- “BlueHammer” targets Windows Defender’s update mechanism and can elevate a local user to administrator—and in some cases SYSTEM—privileges.
- Enterprises now face an unpatched local privilege escalation affecting a widely deployed, SYSTEM-privileged component.
An anonymous security researcher has published a working zero-day exploit for Windows on GitHub, triggering urgent warnings from defenders and rapid interest from would-be attackers. The flaw, dubbed “BlueHammer,” targets Windows Defender’s update mechanism and can elevate a local user to administrator—and in some cases SYSTEM—privileges.
The exploit appeared on April 2, 2026, under the alias “deadeclipse666,” following a March 26 blog post threatening disclosure over a dispute with Microsoft. “Running that ‘whoami’ and seeing SYSTEM just hits different,” one GitHub user commented after testing the code. The repository quickly amassed more than 100 forks and nearly 300 stars.
Security researchers say the exploit is real. Justin Elzem, CTO at TrustedSEC, described the bug as a TOCTOU/symlink race in Defender’s signature updates, where a SYSTEM-privileged process follows paths a low-privilege user can redirect. Will Dormann, Senior Principal Vulnerability Analyst at Tharros, confirmed he achieved elevated privileges by running the proof-of-concept, noting the reliability varies and that Windows Server builds sometimes grant only admin, not SYSTEM.
While eight of 72 antivirus engines on VirusTotal flagged the shared FunnyApp.exe binary, experts warn the public C source code enables attackers to recompile countless variants and bypass signature-based detection. “With source in hand, hash-based defenses are largely moot,” one analyst said.
The leaker, who also posted on X and Blogger, accused Microsoft of breaking an agreement and “leaving me homeless,” vowing to dump code without detailed explanations.
In posts calling out the Microsoft Security Response Center (MSRC) and its leadership, the researcher thanked them “for making this possible,” and acknowledged the exploit “has a few bugs” that may be fixed later.
Microsoft said it supports coordinated vulnerability disclosure and investigates reported issues promptly, adding that video demonstrations are sometimes requested to assess impact but are not required. Some researchers contend MSRC’s processes have deteriorated. “MSRC used to be quite excellent to work with,” Dormann said, alleging staffing cuts and rigid triage have increased friction for reporters.
Enterprises now face an unpatched local privilege escalation affecting a widely deployed, SYSTEM-privileged component. Defenders are urging immediate hardening and monitoring: restrict execution from user-writable paths via WDAC/AppLocker, watch for junction/symlink creation and anomalous activity by msmpeng.exe, and prepare for behavior-focused detection as attackers spin up polymorphic variants. A fix from Microsoft is pending.