GitHub And GitLab Bans Fail To Slow Nightmare-Eclipse, July 14 Warning Escalates

The latest escalation around Nightmare-Eclipse is no longer just about disclosures of Windows vulnerabilities. After losing access to GitHub and then GitLab, the security researcher has shifted his activity to a personal blog while directing fresh pressure at Microsoft with a warning tied to 14 July.

He has also appeared under the aliases Chaotic Eclipse and Dead Eclipse. The attention around him intensified after he published six Windows zero-day disclosures in six weeks, covering six different flaws and each paired with weaponized proof-of-concept material.

What Microsoft has already patched

Among the six issues, three have already been fixed by Microsoft. BlueHammer, tracked as CVE-2026-33825, was addressed in the 14 April Patch Tuesday release, while RedSun and UnDefend were patched out of band on 21 May as CVE-2026-41091 and CVE-2026-45498.

Those emergency fixes came after Huntress confirmed that all three were already being exploited in real attacks. CISA later added the same three CVEs to its Known Exploited Vulnerabilities catalog and required federal agencies to patch CVE-2026-41091 and CVE-2026-45498 before 3 June.

The unresolved trio

Three other flaws remain unpatched: YellowKey, GreenPlasma, and MiniPlasma. MiniPlasma has drawn special attention because it targets the Windows Cloud Filter driver and can elevate a standard account to SYSTEM on Windows 11 with the May 2026 update installed.

BleepingComputer and several independent researchers confirmed that the exploit works without modification. That verification pushed MiniPlasma beyond a theoretical proof of concept and into a tool that has already been shown to run in a real environment.

Why the platform bans matter

The takedown sequence began after Microsoft was accused of flagging and removing GitHub repositories around 23 May 2026. Nightmare-Eclipse then moved to GitLab, but that account was also suspended on 26-27 May for hosting weaponized zero-day exploit code.

With both major code-sharing platforms closed off, the researcher shifted publication to a personal blog. That route offers a narrower reach, but it still allows direct distribution of binaries and source code as long as the site remains active.

A warning aimed at 14 July

In a signed post, the researcher addressed Microsoft directly and marked 14 July as a key date. He wrote, “Mark this date, July 14th. I will make sure your bones are shattered that day.”

He also said no new disclosure was planned for June, while leaving room to change course later. In an earlier post, he had already warned that he would escalate to remote code execution issues if Microsoft continued to ignore his reports.

The broader security concern

Barracuda Networks said Nightmare-Eclipse's exploit chain has already been seen in confirmed network intrusions. That chain combines privilege escalation through BlueHammer, RedSun, or MiniPlasma with Defender suppression through UnDefend.

The pattern shows how one flaw can be paired with another to expand attacker control inside Windows environments. For now, attention remains fixed on what may appear on 14 July, especially because previous warnings were followed by actual exploit releases.

Source: www.notebookcheck.net
