BlueHammer's operational danger is its reliability. TOCTOU exploits using Windows oplocks and NTFS junctions work consistently across all supported Windows versions because the race condition is in the Defender platform itself, not a version-specific memory allocation bug. A proof-of-concept that works on Windows 10 also works on Windows Server 2025. This cross-version reliability makes CVE-2026-33825 a high-value commodity for ransomware affiliates operating across diverse target environments without needing to customize the toolkit per OS version.
The patch has been available since April 14, 2026 — 78 days before today. Organizations still running unpatched Defender are exposed to a technique with a public PoC, a confirmed CISA ransomware classification, and documented real-world deployment in under 90 minutes from initial VPN compromise. BlueHammer CVE-2026-33825 ransomware campaigns will continue until patching eliminates the attack surface. The attack vector — privilege escalation followed by AV bypass — defines the difference between a contained intrusion and full network ransomware deployment. Patch today, confirm coverage across cloud and on-premises Windows before end of business, and monitor the IOCs above for any sign that an attacker is already present.
The bottom line
BlueHammer CVE-2026-33825 ransomware campaigns are confirmed active by CISA, targeting Windows organizations with delayed patching across Windows 10, 11, and Server 2016 through 2025. Three key takeaways: apply Microsoft's April 2026 cumulative update to every Windows endpoint today — the patch has been available for 78 days and active ransomware exploitation is confirmed by CISA; block BeigeBurrow C2 indicators (78.29.48.29, staybud.dpdns.org) at your network perimeter and hunt for the BeigeBurrow hash a2b6c7a9c4490df70de3cdbfa5fc801a3e1cf6a872749259487e354de2876b7c in your EDR; and audit VPN authentication logs for impossible-travel logins — the documented BlueHammer intrusion began with simultaneous FortiGate logins from Russia and Singapore. Close this BlueHammer CVE-2026-33825 exposure window before end of business today.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is BlueHammer CVE-2026-33825 in Windows Defender?
BlueHammer (CVE-2026-33825) is a CVSS 7.8 local privilege escalation vulnerability in Microsoft Defender Antivirus's threat remediation engine, affecting all supported Windows versions. The flaw is a time-of-check to time-of-use (TOCTOU) race condition: Defender checks a target file path at one execution point but performs its privileged file write at a later step, creating a race window. An attacker exploits this window using a Windows opportunistic lock to pause Defender's execution, then inserts an NTFS junction that redirects Defender's SYSTEM-level write from a temp directory to C:\Windows\System32, achieving arbitrary file write with full system privileges.
How are ransomware groups exploiting CVE-2026-33825?
Ransomware groups gain initial access via compromised VPN credentials, then stage BlueHammer, UnDefend, and BeigeBurrow in user-writable directories. BlueHammer escalates the attacker to SYSTEM via the TOCTOU race. UnDefend degrades Defender's signature pipeline to reduce antimalware coverage. BeigeBurrow establishes a covert multiplexed C2 tunnel using the yamux protocol over HTTPS, connecting to attacker infrastructure. From SYSTEM access, the attacker runs credential enumeration, moves laterally using PsExec or WMI, and deploys ransomware. CISA confirmed this use in ransomware campaigns in July 2026 with an updated KEV catalog entry.
Is my Windows system patched against BlueHammer?
The patch for CVE-2026-33825 was released on April 14, 2026 as part of the April 2026 Patch Tuesday cumulative update. To verify, open Settings > Windows Update and check the installed update history for the April 2026 cumulative update. On Windows Server, run Get-HotFix in PowerShell or query your endpoint management console. If the April 2026 or any subsequent monthly cumulative update is not installed, the system is vulnerable. CISA set a mandatory May 7, 2026 patch deadline for federal civilian agencies — that deadline has now passed by more than 50 days.
How does the BlueHammer TOCTOU race condition work?
TOCTOU stands for time-of-check to time-of-use. Windows Defender's remediation engine first checks the target file path to verify it is the malicious file to remove, then performs a privileged write at a later execution step. BlueHammer inserts a Windows oplock between these two steps, pausing Defender's execution thread. During that pause, the exploit creates an NTFS junction point redirecting the target path to C:\Windows\System32. When the oplock releases, Defender resumes, follows the junction, and writes the attacker's payload to System32 under SYSTEM privileges. Researcher Nightmare-Eclipse published a working proof-of-concept on April 2, 2026.
What is UnDefend and how is it used with BlueHammer?
UnDefend is a tool that targets Windows Defender's signature update pipeline, disrupting antimalware protection through directory monitoring and file locking techniques. In the BlueHammer attack chain, UnDefend deploys after BlueHammer achieves SYSTEM access. Its purpose is to progressively weaken Defender's detection capabilities, preventing it from flagging subsequent malicious activity including lateral movement tools and ransomware staging. UnDefend, BlueHammer, and RedSun were all published by researcher Nightmare-Eclipse in a 13-day window in April 2026, giving ransomware affiliates a complete privilege escalation and AV degradation toolkit.
How do I detect BlueHammer exploitation on my network?
Detection relies on three primary signals. First, look for the Defender alert Exploit:Win32/DfndrPEBluHmr.BZ in your EDR console — Defender flags the exploit attempt during the TOCTOU race. Second, monitor for executables running from unusual user-writable paths such as C:\Users\[username]\Pictures\ or short-named Downloads subdirectories, where BlueHammer operators deliberately stage their tools. Third, inspect VPN authentication logs for impossible-travel patterns — simultaneous successful logins from geographically distant IPs. In the documented Huntress intrusion, logins from Russia, Singapore, and Switzerland appeared within minutes on the same account.
What is BeigeBurrow and how does it enable ransomware deployment?
BeigeBurrow is a Go-based multiplexed reverse tunnel agent that provides ransomware operators with covert command-and-control connectivity after BlueHammer achieves SYSTEM access. It uses the yamux multiplexing protocol to create multiple logical channels over a single TCP connection that mimics normal HTTPS traffic, complicating network-level detection. In the documented BlueHammer intrusion, BeigeBurrow connected the compromised endpoint to attacker infrastructure at 78.29.48.29 (Russia) via the domain staybud.dpdns.org. Once the C2 channel is active, the operator can issue arbitrary commands, dump credentials, and stage ransomware payloads across the network.
Which sectors are targeted by BlueHammer ransomware campaigns?
CISA's KEV classification does not specify target sectors. The Huntress-documented intrusion does not disclose the victim industry. Initial access via compromised FortiGate VPN credentials indicates opportunistic targeting based on VPN exposure and delayed patching rather than sector-specific selection. Any organization running Windows endpoints with internet-facing VPN infrastructure that has not applied the April 2026 cumulative update is a viable target. Healthcare, manufacturing, and financial services represent the highest-volume ransomware targets in 2026 based on published attack data, but BlueHammer's cross-platform reach makes all Windows-dependent organizations at risk.
Sources & references
- CISA Known Exploited Vulnerabilities Catalog: CVE-2026-33825
- BleepingComputer: CISA Windows BlueHammer Flaw Now Exploited by Ransomware Gangs
- Huntress: Nightmare-Eclipse Tooling Seen in Real-World Intrusion
- Picus Security: BlueHammer and RedSun CVE-2026-33825 Explained
- Microsoft MSRC: CVE-2026-33825 Advisory
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
