Cyber Threat Brief — April 7 2026
1. BlueHammer Windows LPE Zero-Day — Unpatched, Public PoC
TL;DR: Disgruntled researcher “Chaotic Eclipse” published a working Windows local privilege escalation PoC on April 3 that abuses Windows Defender’s IMpService RPC to redirect SYSTEM-context file ops via NTFS junctions, yielding SAM hashes and SYSTEM. No patch; Microsoft acknowledged but did not coordinate fix.
What’s New:
- PoC at github.com/Nightmare-Eclipse/BlueHammer; reattempt fork at github.com/0xjustBen/BlueHammer with stabilization fixes confirmed working on Windows 10/11 client
- Chain: connects to Defender's internal IMpService RPC, calls the signature-update method, races a TOCTOU using Windows Cloud Files API (cfapi) callbacks and Volume Shadow Copy structures as sync primitives, then redirects via NtCreateSymbolicLinkObject/NtSetInformationFile junctions
- End state: read access to %SystemRoot%\System32\config\SAM and SYSTEM hives → offline hash extraction → SYSTEM-equivalent persistence
- Reliability bugs but "good enough"; Will Dormann independently confirmed working exploit
- Server SKUs only escalate to admin (not SYSTEM); workstation impact is full SYSTEM
- No CVE assigned; Microsoft has issued no patch or workaround as of April 7
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| RPC calls to Defender IMpService interface from non-Defender processes | Behavioral | T1559 / T1068 | Sysmon EID 17/18 (named pipe / RPC), ETW Microsoft-Windows-RPC | Hunt — baseline legitimate MsMpEng.exe callers; alert on others |
| NTFS junction/symlink creation under C:\ProgramData\Microsoft\Windows Defender\ or C:\Windows\System32\config\ | File | T1564.009 | Sysmon EID 11/15, EDR file events, fsutil reparsepoint audits | Alert — any junction created in these paths is high-fidelity |
| MsMpEng.exe opening or writing files outside %ProgramFiles%\Windows Defender\ and definition update dirs | Process I/O | T1574.001 | Sysmon EID 11, EDR file telemetry | Hunt — Defender writing to user-controlled paths |
| Process accessing \Device\HarddiskVolumeShadowCopyN\ from non-VSS context | File | T1006 | Sysmon EID 11, EDR | Alert — VSS handle abuse outside backup tooling |
| Handle open on SAM/SYSTEM registry hive files (not reg save) | File | T1003.002 | Sysmon EID 11, Object Access auditing (Event 4663) | Alert — SAM hive read by non-SYSTEM/backup process |
| cfapi.dll (CfRegisterSyncRoot, CfConnectSyncRoot) loaded by non-OneDrive/non-cloud-storage process | Module load | T1055 | Sysmon EID 7 | Hunt — anomalous Cloud Files API consumers |
| New repos: Nightmare-Eclipse/BlueHammer, 0xjustBen/BlueHammer | Tooling | — | Threat intel feeds | Block downloads at proxy; flag in repo monitoring |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | SAM Database File Access Attempt (covers hive reads), Msmpeng Application DLL Side Loading (adjacent) | Need: IMpService RPC anomaly, junction creation under Defender paths, cfapi callback abuse |
| Elastic | Suspicious Access to LSASS Handle From an Unknown Source (adjacent) | Need: SAM/SYSTEM hive open detection, Defender MsMpEng.exe anomalous file writes |
| Sigma | Potential Mpclient.DLL Sideloading Via Defender Binaries (proc_creation_win_mpcmdrun_dll_sideload_defender), Image Load Side Load Windows Defender (adjacent — different vector) | Need: Defender RPC client process anomaly, NTFS reparse point creation in protected dirs |
Mitigation until patch: Restrict SeCreateSymbolicLinkPrivilege (Group Policy: Create symbolic links) to Administrators only — already the default on most builds, but verify it on your images; enable the Attack Surface Reduction rule “Block abuse of exploited vulnerable signed drivers” and audit Defender tamper protection state.
Sources: BleepingComputer · Security Affairs · SecurityOnline · TechNadu · Cyber Security News · PoC repo (Nightmare-Eclipse) · PoC reattempt (0xjustBen)
Status Updates
- CVE-2026-35616 (Fortinet FortiClient EMS): CISA added to KEV April 6 with April 9 federal remediation deadline (3-day fuse — unusually short). No public PoC or IOC set yet; restrict EMS management plane to trusted IPs and apply Fortinet hotfix immediately. Original brief.
- CVE-2026-5281 (Chrome Dawn): CISA KEV deadline still April 15; no new exploitation telemetry. Verify fleet updates to 146.0.7680.178+. Original brief.
- CVE-2026-20127 (Cisco Catalyst SD-WAN): Metasploit module remains public; no new ITW campaigns reported. Five Eyes hunt guide still the best detection reference. Original brief.
- CVE-2026-4681 (PTC Windchill): No vendor patch; CISA ICS advisory ICSA-26-085-03 unchanged. Original brief.
- CVE-2025-47813 / 47812 (Wing FTP): Continued opportunistic exploitation; no new IOCs. Original brief.