Microsoft’s Defender Turns Against It: The RoguePlanet Zero-Day Exposes a Pattern of Persistent Flaws

Nightmare Eclipse released RoguePlanet hours after Microsoft's record June Patch Tuesday. The proof of concept exploits a race condition in Windows Defender to obtain SYSTEM privileges on fully patched Windows 10 and 11. It is the latest in a months-long run of public zero-days that highlights the researcher's running dispute with the company and forces defenders to rethink their reliance on built-in protections. The pattern shows no sign of slowing.
Written by Maya Perez

Hours after Microsoft pushed its largest Patch Tuesday on record this June, a single researcher dropped another proof-of-concept exploit. RoguePlanet targets a race condition inside Windows Defender. It spawns a command prompt running as SYSTEM on fully updated Windows 10 and Windows 11 machines. The disclosure fits a now-familiar rhythm.

Nightmare Eclipse, who also posts as Chaotic Eclipse, has released at least seven such tools since early April 2026. Each one turns a Microsoft defensive component into an attack vector. BlueHammer came first. Then RedSun. UnDefend followed. YellowKey, GreenPlasma, MiniPlasma, and now RoguePlanet. The pace has security teams questioning the durability of patches and the wisdom of public escalation.

“The exploit is a race condition, so it’s a hit or miss,” the researcher wrote in notes accompanying the GitHub release. Success rates vary. Some systems yield reliable results. Others resist. Still, independent testers confirmed the code works. BleepingComputer reported that researchers reproduced the privilege escalation shortly after publication.

The exploit abuses how Defender handles certain operations. Earlier versions of RoguePlanet reportedly allowed remote code execution over SMB shares. A May update from Microsoft appears to have closed that path. What remains is local privilege escalation: an attacker who already runs code as a standard user can climb to full SYSTEM control. No additional software is required, just the built-in antivirus engine working against the host.

This isn’t the first time Nightmare Eclipse has struck right after Patch Tuesday. The pattern repeats: Microsoft fixed two of the researcher’s earlier bugs in the June update, and hours later RoguePlanet appeared. The Hacker News documented the timing and noted the exploit functions on machines that received the latest cumulative updates.

Why the grudge? Public statements from the researcher point to frustration with Microsoft’s vulnerability intake process. Reports were dismissed. Demands for video proof went unmet. Microsoft once threatened the individual with legal action. The response backfired. Disclosures accelerated. The Next Web traced the feud, noting the researcher published RoguePlanet as the seventh Windows zero-day in a matter of months.

Enterprise defenders face a difficult calculation. Patch early, test thoroughly, and new bypasses surface anyway. Some of the earlier tools, such as GreenPlasma and YellowKey, received fixes in June. Others linger. Barracuda’s analysis listed six prior releases by the same actor and described the campaign as driven by personal grievance, highlighting how the researcher abuses Defender, BitLocker, and core Windows subsystems themselves rather than simply bypassing them.

Dark Reading placed the latest release in context. For the second month running, an exploit followed Patch Tuesday. The June update fixed 206 CVEs, a record. RoguePlanet makes that number feel incomplete. Dark Reading quoted the researcher’s GitHub notes on the race condition’s unpredictability and observed no sign the campaign will slow.

Help Net Security captured the immediate aftermath. Microsoft shipped fixes for nearly 200 vulnerabilities. Within hours the new zero-day appeared. The publication noted that initial development targeted remote code execution. A prior Defender patch changed the math. Help Net Security reported the exploit now focuses on local privilege escalation to SYSTEM.

ThreatLocker’s threat intelligence team replicated the PoC on patched systems. Their analysis called RoguePlanet the researcher’s eighth project in three months. The tool abuses Defender functionality to achieve the escalation. ThreatLocker Blog emphasized that the vulnerability survived the June Patch Tuesday.

Cybernews framed the release as a repeated “sucker punch.” The researcher, banned from one GitHub account, simply created another under MSNightmare. RoguePlanet joined a growing list. Cybernews detailed the researcher’s history of public protest against Microsoft’s disclosure practices.

SecurityWeek highlighted the race condition in Defender that leads directly to local privilege escalation. The publication linked the PoC repository and noted the researcher’s blog post on the exploit’s history. SecurityWeek confirmed the tool works post-update.

So what does this mean for organizations? Administrators cannot assume that Patch Tuesday clears the board. Defensive layers like Defender require constant scrutiny. Tools that monitor for anomalous process creation, in particular a command shell unexpectedly running as SYSTEM, gain new relevance. The researcher described RoguePlanet as a draining project, and a planned mass disclosure for July 14 has been postponed. The pause offers little comfort. The next release could arrive without warning.

Microsoft issued a statement to BleepingComputer acknowledging the report and reiterating support for coordinated disclosure. The company has patched several of the earlier bugs. Others remain open. The cycle continues. Each new exploit forces security teams to revisit assumptions about built-in protections.

Nightmare Eclipse operates alone. Motivation appears personal. Impact spreads wide. Enterprises running Windows at scale now treat these PoCs as live threats. BlueHammer saw real-world use within weeks of release. Huntress and other firms documented intrusions leveraging the earlier tools. RoguePlanet could follow the same path.

The researcher’s blog post on RoguePlanet offers a quick history. It describes early success with remote execution that later narrowed. The current version focuses on local access yet still delivers the highest possible privileges. Success depends on timing the race condition. On some hardware the window aligns perfectly. On others it does not. That variability does not diminish the finding. A working path to SYSTEM from a standard user account changes the risk equation.

Defenders who once viewed Defender as the final gate now see it as a potential doorway. The irony registers. The product designed to stop malware hands attackers the keys. Microsoft has improved its bounty program and disclosure channels in recent years. This campaign tests those changes in public view.

Analysts expect the researcher to continue. Previous promises of larger dumps have been scaled back only because development proved exhausting. The individual shows deep knowledge of Windows internals. Each release demonstrates familiarity with Defender’s update mechanisms, cloud integration points, and file-handling logic.

Organizations should accelerate adoption of application control, behavioral monitoring, and least-privilege enforcement. They cannot rely solely on Microsoft’s update cadence. The gap between patch release and exploit publication has shrunk to hours. That leaves little margin for testing and deployment.
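The behavioral-monitoring angle raised here, and the earlier point about hunting for unexpected SYSTEM shells, can be made concrete with a small hunt script. The following is an added example for this article, not code from the researcher, from Microsoft, or from any of the vendors quoted above. It assumes Sysmon Event ID 1 (ProcessCreate) field names as exported to JSON lines (the ParentUser field requires Sysmon 13.10 or later), an assumed baseline of parents that legitimately launch SYSTEM shells, and four constructed sample records; nothing in it describes what RoguePlanet's own telemetry looks like.

```python
"""Hunt for unexpected SYSTEM command shells in process-creation telemetry.

Added example for the article above; not the researcher's, Microsoft's, or
any vendor's code. Reads CONSTRUCTED Sysmon Event ID 1 records (JSON lines)
and flags cmd/powershell running as SYSTEM that break an ASSUMED baseline.
"""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

# Assumed baseline: parents that legitimately launch SYSTEM shells (service
# control manager, service hosts running scheduled tasks or WMI). Tune this
# to your own environment before relying on it.
BASELINE_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """The Sysmon Event ID 1 fields this hunt uses (ParentUser: Sysmon 13.10+)."""
    utc_time: str
    image: str
    parent_image: str
    user: str
    parent_user: str
    terminal_session_id: int

    @classmethod
    def from_json(cls, line: str) -> "ProcEvent":
        r = json.loads(line)
        return cls(r["UtcTime"], r["Image"], r["ParentImage"], r["User"],
                   r["ParentUser"], int(r["TerminalSessionId"]))


@dataclass(frozen=True)
class Finding:
    utc_time: str
    image: str
    reasons: Tuple[str, ...]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> Optional[Finding]:
    """Return a Finding for a SYSTEM shell that breaks the baseline, else None."""
    if basename(ev.image) not in SHELLS or ev.user.upper() != SYSTEM_ACCOUNT:
        return None
    reasons = []
    parent = basename(ev.parent_image)
    if parent not in BASELINE_SYSTEM_PARENTS:
        reasons.append(f"parent {parent} is not a baselined SYSTEM launcher")
    if ev.parent_user.upper() != SYSTEM_ACCOUNT:
        # A non-SYSTEM parent producing a SYSTEM child is the LPE signature.
        reasons.append(f"privilege jump: parent ran as {ev.parent_user}")
    if ev.terminal_session_id != 0:
        # Service-spawned SYSTEM shells live in session 0; an interactive
        # session means someone at a desktop got a SYSTEM prompt.
        reasons.append(f"SYSTEM shell in interactive session {ev.terminal_session_id}")
    return Finding(ev.utc_time, ev.image, tuple(reasons)) if reasons else None


def hunt(lines: List[str]) -> List[Finding]:
    """Run evaluate() over JSON-line records and keep only the findings."""
    events = (ProcEvent.from_json(ln) for ln in lines if ln.strip())
    return [f for f in (evaluate(e) for e in events) if f is not None]


# CONSTRUCTED sample records in Sysmon-export shape; not real telemetry.
SAMPLE_LOG = r'''
{"UtcTime":"2026-06-10 03:00:01","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","User":"NT AUTHORITY\\SYSTEM","ParentUser":"NT AUTHORITY\\SYSTEM","TerminalSessionId":0}
{"UtcTime":"2026-06-10 09:12:44","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","User":"WORKSTN\\alice","ParentUser":"WORKSTN\\alice","TerminalSessionId":1}
{"UtcTime":"2026-06-10 09:15:02","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Users\\alice\\Downloads\\poc.exe","User":"NT AUTHORITY\\SYSTEM","ParentUser":"WORKSTN\\alice","TerminalSessionId":1}
{"UtcTime":"2026-06-10 11:30:17","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\PSEXESVC.exe","User":"NT AUTHORITY\\SYSTEM","ParentUser":"NT AUTHORITY\\SYSTEM","TerminalSessionId":0}
'''.strip().splitlines()


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f.utc_time, f.image)
        for r in f.reasons:
            print("   -", r)
```

Of the four constructed records, the scheduled-task shell under svchost.exe and the user's own PowerShell pass silently; the SYSTEM cmd.exe spawned from a user-session binary trips all three rules (unbaselined parent, user-to-SYSTEM jump, interactive session), while the PsExec-style shell trips only the parent rule, which is the kind of hit you resolve by extending the baseline rather than by loosening the privilege-jump check. The same logic maps onto Security event 4688 if you swap in its SubjectUserName, TargetUserName, NewProcessName and ParentProcessName fields, though 4688 carries no session identifier.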

RoguePlanet adds one more data point to an uncomfortable trend. Windows security depends on layers. When one layer can be turned against the system, the others must compensate. Security teams that treat these disclosures as isolated incidents miss the larger signal. A motivated individual with time and skill can surface serious flaws at will.

The coming weeks will reveal whether Microsoft assigns a CVE, issues an out-of-band fix, or absorbs the finding into a future update. In the meantime, the PoC circulates freely. Red teams test it. Blue teams hunt for indicators. And the researcher, for now, rests after a draining project. The feud shows no signs of ending. Neither does the stream of working exploits.
