Microsoft’s Digital Crimes Unit is considering criminal action against a security researcher who has been publicly releasing proof-of-concept exploit code for unpatched Windows vulnerabilities. The researcher, operating under the name Nightmare Eclipse, has dropped six zero-day exploits between early April and mid-May 2026, targeting core Windows components including Windows Defender and BitLocker.

Three of those exploits were confirmed as being used in real-world attacks shortly after going public. Microsoft issued emergency patches and CISA added the vulnerabilities to its Known Exploited Vulnerabilities catalog.

Six exploits, six weeks, and a very public grudge

The vulnerabilities carry names that read like a cyberpunk novel: BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma. Several enable local privilege escalation to SYSTEM level. Others make it possible to bypass BitLocker, Microsoft’s full-disk encryption tool.

Nightmare Eclipse posted the exploit code on GitHub and GitLab, bypassing the standard coordinated vulnerability disclosure process. Some of their posts suggest they are a disgruntled former Microsoft employee. Their stated motivations include mistreatment by Microsoft’s Security Response Center, denied bug bounties, and deleted accounts.