"One of the most insane discoveries I ever found," wrote the anonymous researcher known as Nightmare‑Eclipse (also Chaotic Eclipse), announcing two fresh Windows zero‑days immediately after Microsoft's monthly Patch Tuesday.
YellowKey: a BitLocker bypass that runs from USB with physical access
The researcher published technical details and files for YellowKey, which they describe as a BitLocker bypass that requires files loaded onto a USB drive and physical access to the target machine. According to the publication, if an attacker completes the key sequence correctly they are granted "unrestricted shell access to a BitLocker‑protected machine." The Register noted the usual caveat — the exploit requires physical access — but warned that because "BitLocker acts as Windows' last line of defense for stolen devices," bypassing it could turn a stolen laptop into a reportable data breach. Rik Ferguson, VP of security intelligence at Forescout, said: "If [the researcher's claim] holds up, a stolen laptop stops being a hardware problem and becomes a breach notification."
GreenPlasma: privilege escalation with partial code and a UAC barrier
The researcher also published partial exploit code for GreenPlasma, described as a privilege escalation flaw that hands SYSTEM access to an attacker. The code released was incomplete: experts told The Register it currently triggers a UAC consent prompt in default Windows configurations, meaning a fully silent exploit still requires additional work. Ferguson observed that attackers would need to take the researcher’s partial code and "figure out how to weaponize it themselves," a non‑trivial task but a feasible one for capable adversaries. Gavin Knapp, cyber threat intelligence principal lead at Bridewell, warned that "these elevation of privilege vulnerabilities are often weaponized during post‑exploitation to enable threat actors to discover and harvest credentials and data, before moving laterally to other systems." Knapp added that "currently, there is no known mitigation for GreenPlasma. It will be important to patch when Microsoft addresses the issue."
The leak campaign: five zero‑days and claims of retaliation
YellowKey and GreenPlasma are the latest in a sequence of disclosures from the same anonymous researcher. The Register reports that the researcher had already exposed three Windows zero‑days earlier this year; with the two new releases, that brings the total to five. Earlier disclosures included BlueHammer (CVE‑2026‑32201, 6.5), which Microsoft patched in April, and two other releases—RedSun and UnDefend—whose proof‑of‑concept code remains unfixed. In their maiden blog post under the Chaotic Eclipse alias the researcher said the leak campaign began after "someone violated our agreement and left me homeless with nothing," claiming retaliation: "I never wanted to reopen a blog and a new GitHub account to drop code... they still stabbed me in the back anyways, this is their decision not mine."
Real‑world consequences: prior PoCs were weaponized quickly
Security firms tracking the earlier disclosures told The Register that RedSun and UnDefend PoCs were "quickly picked up and abused in real‑world attacks." Huntress reported that the published proof‑of‑concept code had attracted abuse in the wild. Ferguson characterized the recent releases as part of an "escalating, retaliatory campaign against Microsoft," noting the researcher had warned of another Patch Tuesday surprise, hinted at future remote code execution disclosures, and claimed to hold a "dead man's switch" with more material ready. Ferguson said: "This researcher has followed through on every prior threat."
What this means for technologists, enterprises, and adversaries
- Technologists and security teams: Expect to prioritize patch validation and watch for weaponized forks of the published PoCs; Knapp warned GreenPlasma currently has no mitigation and urged patching once Microsoft addresses it. For YellowKey, threat intel shared in the community suggested mitigations can include implementing a BitLocker PIN and a BIOS password lock.
- Enterprises and procurement leaders: Organizations using BitLocker face a specific exposure because the researcher’s YellowKey claim, if valid, would undermine the last‑line encryption protections on stolen devices. Ferguson noted such an outcome could convert a hardware loss into a formal breach notification.
- Adversaries and threat actors: The partial GreenPlasma code and the full YellowKey materials provide a foothold that determined actors can attempt to weaponize; historically, the earlier PoCs drew rapid operational use, according to Huntress.
The immediate facts are stark: two new detailed disclosures arrived just after Patch Tuesday, one known Microsoft CVE (BlueHammer, CVE‑2026‑32201) was patched in April, and two earlier PoCs (RedSun and UnDefend) remain unfixed and have been observed in attacks. The researcher claims a broader stockpile and has signaled further releases. Whether Microsoft will rapidly close the remaining issues and how quickly threat actors can convert partial code into silent exploits are the concrete next measures for defenders to watch.
Original story: The Register




