Friday, 15 May 2026

MiniPlasma, a powerful LPE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This one was accidental; I didn't even think cldflt.sys had that vulnerability. Turns out the CVE-2020-17103 patch is just not present at all?


The new PoC was tested against fully patched Windows 11 and Windows Server 2025 and managed to flawlessly spawn a SYSTEM shell.


https://github.com/Nightmare-Eclipse/MiniPlasma

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCaggLWQAKCRDFFoRCS0/S
bHKSAP4/bkKYCDTKZvq5WoUsWKuYgWBvlfun8KYJtNgYREezVAEAj8cg30Pjcjcu
REzr4eniahPoc6bleEEos0PwVOUa5AA=
=oct9
-----END PGP SIGNATURE-----


Thursday, 14 May 2026

Important updates regarding YellowKey and GreenPlasma

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Recently, two researchers had interesting discoveries regarding YellowKey and GreenPlasma.


YellowKey is caused by the binary "autofstx.exe", which propagates all present volumes for transaction files. A researcher (unsure if they want to be named) told me that this binary is also present in Windows Update WinRE images, and I think they will definitely have the same vulnerability as well. However, I'm unsure if it's possible to trigger the controlled file deletion while Windows is updating. If it's true, then it means disabling WinRE is not a solution for the problem, which also means it's a good thing that I kept the PIN+TPM PoC a secret.


Regarding GreenPlasma, I'm unaware if anyone has managed to make a full exploit yet, but people are trying hard to make it work, as it obviously violates a Windows security boundary. The thing is, another researcher noticed one of my techniques to write to a protected registry key in HKCU (which isn't a security boundary), but they also told me that, hypothetically speaking, this technique could be used to write to another user's hive, which is obviously an EoP.

The technique I used was inspired by a Google Project Zero finding:

https://project-zero.issues.chromium.org/issues/42451192

After reading this issue, I attempted to figure out how Microsoft patched it, but I never found out how. At that point I was a bit too tired, so I thought maybe it was something I missed and it was definitely patched. To my surprise, the researcher who reached out about this has managed to reproduce the issue on a fully patched Windows 11 machine and on Windows Insider Preview. Which means this was an elevation of privilege vulnerability that was sitting in plain sight for God knows how long.


I have not tested if either the YellowKey or GreenPlasma news is true, but I believe it is. I uploaded the CVE-2020-17103 PoC from Project Zero directly to GitHub in case Project Zero decides to remove it; it will still be there on GitHub.

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCagY6/AAKCRDFFoRCS0/S
bKCyAP4+yIbtuhyKUm84UHUZmJ3R7H51ySfYfaDdg4RO7aUxhAEA8uv36AM1norC
qnuG00ATch/ugDM8lNHPqM4ywZ6Kxg4=
=rzJa
-----END PGP SIGNATURE-----


Wednesday, 13 May 2026

We're doing silent patches now huh, also a quick note about YellowKey

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I just noticed that Microsoft silently patched the RedSun vulnerability: no CVE, no nothing, just a silent patch. Not surprised, as they never admit their mistakes, but considering it was under active exploitation, having zero advisory is insane.


Now, regarding YellowKey, lots of you are wondering how one even finds such a backdoor?

I'll tell you how: it took me more time trying to get it to work than the amount of sleep I've had in two years combined. No AI involved, no help in any shape or form. I could have made some insane cash selling this, but no amount of money will stand between me and my determination against Microsoft.

Funny thing is, no one, and I say again NO ONE, has managed to figure out how YellowKey works; the real root cause is still unknown to the general public. I think it will take a while even for MSRC to find the real root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden.

Second thing is: no, TPM+PIN does not help, the issue is still exploitable regardless. I asked myself this question: can it still work in a TPM+PIN environment? Yes, it does. I'm just not publishing the PoC; I think what's out there is already bad enough.


I can't wait until I'm allowed to disclose the full story. I think people will find my crashout very reasonable, and it definitely won't be a good look for Microsoft.


-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCagRfWwAKCRDFFoRCS0/S
bDlGAP42z1Tck5TFPhaUbrC7WHcDwzr/ajAPLfj2ttXKfph30gEAm0KIZyf874gb
WAAGxop9J4RtzHIcQG6iPd1UqmWxhwM=
=xXqu
-----END PGP SIGNATURE-----


Tuesday, 12 May 2026

Two more public disclosures, it will never stop

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Here are the links. Yes, two vulnerabilities this time. Defender has been spared because I know Microsoft will tighten the strings if I target one specific component too often. Don't ask how I know.


https://github.com/Nightmare-Eclipse/YellowKey

https://github.com/Nightmare-Eclipse/GreenPlasma


Microsoft has chosen to make this worse instead of resolving the situation like adults; they pulled every childish game possible. My patience is running out, and you're making everyone else pay for it.


I hope you at least attempt to resolve the situation responsibly. I'm not sure what type of reaction you expected from me when you threw more gas on the fire after BlueHammer. The fire will go on as long as you want, unless you extinguish it or until there is nothing left to burn.


Your recent actions made me take the difficult decision to drag other companies into this; be prepared to answer questions.

Next Patch Tuesday will have a big surprise for you, Microsoft. And remember, I have never failed to deliver on a promise.


-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCagNlvwAKCRDFFoRCS0/S
bCvjAQDVurDgXRdoE76+lSAsucc7bYTesGTQlhejiisdJD8oAwD+LK4GXV+apocq
pvzD/Ikz+6NV3PZD0TyDy7odM0KmKgI=
=5WrI
-----END PGP SIGNATURE-----


Saturday, 25 April 2026

Remember this...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On the off chance you decide that you want to proceed with whatever funny ideas you have in your head, I'm recommending that you do not do it; the dead man switch was active before this even started.

So if you decide to try me, everyone else will pay for it, and this time it will be extremely. It will take you a lot of time to patch what will be published if the dead man switch is detonated.

Also, if you somehow think I'm stupid: no, the dead man switch is insanely sophisticated. It took me forever to deploy it and ensure it works properly before actually making it live, and no, it's not located at my place ;)


Don't say I did not warn you, and again, I'm not bluffing. I deliver on every promise I make.

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCae2SbQAKCRDFFoRCS0/S
bKaBAQDDtPDgIaQz4ui3IPieeIgxswkLd4iBtYnYC7pXJsrE1gEAqgswfsI2NpYh
JYt5z6GkJtttQccLB7Mr3EFCJKb8TgE=
=BhrQ
-----END PGP SIGNATURE-----


Wednesday, 15 April 2026

Public disclosure, a response for CVE-2026-33825 patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Here is the code, enjoy

https://github.com/Nightmare-Eclipse/RedSun


Now, to address what some media articles wrote. First of all, I want to talk about MSRC's official response regarding BlueHammer:


"Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible. We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community."


This is a very generic response, almost as if they don't care, and they don't. Why? Because MSRC was fully aware of this public disclosure: a case was filed but was dismissed by them, and they are also aware that this one will be disclosed, but again, they are ignorant.


Normally, I would go through the process of begging them to fix a bug, but to summarize, I was told personally by them that they would ruin my life, and they did. I'm not sure if I was the only one who had this horrid experience or whether a few people did, but I think most would just eat it and cut their losses; for me, they took away everything. They mopped the floor with me and pulled every childish game they could. It was so bad that at some point I was wondering if I was dealing with a massive corporation or someone who was just having fun seeing me suffer, but it seems to be a collective decision.

And one other thing: they do everything but support the research community. I won't disclose details, but they sabotage people a lot. I mean, just look at the past: Microsoft is the only major company with a track record of multiple vulnerabilities being publicly disclosed just because the researchers were so upset by how MSRC treated them.


Unfortunately, the folks who have the capacity to stop those disclosures not only don't care but also seem to push harder for worse exploits to be released. I didn't want to be evil, but they are actively poking me to start releasing RCEs, which I will be doing at some point...


I will personally make sure that it gets funnier every single time Microsoft releases a patch.

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCaeAVxQAKCRDFFoRCS0/S
bKhnAP0XAkiRbMSdNupqgko9pahmFysxzkc2H4MspCVhpHc/BAD/bZPbGNwCvzzn
jFuRMhitmdMCHoauBOH0jRiaDwA8mwE=
=9Ffz
-----END PGP SIGNATURE-----


Sunday, 12 April 2026

Funny DOS tool

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

New tool, as promised. This is a 0day (kinda); Microsoft will definitely try to mitigate this, but it will be a lower priority.

This tool, while stupid, is quite dangerous because, if paired with BlueHammer, your machine is basically a hole: anyone can run anything with administrator privileges, and Windows Defender can't really do much about it.

Considering that's the whole purpose of an antivirus, you're better off removing it lol.


https://github.com/Nightmare-Eclipse/UnDefend


-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCadwnHgAKCRDFFoRCS0/S
bF90APwKGUbQx/hnjQW5OoAOupa3pkDbmlm+ovQ9ANigb7yPTgD/Zg9BRfR57nM4
Uq3bu1KXpYwp15EuYq56SH6f/M1VFQQ=
=KcQc
-----END PGP SIGNATURE-----
