Friday, 29 May 2026

Announcing Bitskrieg

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Soooo, something extremely funny is happening.


After the recent events, multiple researchers reached out to me and some just literally gave me free vulnerabilities...

One of them was JonasLyk; he did most of the work, I just did the emotional support part. But he found a way to violate Secure Boot trust. It's not a full Secure Boot bypass, but it breaks the guarantees Secure Boot is supposed to provide. We believe this can be used to compromise confidential virtual machines, but we're not really sure if that's possible since we don't have access to such technologies.

One thing we're sure of is that it fully bypasses BitLocker.


The bug will be released sometime in June ;)

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCahqAywAKCRDFFoRCS0/S
bHA+AQCILdI4RpsBgQlBXMj+AiDQAD7pY66DzWb20jqqAh1FTQEAiGtNbE8T337u
wzeziu45/o+T4PdtQw+3sTInYFf56A8=
=V+4y
-----END PGP SIGNATURE-----


Thursday, 28 May 2026

Sunday, 24 May 2026

Welp

Unsigned message because it's not important, but tomorrow will be one of the hardest days of my life.

Wish me luck.

Saturday, 23 May 2026

July 14th

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Okay,


So let me get this straight: when I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people.

You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with, and I got zero pennies from doing so and I still happily did so like an idiot.

Now you take the courtesy to flag my GitHub account and wipe it out of the public, just like that? You are proving to everyone that you are actively escalating this conflict, but I'm done begging you.

I might sound like a crazy idiot who is whining around, but I have proof for every single word I said, I just can't release it yet. Why? Microsoft still has chains in my hands, it's been like this for years and I just can't stay silent anymore. I hope I can release the documents soon.


Mark this date, July 14th, I will make sure your bones are shattered that day. Nothing will be released this June (or maybe I will release something, depending on circumstances).


Also,

CVE-2026-45498 is UnDefend

CVE-2026-41091 is RedSun



New GitLab account,

https://gitlab.com/nightmare-eclipse

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCahGg+gAKCRDFFoRCS0/S
bBMIAPsEczivsL71pbJizJHHlNNOf9guPAFFshJhhkwrDrwZ5wD/Vz6Z+d6vSvhQ
uVrEh4lPM84Q8+J56RLa50Zp46QLkAY=
=8wON
-----END PGP SIGNATURE-----


Wednesday, 20 May 2026

Dear Microsoft,

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Regarding CVE-2026-45585,


"Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices."


Saying that I violated CVD best practices is a defamation of my personal reputation; you already told me you would be defaming me, and doing it in public will not help dissolve this conflict.

You intentionally revoked my access to the MSRC account that I used to report vulnerabilities to you. When I asked you about it, you went ahead and completely wiped the account from existence despite multiple attempts at asking for an explanation. All of those requests went unanswered by the MSRC leadership.


I'm taking your statement very personally.


-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCag3sIAAKCRDFFoRCS0/S
bGSGAQDELxy4ZBT4kvHoIHtyX0FEbGZdTaksQOrOLwLVOWRYhQEAgvaD1GeSyK2+
oWRzWr9CNANzXZMKgRBkUFoQG9Tv1AA=
=WRSl
-----END PGP SIGNATURE-----


Friday, 15 May 2026

MiniPlasma, a powerful LPE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


This one is accidental, I didn't even think cldflt.sys had that vulnerability. Turns out the CVE-2020-17103 patch is just not present at all?


The new PoC was tested against fully patched Windows 11 and Windows Server 2025 and managed to flawlessly spawn a SYSTEM shell.


https://github.com/Nightmare-Eclipse/MiniPlasma

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCaggLWQAKCRDFFoRCS0/S
bHKSAP4/bkKYCDTKZvq5WoUsWKuYgWBvlfun8KYJtNgYREezVAEAj8cg30Pjcjcu
REzr4eniahPoc6bleEEos0PwVOUa5AA=
=oct9
-----END PGP SIGNATURE-----


Thursday, 14 May 2026

Important updates regarding YellowKey and GreenPlasma

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Recently two researchers had interesting discoveries regarding YellowKey and GreenPlasma,


YellowKey is caused by the binary "autofstx.exe", which propagates all present volumes for transaction files. A researcher (unsure if they want to be named) told me that this binary is also present in Windows Update WinRE images, and I think they will definitely have the same vulnerability as well. However, I'm unsure if it's possible to trigger the controlled file deletion while Windows is updating. If it's true, then it means disabling WinRE is not a solution for the problem, which also means it's a good thing that I kept the PIN+TPM PoC a secret.


Regarding GreenPlasma, I'm unaware if anyone has managed to make a full exploit yet, but people are trying hard to make it work as it obviously violates a Windows security boundary. The thing is, another researcher noticed one of my techniques to write to a protected registry key in HKCU (which isn't a security boundary), but they also told me that, hypothetically speaking, this technique could be used to write to another user's hive, which is obviously an EoP.

This technique that I used was inspired by a Google Project Zero finding:

https://project-zero.issues.chromium.org/issues/42451192

After reading this issue, I attempted to figure out how Microsoft patched the issue, but I never found out how. At that point I was a bit too tired, so I thought maybe it's something I missed and it's definitely patched. To my surprise, this researcher who reached out regarding this thing has managed to reproduce the issue on a fully patched Windows 11 machine and on Windows Insider Preview. Which means this was an elevation of privilege vulnerability that was sitting in plain sight for God knows how long.


I have not tested whether either the YellowKey or GreenPlasma news is true, but I believe they are. I uploaded the CVE-2020-17103 PoC directly from Project Zero to GitHub in case Project Zero decides to remove it. It will still be there on GitHub.

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCagY6/AAKCRDFFoRCS0/S
bKCyAP4+yIbtuhyKUm84UHUZmJ3R7H51ySfYfaDdg4RO7aUxhAEA8uv36AM1norC
qnuG00ATch/ugDM8lNHPqM4ywZ6Kxg4=
=rzJa
-----END PGP SIGNATURE-----
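The post above and the 13 May post mention two settings a defender will want to know the state of on their own fleet: which BitLocker key protector types each volume actually relies on (TPM-only versus TPM+PIN) and whether WinRE is enabled. The script below is an added example, not code from the original posts or from any of the linked repositories. It assumes a Windows 10/11 host with the BitLocker PowerShell module, an elevated prompt, and that reagentc.exe prints its English-language status line; the function names are mine.

```powershell
# Added example (not from the original posts): report BitLocker protector types
# per volume and the WinRE status, the two settings the posts discuss.
# Assumptions: elevated PowerShell on Windows 10/11 with the BitLocker module;
# reagentc.exe is on PATH and prints an English "Windows RE status:" line.

function Get-BitLockerProtectorSummary {
    # One object per BitLocker-capable volume with the protector types present.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint          = $_.MountPoint
            VolumeStatus        = $_.VolumeStatus
            ProtectionStatus    = $_.ProtectionStatus
            Protectors          = ($types -join ', ')
            # TPM-only: the volume unlocks at boot without any user-held secret.
            TpmOnly             = ($types -contains 'Tpm') -and -not $hasPin
            HasTpmPin           = $hasPin
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        }
    }
}

function Get-WinReStatus {
    # reagentc /info prints a line such as "Windows RE status:   Enabled".
    $output = & reagentc.exe /info 2>&1 | Out-String
    if ($output -match 'Windows RE status:\s*(\w+)') { return $Matches[1] }
    return 'Unknown'
}

function Get-BootProtectionReport {
    $volumes = @(Get-BitLockerProtectorSummary)
    [pscustomobject]@{
        WinRE          = Get-WinReStatus
        Volumes        = $volumes
        # Encrypted volumes that unlock with the TPM alone (no PIN).
        TpmOnlyVolumes = @($volumes |
            Where-Object { $_.ProtectionStatus -eq 'On' -and $_.TpmOnly } |
            ForEach-Object MountPoint)
    }
}

$report = Get-BootProtectionReport
"WinRE status: $($report.WinRE)"
$report.Volumes | Format-Table MountPoint, VolumeStatus, ProtectionStatus, Protectors, HasTpmPin, HasRecoveryPassword -AutoSize
if ($report.TpmOnlyVolumes.Count -gt 0) {
    "Volumes unlocked by TPM only (no PIN): $($report.TpmOnlyVolumes -join ', ')"
}
```

The report is an inventory, not a fix: the posts state that TPM+PIN does not stop YellowKey and that disabling WinRE may not be a complete answer either, so its value is in knowing the current configuration of each machine and spotting when a protector set or the WinRE state changes between runs.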


Wednesday, 13 May 2026

We're doing silent patches now huh, also a quick note about YellowKey

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


I just noticed that Microsoft silently patched the RedSun vulnerability, no CVE, no nothing, just a silent patch. Not surprised they never admit their mistakes but considering it was under active exploitation, having zero advisory is insane.


Now regarding YellowKey, lots of you are wondering how one even finds such a backdoor?

I'll tell you how: it took me more time trying to get it to work than the amount of sleep I had in two years combined. No AI involved, no help in any shape or form. I could have made some insane cash selling this, but no amount of money will stand between me and my determination against Microsoft.

Funny thing is, no one, and I say again NO ONE, has managed to figure out how YellowKey works; the real root cause is still unknown to the general public. I think it will take a while even for MSRC to find the real root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden.

Second thing is: No, TPM+PIN does not help, the issue is still exploitable regardless. I asked myself this question, can it still work in a TPM+PIN environment? Yes it does. I'm just not publishing the PoC, I think what's out there is already bad enough.


I can't wait when I will be allowed to disclose the full story, I think people will find my crashout very reasonable and it definitely won't be a good look for Microsoft.


-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCagRfWwAKCRDFFoRCS0/S
bDlGAP42z1Tck5TFPhaUbrC7WHcDwzr/ajAPLfj2ttXKfph30gEAm0KIZyf874gb
WAAGxop9J4RtzHIcQG6iPd1UqmWxhwM=
=xXqu
-----END PGP SIGNATURE-----


Tuesday, 12 May 2026

Two more public disclosures, it will never stop

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Here are the links, yes, two vulnerabilities this time. Defender has been spared because I know Microsoft will tighten the strings if I target one specific component too often. Don't ask how I know.


https://github.com/Nightmare-Eclipse/YellowKey

https://github.com/Nightmare-Eclipse/GreenPlasma


Microsoft has chosen to make this worse instead of resolving the situation like adults; they pulled every childish game possible. My patience is running out, and you're making everyone else pay for it.


I hope you at least attempt to resolve the situation responsibly. I'm not sure what type of reaction you expected from me when you threw more gas on the fire after BlueHammer. The fire will go on as long as you want, unless you extinguish it or until there is nothing left to burn.


Your recent actions made me take the difficult decision to drag other companies into this, be prepared to answer questions.

Next Patch Tuesday will have a big surprise for you, Microsoft. And remember, I never failed to deliver a promise.


-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCagNlvwAKCRDFFoRCS0/S
bCvjAQDVurDgXRdoE76+lSAsucc7bYTesGTQlhejiisdJD8oAwD+LK4GXV+apocq
pvzD/Ikz+6NV3PZD0TyDy7odM0KmKgI=
=5WrI
-----END PGP SIGNATURE-----