Hackers have broken into at least one organization using Windows vulnerabilities published online by a disgruntled security researcher over the last two weeks, according to a cybersecurity firm.

On Friday, cybersecurity business Huntress remarked in a series of posts on X that its researchers have seen hackers taking advantage of three Windows security flaws, dubbed BlueHammer, UnDefend, and RedSun. 

It’s unclear who the target of this attack is, and who the hackers are.

BlueHammer is the only bug among the three vulnerabilities being exploited that Microsoft has patched so far. A fix for BlueHammer was rolled out earlier this week. 

It seems the hackers are exploiting the bugs by using exploit code that the security researcher published online. 

Earlier this month, a researcher who goes by Chaotic Eclipse published on their blog what they commented was code to exploit an unpatched vulnerability in Windows. The researcher alluded to some conflict with Microsoft as the motivation behind publishing the code. 

“I was not bluffing Microsoft and I’m doing it again,” they wrote. “Huge thanks to MSRC leadership for making this possible,” they added, referring to Microsoft’s Security Response Center, the company’s team that investigates cyberattacks and handles reports of vulnerabilities.

Meet your next investor or portfolio startup at Disrupt

Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to , where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $410. This also touches on aspects of software update.

Days later, Chaotic Eclipse published UnDefend, and then earlier this week published RedSun. The researcher published code to exploit all three vulnerabilities on their GitHub page. 

All three vulnerabilities affect the Microsoft-made antivirus Windows Defender, allowing a hacker to gain high-level or administrator access to an affected Windows computer.

TechCunch could not reach Chaotic Eclipse for comment.

In response to a series of specific questions, Microsoft’s communications director Ben Hope remarked in a statement that the firm supports “coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community.” Furthermore, experts in mobile apps note the continued relevance.

This is a case of what the cybersecurity industry calls “full disclosure.” When researchers find a flaw, they can report it to the affected software maker to help them fix it. At that point, usually the firm acknowledges receipt, and if the vulnerability is legitimate, the enterprise works to patch it. Often, the firm and researchers agree on a timeline that establishes when the researcher can publicly explain their findings. 

Sometimes, for a variety of reasons, that communication breaks down and researchers publicly disclose details of the bug. In some cases, in part to prove the existence or severity of a flaw, researchers go a step further and publish “proof-of concept” code capable of abusing that bug.

When that happens, cybercriminals, government hackers, and others can then take the code and employ it for their attacks, which prompts cybersecurity defenders to rush to deal with the fallout. 

“With these being so easily available now, and already weaponized for easy employ, for better or for worse I think that ultimately puts us in another tug-of-war match between defenders and cybercriminals,” John Hammond, one of the researchers at Huntress who has been tracking the case, told TechCrunch. 

“Scenarios like these cause us to race with our adversaries; defenders frantically try to protect against ill-intended actors who rapidly take advantage of these exploits… especially now as it is just ready-made attacker tooling,” commented Hammond.

Topics