The researcher who has spent months tormenting the Microsoft Security Response Center is back with a Windows Defender SYSTEM-access exploit and a fresh BitLocker bypass, both confirmed working against the June 2026 patch level.
The independent researcher operating as Nightmare-Eclipse, also known as Chaotic-Eclipse, has published two new local privilege escalation exploits this week, extending a long-running conflict with the Microsoft Security Response Center (MSRC). The releases, named RoguePlanet and GreatXML, both function against Windows installations carrying the June 2026 cumulative update, meaning neither relies on an unpatched or legacy system to work.

RoguePlanet: a race to SYSTEM
RoguePlanet is the more serious of the two. It abuses a vulnerability in Windows Defender to escalate to the SYSTEM account, the highest privilege tier on a Windows machine and one that sits above the standard Administrator context. SYSTEM access is the practical endpoint most local exploits aim for, because it grants unrestricted control: data exfiltration, persistent malware installation, credential harvesting, and tampering with security tooling all become available once an attacker reaches that level.
The delivery requirement is modest. An attacker only needs to convince a user to run a script, after which the exploit chain does the rest. What makes RoguePlanet less than a guaranteed kill is its dependence on a race condition. The exploit appears to hinge on timing between ISO mounting and the Volume Shadow Copy Service, which means the window for triggering it is not deterministic. Eclipse reports a 100 percent success rate on some installations and describes the exploit as having "struggled to work on others." That variance is characteristic of race-condition exploits, where success depends on operations completing in a specific order that the operating system does not promise.
Eclipse states that Windows Server is likely affected as well, but notes a wrinkle: Server editions do not let users mount ISO files by default, so the proof-of-concept would need a redesign to reach the same code path on those systems. That detail matters for enterprise risk assessment, since Server deployments would require additional attacker effort rather than a direct port of the existing code.

GreatXML: another BitLocker bypass
The second release, GreatXML, targets BitLocker, Microsoft's full-disk encryption layer. Eclipse positions it as considerably less dangerous than their earlier YellowKey bypass because the preconditions are far stricter. To execute it, an attacker must write a crafted unattend.xml file and a Recovery directory to the Windows recovery partition. If a Windows Defender Offline Scan has been run at any point, rebooting into the recovery environment then unlocks the BitLocker-protected drive without the expected authentication.
The bar for exploitation here is high. Writing to the recovery partition and the dependency on a prior Defender Offline Scan limit the practical attack surface. The significance is less about immediate mass exploitation and more about what it implies. A recovery environment that can be coaxed into opening an encrypted volume under any circumstance raises questions about the trust boundaries inside BitLocker and the Windows Recovery Environment (WinRE). Eclipse believes it may be possible to trigger a Defender Offline Scan without an authenticated login, which would lower the barrier substantially, though they have not demonstrated that yet.

The standoff with Redmond
The technical disclosures sit on top of an ongoing dispute. Microsoft has banned Eclipse's primary GitHub account, prompting the researcher to relocate proof-of-concept code to Church of Malware, a loosely moderated community repository for exploit code. A secondary GitHub account belonging to Eclipse reportedly remains active. Microsoft had earlier threatened legal action and then withdrew it.
Eclipse, for their part, had floated a mass disclosure of zero-day Windows vulnerabilities on July 14, an event they nicknamed "Windowspocalypse Day." That deadline now appears to be off the table. The researcher says RoguePlanet took longer to build than anticipated and signaled they may take a break, walking back the threatened coordinated dump.

What it means for defenders
For administrators, the immediate exposure from these two specific exploits is uneven. RoguePlanet's social-engineering entry point makes user-execution controls and script-execution policies the relevant mitigations, while its timing dependence means detection and response have room to interrupt the chain. GreatXML's strict preconditions keep it largely theoretical for now, but it reinforces the case for physical security on devices and for treating recovery-partition write access as a sensitive operation.
The broader pattern is the more durable concern. A single researcher continuing to surface SYSTEM-level escalations and encryption bypasses against fully patched builds points to structural soft spots in Defender and WinRE rather than isolated bugs. Each release narrows the gap between proof-of-concept and weaponized tooling, and the migration of that code to unrestricted repositories means takedowns no longer contain it. Organizations relying on BitLocker as a last line of defense for data at rest should track these disclosures closely and assume that recovery-environment behavior will remain an active research target.
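As an added defender-side check, not code from the article or from the researcher, the following script audits every recovery partition on the machine for unattend.xml files, the artefact GreatXML requires to be planted there; it assumes an elevated PowerShell session on a GPT disk, and the function name is my own.

```powershell
# Added example (not from the article or the researcher's code): enumerate partitions of
# type "Recovery" and report any unattend.xml on them, the precondition GreatXML needs.
# Assumes an elevated session and a GPT layout. The Recovery\WindowsRE folder holding
# Winre.wim is the normal WinRE payload and is not flagged by itself.
function Find-RecoveryPartitionUnattend {
    [CmdletBinding()]
    param()
    $findings = @()
    foreach ($part in (Get-Partition | Where-Object { $_.Type -eq 'Recovery' })) {
        $assignedHere = $false
        if ($part.DriveLetter -notmatch '[A-Za-z]') {
            # Recovery partitions normally carry no drive letter; assign one temporarily so
            # the volume can be enumerated, and release it again in the finally block.
            Add-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AssignDriveLetter
            $part = Get-Partition -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber
            $assignedHere = $true
        }
        $root = "$($part.DriveLetter):\"
        try {
            $files = Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
                     Where-Object { $_.Name -ieq 'unattend.xml' }
            foreach ($f in $files) {
                $findings += [pscustomobject]@{
                    Disk          = $part.DiskNumber
                    Partition     = $part.PartitionNumber
                    Path          = $f.FullName
                    LastWriteUtc  = $f.LastWriteTimeUtc
                    Sha256        = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
                }
            }
        }
        finally {
            if ($assignedHere) {
                Remove-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AccessPath $root
            }
        }
    }
    return $findings
}

$hits = Find-RecoveryPartitionUnattend
if ($hits) {
    Write-Warning "unattend.xml present on a recovery partition; verify its provenance before the next WinRE boot:"
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No unattend.xml found on recovery partitions."
}
```

Any hit is worth correlating with write access to the recovery partition, which the article's closing advice treats as a sensitive operation; a clean result does not rule out the RoguePlanet chain, which touches Defender rather than WinRE.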
