Vengeful researcher drops Microsoft zero-days for a third time: “It will never stop”

A skilled security researcher who went rogue after claiming Microsoft left him “homeless with nothing” has released a third wave of Windows zero-day vulnerabilities, timing the drop just after Patch Tuesday. The “most insane” exploit bypasses BitLocker encryption, while the other zero-day escalates any user to SYSTEM privileges.
It's becoming a tradition: after Windows Patch Tuesday, the vindictive researcher, going by the aliases “Chaotic Eclipse” and “Nightmare Eclipse,” drops a critical Windows exploit, leaving millions of systems vulnerable to attackers.
The hacker first released the Windows Defender privilege escalation exploit on April 2nd, 2026, followed by another exploit on April 15th, both granting the highest (SYSTEM) privileges to attackers.
This time, “Defender has been spared,” but the researcher dropped an exploit that might seem hard to believe – a vulnerability bypassing BitLocker encryption entirely.
All the attacker needs is to plug a USB stick containing an exploit into a targeted Windows computer with BitLocker protection turned on, reboot into Windows Recovery Environment, enter a specific key combination, and a shell will spawn with unrestricted access to the supposedly protected volume.
“This is one of the most insane discoveries I've ever found. It almost feels like a backdoor, but what do you know, maybe I’m just insane,” the hacker writes.
“Now, why would I say this is a backdoor?”
The researcher suspects that the vulnerable component was intentionally planted in the recovery environment and isn’t documented anywhere.
“The exact same component is also present with the exact same name in a normal Windows installation, but without the functionalities that trigger the BitLocker bypass issue. Why? I just can’t come up with any explanation other than the fact that this was intentional.”
The disgruntled researcher said that only Windows 11, Windows Server 2022, and Windows Server 2025 are affected, not Windows 10. They named the exploit “Yellow key.”
The exploit is publicly available on GitHub. Cybernews has not tested it. However, a threat researcher who goes by the alias KevTheHermit on X confirmed that it works, even though the required key presses are “a bit hit or miss.”
The second zero-day flaw is a privilege escalation vulnerability dubbed “GreenPlasma.” It targets the CTFMON (ctfmon.exe) process, which runs as SYSTEM in every interactive session and is responsible for text input features.
Security researcher Het Mehta, who analyzed the exploit, explained that it plants an arbitrary memory section and tricks CTFMON into interacting with it through a chain of Windows registry tricks and permission rules. This gives the attacker control over a piece of memory that the system fully trusts, allowing malicious shellcode or fake DLLs to be planted.
Nightmare-Eclipse, however, deliberately released an incomplete version of the exploit, lacking the final puzzle piece that would grant a full SYSTEM shell, framing it as a capture-the-flag challenge.
“If you’re smart enough, you can turn this into a full privilege escalation as you can influence the newly created section to manipulate data,” the exploit’s documentation reads on GitHub.
“Lots of services (and even kernel mode drivers) blindly trust certain paths since a standard user is normally not supposed to have write access to them.”
More threats made: “It will never stop”
The anonymous researcher threatens to release further and more severe exploits, saying that the next Patch Tuesday will be “a big surprise for you, Microsoft.”
“Your recent actions made me take the difficult decision to drag other companies into this. Be prepared to answer questions,” the rogue researcher said in a blog post.
“And remember, I never failed to deliver a promise.”
The researcher repeatedly accused Microsoft of escalating the conflict and warned that the public disclosures would continue as long as the company refuses to “resolve the situation responsibly.”
“The fire will go as long as you want, unless you extinguish it or until there is nothing left to burn.”
On April 25th, on the same blog, the researcher warned Microsoft of some sort of a “dead man switch,” likely referring to a mechanism designed to trigger automatically. The researcher claims it took “forever to deploy,” and “it will take you a lot of time to patch what will be published” if it trips.
“In the off chance, you decide that you want to proceed with whatever funny ideas you have in your head. I'm recommending that you do not do it,” the post reads.
As previously reported by Cybernews, the anonymous individual holds personal grudges against Microsoft, claiming the company “violated our agreement and left me homeless with nothing.”