Zero-Day Vulnerability in Windows Defender Revealed Immediately After June Patch Tuesday
Hours after Microsoft shipped its largest-ever Patch Tuesday, the anonymous researcher known as Nightmare-Eclipse released a proof-of-concept exploit called “RoguePlanet” — bypassing every fix in the June 2026 update.
Microsoft released its June 2026 Patch Tuesday updates on June 10 — the company’s largest-ever single-month rollout, addressing nearly 200 vulnerabilities. Within hours, the anonymous security researcher known as Nightmare-Eclipse (also tracked as Chaotic Eclipse or Dead Eclipse) published a new proof-of-concept exploit for an unpatched Windows Defender zero-day dubbed RoguePlanet, adding immediate urgency to an already tense months-long public feud with Microsoft.
How RoguePlanet Works
RoguePlanet exploits a Time-of-Check to Time-of-Use (TOCTOU) race condition in Microsoft Defender’s internal processing logic — specifically the brief timing window between when Defender verifies a file path and when it acts on it. An unprivileged local attacker can redirect a file operation being performed by Defender (which runs as SYSTEM) to attacker-controlled code, resulting in a command shell running with full SYSTEM-level privileges. This technique is similar to the one used in Nightmare-Eclipse’s earlier BlueHammer exploit (CVE-2026-33825), patched in April 2026, which redirected Defender’s SYSTEM-level writes via NTFS junction points into C:\Windows\System32.
The exploit can be triggered by opening a specially crafted .vhd(x) file or accessing a malicious SMB share. When successful, it spawns a command prompt running under SYSTEM — the highest privilege level on a Windows machine. Multiple independent parties, including BleepingComputer and ThreatLocker, confirmed the exploit worked on fully patched Windows 11 systems with the June 2026 cumulative update (KB5094126) installed.
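As an added defensive check that is not part of the article, the PowerShell below hunts a host for directory junctions or symbolic links in user-writable locations that resolve into protected system paths, the redirection primitive the article attributes to BlueHammer. It assumes an administrative PowerShell session on Windows; the root list and protected-prefix list are placeholders to adjust for your environment.

```powershell
# Added example (not from the article): enumerate reparse points under user-writable
# roots whose target lies under a protected system directory. A hit is a hunting lead
# for junction-based redirection of a SYSTEM-level file operation, not proof of exploitation.
# Assumptions: run elevated; $Roots and $ProtectedPrefixes are placeholders to tune.
function Find-SuspiciousJunctions {
    param(
        [string[]] $Roots = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:SystemDrive\Temp"),
        [string[]] $ProtectedPrefixes = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:ProgramFiles")
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Attributes ReparsePoint returns only junctions/symlinks; -Force includes hidden items.
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            ForEach-Object {
                $item = $_
                # Target is a string array on Windows PowerShell 5.1 and a string on PowerShell 7;
                # wrapping in @() handles both.
                foreach ($t in @($item.Target)) {
                    if (-not $t) { continue }
                    foreach ($prefix in $ProtectedPrefixes) {
                        if ($t.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                            [pscustomobject]@{
                                Link     = $item.FullName
                                LinkType = $item.LinkType
                                Target   = $t
                                Created  = $item.CreationTimeUtc
                                Owner    = (Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue).Owner
                            }
                        }
                    }
                }
            }
    }
}

# Usage: list findings; a non-SYSTEM owner on a link into System32 deserves a closer look.
Find-SuspiciousJunctions | Format-Table -AutoSize
```

Some installers legitimately create links into Program Files, so triage hits by owner and creation time rather than treating every result as malicious.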
Reliability and Limitations
Because it relies on a race condition, RoguePlanet is not guaranteed to succeed in every run. The researcher acknowledged success rates vary significantly between machines. The proof-of-concept has been tested against Windows 11 Official and Canary builds as well as Windows 10 systems with the June 2026 security update applied. Critically, the exploit does not currently work against Windows Server instances in its present form — the researcher noted that standard users cannot mount ISO images in that environment — though Nightmare-Eclipse believes a redesign would likely extend functionality to Server configurations as well.
Microsoft’s mitigations shipped in May 2026 had closed some earlier attack paths, forcing Nightmare-Eclipse to spend considerable time reworking the exploit. Whether RoguePlanet is limited to local privilege escalation (LPE) or can be adapted for remote code execution (RCE) remains unclear.
Part of a Larger Campaign
RoguePlanet is the seventh zero-day in a sustained campaign by Nightmare-Eclipse that began in early April 2026. Prior disclosures include BlueHammer, RedSun, UnDefend, YellowKey (CVE-2026-45585, a BitLocker bypass), GreenPlasma (CVE-2026-45586, an elevation-of-privilege flaw), and MiniPlasma — a regression of an older vulnerability first addressed in 2020. Microsoft’s June Patch Tuesday fixed GreenPlasma, YellowKey, and MiniPlasma. Three earlier exploits — BlueHammer, RedSun, and UnDefend — were weaponized in real-world attacks and added to CISA’s Known Exploited Vulnerabilities catalog before patches were available.
The Dispute with Microsoft
The campaign is widely understood to be a retaliatory effort stemming from a breakdown in the researcher’s relationship with Microsoft. Nightmare-Eclipse has publicly stated that Microsoft deleted the MSRC (Microsoft Security Response Center) portal account they used to submit vulnerability reports, and that they received no bug bounty payments despite what they considered legitimate disclosures. The researcher has also claimed Microsoft told them directly that the company would “ruin their life.”
Microsoft responded with a May 27 MSRC blog post condemning the disclosures as uncoordinated and stating that putting proof-of-concept code for unpatched vulnerabilities in the hands of attackers is “never justifiable.” The company’s Digital Crimes Unit signaled that researchers enabling attacks — not just attackers themselves — could face legal consequences. GitHub and GitLab both subsequently disabled Nightmare-Eclipse’s accounts. However, following significant backlash from the broader infosec community, Microsoft later clarified that it had no intention of pursuing legal action against individuals conducting or publishing legitimate security research. Nightmare-Eclipse, posting on their own blog and on X (formerly Twitter), stated they were “still in court” with the company.
What Comes Next: July 14
Prior to releasing RoguePlanet, Nightmare-Eclipse had publicly signaled a major disclosure event on July 14, 2026 — the date of Microsoft’s next Patch Tuesday — warning the release would “make sure your bones are shattered that day.” The demanding rewrite of RoguePlanet reportedly exhausted the researcher, leading to an acknowledgment that the broader July 14 package may not be as comprehensive as originally planned. Nevertheless, the July 14 date has not been formally canceled, and security teams should treat it as an active threat horizon.
ThreatLocker’s CEO noted that organizations using application allowlisting can block RoguePlanet from executing as an effective interim control. Until Microsoft issues a dedicated fix, security professionals are advised to apply all available June 2026 patches, monitor MSRC advisories closely, and brief incident response teams ahead of the July 14 deadline.
