Machine of Mind: AI, Deep Tech, and the Future of Computing

The Project Nightcrawler Escalation: Weaponizing Windows Defender and WinRE

The running dispute between Microsoft's Security Response Center (MSRC) and the rogue security researcher known as Nightmare Eclipse reached a fever pitch in mid-June 2026.

The Unrelenting Zero-Day Campaign

Citing personal grievances and frustration with Microsoft's vulnerability disclosure process, the researcher operating under the pseudonyms Nightmare Eclipse and Chaotic Eclipse and the GitHub handle MSNightmare launched a continuous campaign of zero-day releases. Working from GitHub and self-hosted mirrors such as git.projectnightcrawler.dev, the researcher dropped consecutive unpatched vulnerabilities targeting deep Windows defense mechanisms. The campaign specifically weaponized Microsoft Defender's remediation logic and the Windows Recovery Environment (WinRE), yielding SYSTEM-level privilege escalation and shell access to BitLocker-protected volumes.

The Project Nightcrawler & MSNightmare Timeline

Mid-May 2026: The Catalyst Update

Microsoft rolled out mitigations that closed a remote code execution (RCE) path Nightmare Eclipse had been exploiting, which relied on tricking victims into opening .vhd(x) files hosted on remote SMB servers. The fix forced the researcher into a manual rewrite of the exploit codebase, pivoting it toward local privilege escalation (LPE).

June 9 – June 10, 2026: The RoguePlanet Release

On June 9, as Microsoft shipped Patch Tuesday updates fixing the researcher's older GreenPlasma and YellowKey vulnerabilities (CVE-2026-45586 and CVE-2026-50507), Nightmare Eclipse retaliated by publishing RoguePlanet, a zero-day that exploits a race condition in Microsoft Defender to escalate a local user to SYSTEM. Pushed to GitHub and mirrored on self-hosted infrastructure, the exploit was validated by security researchers on fully updated Windows 11 and Windows 10 machines: the June patches addressed different bugs and left this one untouched.

June 11, 2026: The GreatXML Drop

Less than 48 hours after RoguePlanet, Nightmare Eclipse released another zero-day, codenamed GreatXML, under the MSNightmare handle. Hosted on Project Nightcrawler infrastructure, GreatXML relies on design-level interactions between offline Windows components rather than a memory-corruption bug, turning the state left by a Defender Offline Scan into a BitLocker backdoor.

June 16 – June 18, 2026: Industry Validation and Tracking

By June 16, Microsoft had published an advisory for RoguePlanet, assigning it CVE-2026-50656 with a CVSS score of 7.8. Nightmare Eclipse published documentation showing that the RoguePlanet race condition works identically whether Microsoft Defender's real-time protection is on or off. In parallel, security operations firms including Cyderes published detailed technical analyses reproducing the GreatXML chain on production machines.

Key Metrics and Attack Surfaces

  • The RoguePlanet Exploit: Tracked as CVE-2026-50656 (CVSS 7.8), it targets the Microsoft Malware Protection Engine and yields a command shell running as SYSTEM.
  • Defender Independence: The proof-of-concept works whether Defender's real-time protection is enabled or disabled, so toggling that setting is not a mitigation.
  • The GreatXML Bypass: Abuses the interaction between WinRE and Defender's Offline Scan to obtain an unrestricted shell with access to BitLocker-encrypted volumes, without the recovery key.

Deep Technical Teardown of the Exploits

Rather than evading endpoint security, Nightmare Eclipse's exploits weaponize the tools meant to protect the system. RoguePlanet (CVE-2026-50656) exploits a race condition in the Microsoft Malware Protection Engine. A low-privileged user runs a binary that creates a temporary workspace and stages a malicious payload named `wermgr.exe`, attaching an NTFS alternate data stream to it. The payload then writes an EICAR-like file to trigger an on-access scan by `MsMpEng.exe`. To win the race during remediation, RoguePlanet combines opportunistic locks (oplocks), directory junctions and volume shadow copy paths: the oplocks give the exploit a reliable window in which to swap a directory junction while the engine is mid-operation, redirecting its write so that it overwrites the legitimate, highly privileged `C:\Windows\System32\wermgr.exe` with the staged payload. When Windows next runs the overwritten binary in its SYSTEM context, the attacker gets a command shell with full SYSTEM privileges. The practical check on a suspected host is the signature status of that file (`Get-AuthenticodeSignature C:\Windows\System32\wermgr.exe`, or `sfc /verifyfile=C:\Windows\System32\wermgr.exe`): a valid Microsoft signature rules this chain out, and an unsigned or differently signed copy is the artifact to preserve.
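The sequence above leaves a recognisable trail in process and file telemetry. The following is an added example, not code from the original page or from the Project Nightcrawler repository: it runs three constructed heuristics over Sysmon-style events (IDs 1, 11 and 15) to flag the staged decoy, the engine writing into System32, and the overwritten binary running from an odd parent. The field names follow Sysmon; the "expected parent" list and the sample events are assumptions built for this example.

```python
"""Offline triage of Sysmon-style events for the RoguePlanet file-swap pattern.

Added example. Three constructed heuristics derived from the sequence in the
write-up (a decoy wermgr.exe staged with an ADS, Defender's engine redirected
into System32, the overwritten binary then run as SYSTEM). Field names follow
Sysmon event IDs 1 (ProcessCreate), 11 (FileCreate) and 15 (FileCreateStreamHash);
the expected-parent list is an assumption, not vendor detection content.
"""
from __future__ import annotations

SYSTEM32 = "c:\\windows\\system32\\"
# Parents from which wermgr.exe is normally spawned (assumption for this example;
# baseline it on your own fleet before deploying).
EXPECTED_WERMGR_PARENTS = {"svchost.exe", "werfault.exe", "wermgr.exe"}


def _basename(path: str) -> str:
    """Final path component, lower-cased, with any ':stream' ADS suffix removed."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.split(":", 1)[0].lower()


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, evidence) pairs for events matching the RoguePlanet heuristics."""
    findings: list[tuple[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        if eid in (11, 15):  # FileCreate / FileCreateStreamHash
            target = ev.get("TargetFilename", "").lower()
            # R1: a wermgr.exe (or an ADS on one) appearing anywhere but System32
            if _basename(target) == "wermgr.exe" and not target.startswith(SYSTEM32):
                findings.append(("R1-staged-decoy", target))
            # R2: the Defender engine itself writing into System32
            if _basename(image) == "msmpeng.exe" and target.startswith(SYSTEM32):
                findings.append(("R2-engine-writes-system32", target))
        elif eid == 1:  # ProcessCreate
            parent = _basename(ev.get("ParentImage", ""))
            user = ev.get("User", "").upper()
            # R3: wermgr.exe running as SYSTEM from an unexpected parent
            if (_basename(image) == "wermgr.exe" and user.endswith("\\SYSTEM")
                    and parent not in EXPECTED_WERMGR_PARENTS):
                findings.append(("R3-wermgr-odd-parent", ev.get("ParentImage", "")))
    return findings


# Constructed sample, not a real capture: the trail a RoguePlanet run would leave,
# interleaved with benign events the rules must not flag.
TMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\rp\\"
ENGINE = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.x\\MsMpEng.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": TMP + "stage.exe", "TargetFilename": TMP + "wermgr.exe"},
    {"EventID": 15, "Image": TMP + "stage.exe", "TargetFilename": TMP + "wermgr.exe:payload"},
    {"EventID": 11, "Image": TMP + "stage.exe", "TargetFilename": TMP + "eicar.com"},  # benign here
    {"EventID": 11, "Image": ENGINE,
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\x.bin"},  # benign
    {"EventID": 11, "Image": ENGINE, "TargetFilename": "C:\\Windows\\System32\\wermgr.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wermgr.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},  # benign
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wermgr.exe",
     "ParentImage": TMP + "stage.exe", "User": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {evidence}")
```

R2 is the strongest of the three: the Defender engine has no reason to create files under System32, so it stands on its own, while R1 and R3 are corroboration and will need tuning against Zone.Identifier streams and any local tooling that legitimately launches wermgr.exe.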

GreatXML, by contrast, is a persistent post-compromise mechanism that defeats BitLocker protection of the OS volume rather than a privilege escalation. It exploits a design-level interaction between WinRE, Windows answer-file (unattend.xml) automation and the state left behind by a Microsoft Defender Offline Scan. An attacker who already holds administrator rights plants a crafted `unattend.xml` and a modified `Recovery` folder structure at the root of the recovery partition. The next time the machine boots into WinRE, which anyone at the lock screen can trigger by holding Shift while clicking Restart, the environment processes the planted answer file without verifying its signature or origin and spawns an unrestricted command prompt. According to the write-ups, that prompt can read and modify files on the BitLocker-encrypted drive without the recovery key. Two points follow for defenders: the chain needs prior administrator access to stage but only lock-screen access to trigger, so it is a persistence and data-access technique rather than an initial foothold; and the artifacts to hunt for are on the recovery partition itself (`reagentc /info` reports its location and whether WinRE is enabled), namely any answer file or modified `Recovery` tree at its root.
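Hunting for the planted answer file comes down to parsing the standard unattend schema and asking whether any command it carries would hand out a shell. The following is an added example, not code from the original page or from the researcher's tooling; it walks `settings` / `component` / `RunSynchronous` and `FirstLogonCommands` entries and flags commands whose executable is a shell or script host. The shell list and the two sample answer files are constructed for the example, and it assumes the planted file uses these documented hooks; a file found at the root of the recovery partition at all is worth preserving regardless of what this script says about it.

```python
"""Audit Windows answer files (unattend.xml) for commands that would spawn a shell.

Added example, not from the original page or the Project Nightcrawler tooling.
Walks the unattend schema (settings pass -> component -> RunSynchronousCommand /
SynchronousCommand) and reports any command whose executable is an interactive
shell or script host. The SHELLS list and the samples below are assumptions.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"
# Executables that, launched from an answer file, give an operator a shell (assumed list).
SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe",
          "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _first_token(cmdline: str) -> str:
    """Executable name from a command line, handling a quoted full path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        token = s[1:end] if end > 0 else s[1:]
    else:
        token = s.split(None, 1)[0] if s else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_unattend(xml_text: str) -> list[tuple[str, str, str]]:
    """Return (pass, component, command) for every shell-spawning command found."""
    root = ET.fromstring(xml_text)
    if root.tag != NS + "unattend":
        return []
    findings: list[tuple[str, str, str]] = []
    for settings in root.findall(NS + "settings"):
        pass_name = settings.get("pass", "?")
        for comp in settings.findall(NS + "component"):
            comp_name = comp.get("name", "?")
            # RunSynchronousCommand carries <Path>; FirstLogonCommands' SynchronousCommand carries <CommandLine>
            cmds = list(comp.iter(NS + "RunSynchronousCommand")) + list(comp.iter(NS + "SynchronousCommand"))
            for cmd in cmds:
                text = cmd.findtext(NS + "Path") or cmd.findtext(NS + "CommandLine") or ""
                if _first_token(text) in SHELLS:
                    findings.append((pass_name, comp_name, text.strip()))
    return findings


# Constructed sample: a windowsPE-pass answer file that launches cmd.exe, the shape
# a planted file would need to take to get a shell out of the standard hooks.
SAMPLE_PLANTED = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <RunSynchronous>
        <RunSynchronousCommand wcm:action="add">
          <Order>1</Order>
          <Description>maintenance</Description>
          <Path>cmd.exe</Path>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
  </settings>
</unattend>
"""

# Constructed sample: an ordinary OOBE setting with no commands at all.
SAMPLE_BENIGN = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <OOBE><HideEULAPage>true</HideEULAPage></OOBE>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    # Usage: python audit_unattend.py <unattend.xml> [...]   (e.g. files copied off the recovery partition)
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8-sig") as fh:
            for pass_name, comp, command in audit_unattend(fh.read()):
                print(f"{path}: [{pass_name}] {comp}: {command}")
```

Run it against files copied off the recovery partition after mounting it with a drive letter; a hit in the `windowsPE` pass is the most direct match for the behaviour described above, since that is the pass a WinPE-based environment such as WinRE would act on.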

Authoritative References and Threat Intelligence

RoguePlanet Analysis: Morphisec Blog on CVE-2026-50656

GreatXML Verification: Cyderes Howler Cell Enterprise Defenses

Timeline & Exploits overview: SecurityWeek Archives
