CVE-2026-33825 and CISA's update
On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged CVE-2026-33825, nicknamed BlueHammer, as being exploited in ransomware campaigns in an update to its Known Exploited Vulnerabilities (KEV) Catalog. CISA had previously added the flaw to the KEV on April 22 and ordered Federal Civilian Executive Branch (FCEB) agencies to apply patches within two weeks, a deadline that ran until May 7. In its earlier notice, CISA warned that “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”
Microsoft's advisory and the technical impact
Microsoft describes the issue as arising from “insufficient granularity of access control in Microsoft Defender,” saying that it “allows an authorized attacker to elevate privileges locally.” Security analysts have emphasized the consequence: with local exploitation, an attacker can obtain access to the Security Account Manager (SAM) database, which holds password hashes for local accounts.
Will Dormann, principal vulnerability analyst at Tharros, told BleepingComputer in April that although BlueHammer “is not easy to exploit,” it enables local adversaries to escalate to SYSTEM privileges by reading SAM data. “At that point, [the attackers] basically own the system, and can do things like spawn a SYSTEM-privileged shell,” Dormann said. That level of privilege can allow full control of a compromised machine — a valuable capability for ransomware operators seeking to deploy encryptors or move laterally.
Disclosure, patching, and observed exploitation
The vulnerability was publicly leaked in early April by a security researcher who uses the handle “Nightmare Eclipse,” together with proof-of-concept exploit code. Microsoft issued a patch for BlueHammer on April 14 as part of the April 2026 Patch Tuesday updates. Days after Microsoft’s fix, researchers at Huntress Labs reported that threat actors had been exploiting BlueHammer as a zero-day, showing evidence of “hands-on-keyboard threat actor activity.”
Nightmare Eclipse is a recurring source in this string of events: over recent months the researcher disclosed multiple Windows zero-days — including those dubbed RoguePlanet, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend — some affecting Microsoft Defender and others targeting BitLocker and Windows components. Microsoft addressed GreenPlasma, MiniPlasma, and YellowKey in the June 2026 Patch Tuesday updates, three weeks before CISA’s latest KEV update.
How FCEB agencies, security teams, and ransomware gangs are affected
- Federal Civilian Executive Branch agencies: CISA’s April 22 KEV entry required patches within two weeks — a concrete compliance action that FCEB agencies were ordered to meet by May 7. The KEV designation and the subsequent update flagging ransomware exploitation place BlueHammer squarely in the category of vulnerabilities requiring prioritized remediation for federal systems.
- Security teams and technologists at enterprises: defenders face a dual challenge — apply vendor patches promptly and hunt for indicators of hands-on-keyboard activity. Huntress Labs’ finding that BlueHammer was used in live zero-day attacks underscores that detection, not just patching, matters because adversaries may already have been active prior to or during remediation windows.
- Ransomware gangs and other threat actors: CISA’s explicit statement that BlueHammer is being exploited in ransomware campaigns confirms that the vulnerability offers operational value to extortion-focused groups. The capability to escalate locally to SYSTEM gives attackers a fast route to deployment of ransomware and to compromising additional systems once initial footholds exist.
Closing assessment
CISA’s move to flag BlueHammer as exploited by ransomware gangs formalizes a risk trajectory that began with a public leak of exploit code, continued through observed zero-day use, and culminated in a federal remediation order. Microsoft supplied a patch on April 14, but the timeline shows how disclosure, weaponization, and exploitation can overlap: exploit code was published in early April, Microsoft released a fix mid‑April, and researchers observed active exploitation days later. The practical takeaway in the record is straightforward and specific — apply the April and subsequent Patch Tuesday fixes, and assume that adversaries capable of “hands-on-keyboard” operations will treat local privilege escalation into SYSTEM as a shortcut to full compromise.
Original reporting: CISA: Windows BlueHammer flaw now exploited by ransomware gangs — BleepingComputer