Overview
- Huntress, which began seeing BlueHammer activity on April 10, reported on Thursday that RedSun and UnDefend were being used in intrusions.
- RedSun is a local privilege escalation exploit that grants SYSTEM access on fully patched Windows 10, Windows 11, and Windows Server systems when Defender is enabled, according to analyst Will Dormann.
- Microsoft fixed BlueHammer in Tuesday’s April security updates as CVE-2026-33825, but RedSun and UnDefend still lack patches, so vendors urge installing the April updates and using extra endpoint protections.
- One breach Huntress investigated involved a compromised SSLVPN user, with attackers dropping the RedSun and UnDefend executables into common folders, renaming them, and running reconnaissance commands before launching the exploits.
- Dormann says RedSun abuses the Cloud Files API and a race condition to overwrite TieringEngineService.exe so that attacker code runs as SYSTEM. The PoCs were publicly posted by a researcher protesting Microsoft's response process; the company reiterated its support for coordinated disclosure.
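The two facts above that a defender can act on are that RedSun works by replacing TieringEngineService.exe on disk and that the intrusion Huntress saw started with renamed executables dropped into common folders. The following triage script is an added example, not code from the article, Huntress, or Dormann. It assumes the service binary sits in its normal %SystemRoot%\System32 location, that the "common folders" (unnamed in the article) are the typical user-writable ones listed in $DropFolders, and that it runs under Windows PowerShell 5.1 or later with the Defender module available; all three are assumptions to adjust for your environment.

```powershell
# Added triage script; not from the article, Huntress, or Dormann.
# Assumptions (not stated on the page):
#  - TieringEngineService.exe normally lives in %SystemRoot%\System32.
#  - The article does not name the "common folders" used; $DropFolders is a guess.
#  - Windows PowerShell 5.1+ (or PowerShell 7) on Windows; Get-MpComputerStatus needs
#    the Defender module, which some SKUs lack, hence the try/catch.

$TieringBinary = Join-Path $env:SystemRoot 'System32\TieringEngineService.exe'
$DropFolders   = @("$env:SystemDrive\Users\Public", "$env:ProgramData", "$env:SystemRoot\Temp")

function Get-SignatureVerdict {
    # Authenticode status plus signer subject for one file. Get-AuthenticodeSignature
    # also honours catalog signatures, which is how most inbox Windows binaries are
    # signed, so a tampered System32 file reports HashMismatch or NotSigned, not Valid.
    param([Parameter(Mandatory)][string]$Path)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path            = $Path
        Status          = [string]$sig.Status
        Signer          = $signer
        MicrosoftSigned = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')
        LastWriteUtc    = (Get-Item -LiteralPath $Path).LastWriteTimeUtc
    }
}

function Test-TieringEngineIntegrity {
    # The overwrite the article describes replaces the service binary on disk; a
    # non-Microsoft signature state or a fresh write time is the thing to look for.
    if (-not (Test-Path -LiteralPath $TieringBinary)) {
        Write-Warning "$TieringBinary not found (service may be absent on this SKU)"
        return $null
    }
    $v = Get-SignatureVerdict -Path $TieringBinary
    if (-not $v.MicrosoftSigned) {
        Write-Warning "TieringEngineService.exe is not Microsoft-signed: $($v.Status) / $($v.Signer)"
    }
    $v
}

function Get-DefenderExposure {
    # RedSun is reported to require Defender enabled; record that state for triage.
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            AntivirusEnabled          = $s.AntivirusEnabled
            RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        }
    } catch {
        Write-Warning "Defender status unavailable: $($_.Exception.Message)"
        $null
    }
}

function Find-SuspiciousDrops {
    # Renamed droppers in user-writable folders: recently written executables that
    # are not Microsoft-signed. Renaming a file does not change its signature state.
    param([int]$Days = 14)
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)
    foreach ($folder in $DropFolders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -Recurse -Depth 3 -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll' -and $_.LastWriteTimeUtc -gt $cutoff } |
            ForEach-Object { Get-SignatureVerdict -Path $_.FullName } |
            Where-Object { -not $_.MicrosoftSigned }
    }
}

Test-TieringEngineIntegrity | Format-List
Get-DefenderExposure        | Format-List
Find-SuspiciousDrops | Select-Object Path, Status, Signer, LastWriteUtc | Format-Table -AutoSize
```

Two caveats. The signature check only catches a replacement that is still on disk; an attacker who restores the original binary after the service has run it leaves just the write timestamp and whatever EDR or Sysmon recorded about the file write and the service's child processes, so pair this with that telemetry. And matching the signer subject on "Microsoft" is deliberately loose for readability; for a production hunt compare against the expected subject string exactly.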