
YellowKey and GreenPlasma: Two New Windows Zero-Days Unveiled

Two novel Windows zero-day vulnerabilities dubbed YellowKey, which bypasses BitLocker drive encryption, and GreenPlasma, a local privilege escalation bug that targets a trusted Windows process called CTFMON, were recently publicly released. Nightmare-Eclipse (aka Chaotic Eclipse), a researcher who grew frustrated with Microsoft’s bug-reporting process, dropped both vulnerabilities simultaneously on GitHub, keeping true to his intent of releasing Windows vulnerabilities in waves.

These two new Windows vulnerabilities have critical implications for organizations when exploited and should be considered active threats. YellowKey enables any attacker with physical access and a USB device to bypass BitLocker's encryption and gain unfettered access to encrypted laptops almost immediately. GreenPlasma allows threat actors to escalate to full SYSTEM-level privileges, without credentials or admin rights, by exploiting the CTFMON object and establishing an attacker-controlled memory section. As of writing, Microsoft has yet to release patches for either YellowKey or GreenPlasma.

These two new disclosures follow Nightmare-Eclipse's previously released Microsoft Defender vulnerabilities, namely BlueHammer, RedSun, and UnDefend. Reports show that these vulnerabilities are being actively exploited in the wild; however, Microsoft has only released a patch for BlueHammer and has yet to release patches for the other two bugs.

Researchers have observed hands-on-keyboard intrusion activity using BlueHammer, RedSun, and UnDefend within days of their release and have attributed it to infrastructure with Russia-geolocated source IPs. Ransomware operators and APT groups routinely integrate public LPE code within the same window. The operational window for YellowKey and GreenPlasma exploitation by third-party threat actors should therefore be considered active.


YellowKey (BitLocker Bypass Vulnerability) Technical Analysis

YellowKey, which affects Windows 11 and Windows Server 2025, targets a weakness in how the Windows Recovery Environment (WinRE) handles volumes protected by BitLocker, a built-in security feature for Windows that enables full-volume encryption. To break encryption, YellowKey abuses a behavioral trust assumption in the recovery interface, allowing attackers to spawn an unrestricted shell with full access to the encrypted volume during the pre-boot recovery sequence. And because YellowKey doesn’t require software installation, existing credentials, or network access to break encryption, any machine that has a USB port and can be rebooted can be a target.

It’s also important to note that BitLocker is not merely a technical control; it is a regulatory compliance anchor for a significant portion of the enterprise Windows population. HIPAA, CMMC, FedRAMP, PCI-DSS, and SOC 2 frameworks all recognize encryption of data at rest as a qualifying protective measure, and BitLocker is the default implementation for most organizations meeting those obligations. If YellowKey cannot be patched quickly, organizations in regulated industries face a material compliance gap that cannot be closed by software updates alone.


Attack Mechanism

  • An attacker prepares a USB drive containing the YellowKey exploit payload.
  • The USB is inserted into a BitLocker encryption-enabled target machine.
  • The attacker forces or waits for a reboot into the WinRE.
  • A specific key combination is entered within the WinRE interface, triggering the exploit condition.
  • A shell spawns with unrestricted access to the BitLocker-protected volume without requiring a decryption key.


YellowKey’s Impact

  • Completely negates BitLocker as a data-at-rest protection control for physically accessible endpoints.
  • Any Windows laptop, workstation, or server with a USB port and BitLocker enabled is potentially compromised by physical access alone with no credentials, no PIN, no TPM bypass required.
  • Laptop theft scenarios become data breach scenarios. Organizations that have accepted physical theft risk on the assumption that BitLocker would protect data must reassess that posture immediately.
  • Supply chain and insider threat vectors are substantially elevated. A device that is briefly unattended (hotel room, conference, courier) can be compromised without leaving forensic evidence of access.
  • Particularly acute for public sector, healthcare, legal, and financial organizations with regulatory obligations tied to encryption of data at rest (HIPAA, CMMC, PCI-DSS, FedRAMP).
  • Anecdotal evidence suggests that law enforcement officers (LEOs) are already using this exploit to bypass drive protections on hard drives already held in evidence for ongoing investigations and current legal cases.


GreenPlasma (CTFMON Arbitrary Section Creation Elevation of Privilege) Technical Analysis

GreenPlasma exploits a Windows component responsible for managing text input services called the CTFMON process (ctfmon.exe). Due to CTFMON running as SYSTEM in interactive user sessions, threat actors can abuse it for privilege escalation. When attackers use GreenPlasma, they can create an arbitrary memory section object within a namespace location that standard users should not be able to influence. This vulnerability affects Windows 10, Windows 11, and Windows Server (interactive sessions with CTFMON active).

It should be noted that Nightmare-Eclipse only released a partial public proof of concept (PoC) for GreenPlasma, withholding the final SYSTEM shell stage as a capture-the-flag (CTF) challenge. Despite this partial release, any researcher with moderate Windows internals knowledge can still weaponize this vulnerability.


Attack Mechanism

  • The attacker, operating as a standard unprivileged user, executes the GreenPlasma payload.
  • The payload uses Windows object manager primitives to plant an arbitrary memory section in a location CTFMON monitors or interacts with.
  • A chain of Windows registry manipulations and permission boundary abuses is used to trick CTFMON into interacting with the attacker-controlled section.
  • CTFMON, operating under SYSTEM privileges, interacts with the attacker-controlled memory. This allows the placement of malicious shellcode or a fake DLL in a region fully trusted by the OS.
  • Notably, Nightmare-Eclipse released an intentionally incomplete version, withholding the final code required for a full SYSTEM shell, framing the gap as a capture-the-flag challenge with the comment: "If you're smart enough, you can turn this into a full privilege escalation as you can influence the newly created section to manipulate data."


GreenPlasma’s Impact

  • If fully weaponized (which the existing partial PoC makes feasible for a skilled attacker), it provides SYSTEM-level access from any standard user account with no administrator rights required.
  • Enables credential harvesting, persistence installation, lateral movement, and complete security control bypassing from a fully patched Windows machine.
  • The CTFMON attack surface is present on every interactive Windows session. There is no special configuration or software required for exploitation.
  • Combined with YellowKey, enables a comprehensive attack scenario: physical access yields disk contents, GreenPlasma escalates any low-privilege code execution to SYSTEM on any acquired or accessed machine.


A Holistic Look at the Exploit Chain: Unified Attack Scenarios

All five of the vulnerabilities that Nightmare-Eclipse released, when viewed as a unified collection of attack tools, span the full attack lifecycle — initial access, privilege escalation, defense evasion, and data access.

BlueHammer and RedSun provide two independent paths to SYSTEM from a standard user account. UnDefend blinds the most widely deployed endpoint protection product in enterprise Windows environments. Meanwhile, YellowKey defeats the most commonly relied-upon data-at-rest encryption control. And finally, GreenPlasma, even in its partial form, establishes a third escalation path that is independently completable by any researcher with Windows internals competency.

All five Nightmare-Eclipse exploits share a common characteristic: they do not break Windows. They use Windows against itself. They find trusted components, understand what those components trust, and place attacker-controlled data where the trusted component does not expect it. There is no memory corruption, no kernel exploit, no novel bypass of hardware security features.

In this section, we’ll tackle two primary attack scenarios that utilize all five bugs.


Full Remote Compromise (Network-Based)

  • Initial Access: The attacker gains a foothold via compromised credentials (observed: FortiGate SSL VPN with stolen account), phishing, or other initial access vector. At this stage, access is low privilege (standard user).
  • Privilege Escalation — Option A (BlueHammer/CVE-2026-33825): The attacker stages the BlueHammer payload in a user-writable directory (Pictures or Downloads subfolder). BlueHammer then exploits a time-of-check to time-of-use (TOCTOU) race in Microsoft Defender's threat remediation engine via oplock, redirecting a privileged SYSTEM write from a temp path to C:\Windows\System32 via NTFS junction. SAM hive access yields NTLM hashes. Pass-the-hash achieves SYSTEM. NOTE: BlueHammer is patched (CVE-2026-33825, April 2026 Patch Tuesday); however, unpatched systems remain vulnerable.
  • Privilege Escalation — Option B (RedSun, unpatched): On patched systems where BlueHammer is blocked, RedSun provides an alternative code path. Attacker writes a crafted EICAR file, applies a Windows Cloud Files API placeholder tag, then uses NTFS junctions and oplocks to redirect Defender's cloud file rollback write into System32 (TieringEngineService.exe). System binary is overwritten and executed as SYSTEM. RedSun is unpatched and unaffected by the April Patch Tuesday fix.
  • Privilege Escalation — Option C (GreenPlasma, partial PoC): On systems where neither BlueHammer nor RedSun succeeds (e.g., Defender disabled or cloud files unavailable), GreenPlasma provides a third escalation path via CTFMON section object abuse. As the PoC matures or is completed by third parties, expect this to become a primary escalation option.
  • Defense Evasion (UnDefend, unpatched): Once SYSTEM is established, the attacker deploys UnDefend as a child of cmd.exe under Explorer with the -aggressive flag. In passive mode, UnDefend silently blocks Microsoft Defender’s signature and definition updates — the endpoint remains visually healthy while its detection capability stagnates. In aggressive mode (triggered on major platform updates), Microsoft Defender stops responding entirely. EDR consoles may report Defender as healthy despite complete degradation.
  • Post-Exploit Operations: With SYSTEM access and Microsoft Defender degraded, the attacker proceeds to credential harvesting (SAM, LSASS, cached domain credentials), lateral movement using pass-the-hash or stolen credentials, persistence installation, and, if needed, tunneling via a secondary implant (BeigeBurrow/agent.exe observed in the wild). Standard recon commands observed: whoami /priv, cmdkey /list, net group.


Physical Access (Device Theft/Insider Threat)

  • Physical Access Acquisition: The attacker obtains brief or sustained physical access to a BitLocker-protected Windows endpoint (theft, tailgating, insider, supply chain, unattended device).
  • BitLocker Defeat (YellowKey): A USB containing the YellowKey payload is inserted. The device is rebooted into WinRE. The attacker enters the exploit key combination. A shell with unrestricted access to the encrypted volume spawns — all data on the drive is immediately accessible without any decryption key, TPM bypass, or PIN.
  • Data Exfiltration or Implant Staging: With shell access to the unencrypted volume, the attacker can exfiltrate documents, credentials, certificate stores, VPN configs, and browser data directly. Alternatively, a persistent implant or modified executable can be placed on the drive before rebooting into the operating system.
  • Privilege Escalation (GreenPlasma/RedSun): If the attacker needs code execution within the live OS (e.g., to access memory-resident credentials or establish network presence), a staged payload dropped via the YellowKey shell can be executed on the next user logon. GreenPlasma or RedSun then escalates the executing code to SYSTEM without triggering a UAC prompt or requiring user interaction.
  • Persistent Access and Defense Suppression: UnDefend is deployed at SYSTEM to progressively blind Defender. The device appears normal to the user and to remote management consoles while exfiltration or tunneling operations proceed silently.


Security Recommendations

Immediately:

  • PATCH: Apply April 2026 Patch Tuesday updates across all Windows endpoints and servers immediately if not already complete. This patches BlueHammer (CVE-2026-33825), the only currently patched tool in the Nightmare-Eclipse suite. NOTE: This patch only applies to BlueHammer. Keep an alert set to monitor for potential out-of-band patches before June's Update Tuesday.
  • USB/BOOT: Implement physical security controls for all Windows endpoints: disable USB boot in BIOS/UEFI firmware settings, enforce BIOS/UEFI passwords, and require TPM+PIN configuration for BitLocker on all laptops and portable media. USB boot disable is the most direct mitigation against YellowKey.
  • ASR: Deploy or verify Attack Surface Reduction (ASR) rules to block execution from user-writable directories (Pictures, Downloads subfolders). This disrupts staging behavior observed in all confirmed Nightmare-Eclipse intrusions.
  • DETECT: Alert on processes named UnDefend.exe, RedSun.exe, GreenPlasma.exe, YellowKey.exe, BlueHammer.exe, FunnyApp.exe, z.exe executed from user-writable paths. Add detection for renamed variants using behavioral signatures.
  • BASELINE: Baseline SHA-256 hashes of C:\Windows\System32\TieringEngineService.exe and ctfmon.exe on all endpoints now. Any deviation should generate an immediate high-priority alert.
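As an added example (not code from the advisory or from any tool it names), a Windows PowerShell script that implements the BASELINE item: on first run it records the SHA-256 hashes of TieringEngineService.exe and ctfmon.exe, and on every later run it compares the live hashes against that record and exits non-zero on any deviation. The baseline file path is an assumption chosen for this example.

```powershell
# Added example, not part of the advisory. Baseline and re-verify the two
# System32 binaries named in the BASELINE recommendation.
# Assumptions: elevated Windows PowerShell session; the baseline path below is
# a placeholder, pick one your endpoint management tooling already protects.
param(
    [string]$BaselinePath = "C:\ProgramData\SecBaseline\system32-baseline.csv",
    [switch]$Update   # rewrite the baseline instead of verifying against it
)

$targets = @(
    "$env:SystemRoot\System32\TieringEngineService.exe",   # RedSun write target
    "$env:SystemRoot\System32\ctfmon.exe"                  # GreenPlasma target
)

function Get-CurrentHashes {
    foreach ($path in $targets) {
        if (-not (Test-Path -LiteralPath $path)) {
            # A missing system binary is itself an anomaly worth surfacing.
            [pscustomobject]@{ Path = $path; Hash = "MISSING" }
            continue
        }
        $h = Get-FileHash -LiteralPath $path -Algorithm SHA256
        [pscustomobject]@{ Path = $path; Hash = $h.Hash }
    }
}

$current = Get-CurrentHashes

if ($Update -or -not (Test-Path -LiteralPath $BaselinePath)) {
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
    Write-Host "Baseline written to $BaselinePath"
    $current | Format-Table -AutoSize
    exit 0
}

$baseline = Import-Csv -LiteralPath $BaselinePath
$deviations = foreach ($entry in $current) {
    $known = $baseline | Where-Object { $_.Path -eq $entry.Path }
    if ($null -eq $known) {
        [pscustomobject]@{ Path = $entry.Path; Expected = "(not in baseline)"; Actual = $entry.Hash }
    } elseif ($known.Hash -ne $entry.Hash) {
        [pscustomobject]@{ Path = $entry.Path; Expected = $known.Hash; Actual = $entry.Hash }
    }
}

if ($deviations) {
    # Treat as high priority: a non-zero exit lets a scheduled task or EDR
    # script runner raise the alert without parsing console output.
    Write-Warning ("System32 hash deviation on {0}:`n{1}" -f $env:COMPUTERNAME,
        ($deviations | Format-List | Out-String))
    exit 2
}
Write-Host "All monitored System32 binaries match the baseline."
```

Windows servicing updates also change these binaries, so rerun with -Update after each legitimate patch cycle; a deviation that appears between patch cycles is the condition that warrants the alert.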

Short Term:

  • VPN AUDIT: Audit VPN access logs for anomalous source geolocation, off-hours authentication, or concurrent sessions. The confirmed intrusion vector for prior Nightmare-Eclipse exploitation was compromised FortiGate SSL VPN credentials with Russia-geolocated source IPs.
  • CTFMON: Review EDR telemetry for CTFMON anomalies: unexpected child processes, unusual memory section interactions, or CTFMON process crashes. These are behavioral indicators of GreenPlasma exploitation attempts.
  • DEFENDER: Verify Microsoft Defender update status on all endpoints independently of console-reported health. UnDefend can cause Microsoft Defender to report healthy while signature updates are silently blocked. Cross-check definition dates against expected update frequency.
  • HUNT: Hunt for BeigeBurrow/agent.exe tunneling behavior: outbound connections from process names inconsistent with their function, particularly following reconnaissance command execution (whoami /priv, cmdkey /list, net group).
  • NDR: Ensure network detection and response (NDR) visibility is operating independently of endpoint agent health. If EDR is compromised via UnDefend, network-based detection is the primary fallback layer.
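An added example (not from the advisory) for the DEFENDER item: it checks definition freshness and engine state directly on the endpoint with the Defender PowerShell cmdlets rather than trusting console-reported health, then attempts an update and verifies that the signature timestamp actually advances. The 48-hour threshold is an assumption; set it from your own expected update cadence.

```powershell
# Added example, not part of the advisory. Verify Defender health on the
# endpoint itself; console-reported status is exactly what UnDefend's passive
# mode leaves looking normal while definition updates stall.
# Assumption: the threshold below is a placeholder for your real cadence.
param([int]$MaxSignatureAgeHours = 48)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Engine state as reported locally.
$status = Get-MpComputerStatus
if (-not $status.AMServiceEnabled)          { $findings.Add("Antimalware service not enabled") }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add("Real-time protection disabled") }

# 2. Signature age is the key check: a "healthy" service with stale
#    definitions is the passive-mode symptom described in the advisory.
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
    $findings.Add(("AV signatures {0} last updated {1:u} ({2:N1} h ago)" -f
        $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated, $sigAge.TotalHours))
}

# 3. Cross-check the service and engine process independently of the cmdlet.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running') { $findings.Add("WinDefend service not running") }
if (-not (Get-Process -Name MsMpEng -ErrorAction SilentlyContinue)) {
    $findings.Add("MsMpEng.exe process not found")
}

# 4. Force an update and confirm it actually lands when definitions were stale.
try {
    Update-MpSignature -ErrorAction Stop
    $after = Get-MpComputerStatus
    if ($sigAge.TotalHours -gt $MaxSignatureAgeHours -and
        $after.AntivirusSignatureLastUpdated -le $status.AntivirusSignatureLastUpdated) {
        $findings.Add("Update-MpSignature completed but the signature timestamp did not advance")
    }
} catch {
    $findings.Add("Update-MpSignature failed: $($_.Exception.Message)")
}

if ($findings.Count -gt 0) {
    Write-Warning ("Defender health check FAILED on {0}:`n - {1}" -f
        $env:COMPUTERNAME, ($findings -join "`n - "))
    exit 2
}
Write-Host ("Defender OK on {0}: signatures {1}, updated {2:u}" -f
    $env:COMPUTERNAME, $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)
```

Run it from a scheduler or an EDR live-response channel so that the result does not depend on the same console whose health view UnDefend is designed to preserve.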

Within 30 days:

  • ENCRYPTION: Evaluate a layered encryption strategy that does not rely solely on BitLocker. Hardware-based encryption (Opal drives), pre-boot authentication with external tokens, or network-unlock dependencies add barriers that YellowKey's current implementation may not defeat.
  • MONITORING: Establish a dedicated monitoring posture for Nightmare-Eclipse GitHub activity. Given the researcher's stated intention to release additional exploits at future Patch Tuesday cycles, proactive tracking of new repository creation or updates provides early warning.
  • COMPLIANCE: Brief executive leadership and legal counsel on YellowKey's implications for regulatory compliance posture — specifically for organizations with HIPAA, CMMC, FedRAMP, or PCI-DSS obligations that treat BitLocker as a qualifying encryption control.
  • IR PREP: Develop and test incident response playbooks specific to Nightmare-Eclipse tool chains: physical access + YellowKey, remote LPE via RedSun/GreenPlasma, and combined Defender degradation via UnDefend. Tabletop exercises against these scenarios will expose gaps before adversaries do.


Indicators of Compromise (IOCs)

The following IOCs cover both the new YellowKey and GreenPlasma disclosures and the prior Nightmare-Eclipse toolkit, as confirmed exploitation in the wild has consistently combined multiple tools from this release series.

File-Based IOCs

| Indicator | Value / Pattern | Type | Associated Tool |
|---|---|---|---|
| Filename (original) | YellowKey.exe | Filename | YellowKey |
| Filename (original) | GreenPlasma.exe | Filename | GreenPlasma |
| Filename (original) | RedSun.exe | Filename | RedSun |
| Filename (original) | BlueHammer.exe | Filename | BlueHammer |
| Filename (original) | UnDefend.exe | Filename | UnDefend |
| Filename (observed) | FunnyApp.exe | Filename | BlueHammer / RedSun |
| Filename (observed) | z.exe | Filename | RedSun (renamed) |
| Filename (observed) | agent.exe (BeigeBurrow) | Filename | Tunneling implant |
| Staging Path | C:\Users\*\Pictures\ | File Path | BlueHammer / RedSun |
| Staging Path | C:\Users\*\Downloads\[2-char subfolder]\ | File Path | BlueHammer / RedSun |
| System File — Monitor Hash | C:\Windows\System32\TieringEngineService.exe | File Path | RedSun write target |
| System File — Monitor | C:\Windows\System32\ctfmon.exe | File Path | GreenPlasma target |


Behavioral/Process IOCs

| Indicator | Value / Pattern | Type | Associated Tool |
|---|---|---|---|
| Process Chain | cmd.exe (parent: explorer.exe) spawning UnDefend.exe -agressive | Process | UnDefend |
| Process Anomaly | CTFMON creating or interacting with unexpected memory sections | Process | GreenPlasma |
| Process Anomaly | MsMpEng.exe failing to load engine / update during platform update | Process | UnDefend (aggressive) |
| Defender Tampering | Defender update suppression without hard failure alert | Behavior | UnDefend (passive) |
| Privilege Escalation | Standard user context → SYSTEM without interactive admin prompt | Behavior | BlueHammer / RedSun / GreenPlasma |
| Recon Commands | whoami /priv; cmdkey /list; net group | Command | Post-exploit recon (observed) |
| Kernel API Calls | CfRegisterSyncRoot, CfCreatePlaceholders, CfConnectSyncRoot | API | RedSun (Cloud Files) |
| Object Manager | Arbitrary section creation in non-user-accessible namespace | Behavior | GreenPlasma |
| WinRE Anomaly | Shell spawning from WinRE with unrestricted volume access | Behavior | YellowKey |


Network/Infrastructure IOCs

| Indicator | Value / Pattern | Type | Notes |
|---|---|---|---|
| GitHub Repositories | github.com/Nightmare-Eclipse/* | URL | All five exploit repos public |
| VPN Source IP | Russia-geolocated IP (specific redacted) | IP | Huntress Apr 2026 intrusion |
| Tunneling | agent.exe (BeigeBurrow) outbound C2 behavior | Network | Follow-on access tool observed |
| Infrastructure Pattern | Suspicious VPN auth + multi-region source IPs | Behavior | Observed in active intrusion |
