An anonymous security researcher, who feels stabbed in the back, has put on a grey hat and dropped a dangerous zero-day Windows privilege escalation exploit on GitHub.
Run the FunnyApp.exe, and you’re a Windows admin. An unknown individual just dropped a zero-day exploit for elevating privileges on Windows. The bug is unpatched. The leaker suggests the situation could’ve been easily avoided if Microsoft had acted differently.
“Running that ‘whoami’ and seeing SYSTEM just hits different,” one of the GitHub users said about the working unpatched exploit.
Eight of 72 cybersecurity vendors on VirusTotal have already flagged the file as malicious. However, with publicly available proof-of-concept C code, cybercriminals can recompile countless malicious variants with other unique hashes, evading signature-based detection.
Security researchers confirm that the local privilege escalation exploit is valid.
Justin Elzem, CTO at TrustedSEC, explains that the flaw targets Windows Defender, which has the highest SYSTEM privileges.
"This is a TOCTOU (time-of-check to time-of-use)/symlink race condition in Windows Defender's signature update mechanism – a classic pattern where a privileged service (WD running as SYSTEM) follows a file path that a low-privilege user can redirect mid-operation using junctions and object manager symlinks,” Elzem posted on X.
Will Dormann, Senior Principal Vulnerability Analyst at Tharros, confirmed the PoC by running the code and obtaining SYSTEM privileges.
However, the expert notes that the code is not 100% reliable.
“On the Server platform, it merely goes from non-admin to elevated admin. Rather than SYSTEM,” Dormann said.
The GitHub repository already has over 100 forks and nearly 300 stars, meaning that potential attackers might already be taking advantage of it.
Leaker angry at Microsoft
The exploit was posted by a new account on GitHub. The individual behind it also posted on X and Blogger, expressing their anger with the tech giant.
The first post on blogspot, released on March 26th, was threatening:
“I never wanted to reopen a blog and a new GitHub account to drop code. But someone violated our agreement and left me homeless with nothing. They knew this would happen, and they still stabbed me in the back anyways, this is their decision not mine,” the leaker using the alias “deadeclipse666” posted.
The actual exploit was published on April 2nd, 2026. It took some time for the public to notice.
“I was not bluffing Microsoft and I'm doing it again. Unlike previous times, I'm not explaining how this works, y'all geniuses can figure it out,” the grey hat posted.
He specifically called out Microsoft Security Response Center (MSRC) and its Vice President of Engineering, sending “huge thanks” for making this possible.
The leaker dubbed the exploit “BlueHammer.” They acknowledge that the code has a “few bugs” that could prevent it from working, and suggest they might fix them later.
The posts hint at a prior relationship with Microsoft that went sour, potentially a formal or informal bug bounty or responsible disclosure arrangement with the company.
“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible. We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community,” a Microsoft spokesperson told Cybernews.
Dormann acknowledged that MSRC’s practices are shifting and not for the better.
“MSRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn’t be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now.”
Microsoft explains that MSRC “on occasion” requests videos to help better understand and assess the impact, but video demonstrations are not a requirement for vulnerability disclosure submissions.
Updated on April 7th [2:30 p.m. GMT] with a statement from Microsoft.