A lone researcher has once again turned the tables on Microsoft. Hours after the company’s May 2026 Patch Tuesday rollout fixed 120 flaws but no zero-days, an anonymous figure known as Nightmare-Eclipse or Chaotic Eclipse dropped proof-of-concept code for two more unpatched vulnerabilities. One cracks BitLocker wide open. The other hands attackers SYSTEM privileges with relative ease.
YellowKey and GreenPlasma mark the latest escalation in what security observers call a personal campaign of retaliation. The researcher claims Microsoft violated an agreement, left him homeless, and forced his hand. “I never wanted to reopen a blog and a new GitHub account to drop code,” he wrote in an earlier post. “But someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.”
Short. Direct. And backed by action. This marks the fifth such disclosure from the same source this year. Previous releases included BlueHammer, patched by Microsoft, and RedSun plus UnDefend, which remain open. Real-world attackers wasted little time weaponizing those earlier proofs.
YellowKey stands out. It bypasses BitLocker encryption on Windows 11, Windows Server 2022, and Windows Server 2025. No kernel exploits. No complex malware. The attacker prepares a USB drive with specially crafted files in a hidden FsTx directory, plugs it in, forces a reboot into the Windows Recovery Environment, and enters a specific key sequence. A command shell appears. The protected volume sits fully unlocked.
The researcher called it “one of the most insane discoveries I ever found.” He went further. The vulnerable component appears only in the recovery image; a component of the same name ships in normal Windows installs, yet lacks the bypass trigger. “Why? I just can’t come up with any explanation other than the fact that this was intentional.” He stopped short of proving a planted backdoor. Experts remain skeptical of that claim but acknowledge the bug’s severity.
Rik Ferguson, VP of security intelligence at Forescout, put it plainly. If the claims hold, “a stolen laptop stops being a hardware problem and becomes a breach notification.” (The Register)
Gavin Knapp, cyber threat intelligence principal lead at Bridewell, added context on organizational risk. YellowKey represents “a huge security problem for organizations using BitLocker.” Mitigation exists but requires discipline: enable a BitLocker PIN plus BIOS password lock. (The Register)
But. The exploit works even against TPM-plus-PIN setups in some configurations, the researcher later clarified. He withheld the full TPM variant PoC. “I think what’s out there is already bad enough.” Independent testers confirmed the base version functions, though key presses can prove finicky. Kevin Beaumont and Will Dormann both validated core behavior. Dormann dissected the mechanism: Windows replays NTFS transaction logs from the FsTx directory during recovery boot, deletes winpeshl.ini, and launches cmd.exe against an unlocked volume. (BleepingComputer)
GreenPlasma takes a different path. It targets ctfmon.exe, the SYSTEM-level process behind text input and accessibility features present in every interactive Windows session. The partial exploit creates an arbitrary memory section object in a location writable by SYSTEM but normally off-limits to standard users. Registry and permission tricks then lure ctfmon into interacting with attacker-controlled memory. Shellcode or fake DLLs follow.
The researcher released it incomplete on purpose. A challenge. “If you’re smart enough, you can turn this into a full privilege escalation as you can influence the newly created section to manipulate data.” Security researcher Het Mehta outlined the chain: arbitrary section creation, registry manipulation, and trust assumptions by services and even kernel drivers. (Cybernews)
Escalation meets real-world speed.
Previous drops from this researcher moved fast into attacker toolkits. Huntress documented active exploitation of earlier Nightmare-Eclipse code within hours. The pattern repeats. Organizations now face immediate exposure on laptops, shared workstations, and any device where physical access or initial foothold exists.
Knapp warned how privilege escalations like GreenPlasma fit larger attacks. “These elevation of privilege vulnerabilities are often weaponized during post-exploitation to enable threat actors to discover and harvest credentials and data, before moving laterally to other systems, prior to end goals such as data theft and/or ransomware deployment.” No mitigation exists today beyond waiting for Microsoft. (The Register)
Microsoft responded to questions about the latest leaks with a standard statement. The company investigates reported issues and updates devices “to protect customers as soon as possible.” It stressed support for coordinated vulnerability disclosure, “a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure.” The firm also noted it silently fixed RedSun without assigning a CVE. (BleepingComputer)
Yet the researcher shows no sign of stopping. His blog and GitHub repositories carry clear threats. “Next Patch Tuesday will have a big surprise for you Microsoft.” A dead man’s switch sits ready with additional material. “The fire will go as long as you want, unless you extinguish it or until there is nothing left to burn.” He has delivered on every prior warning.
And the scope may widen. Recent actions, he says, forced a “difficult decision to drag other companies into this. Be prepared to answer questions.”
Security teams already track the aliases Nightmare-Eclipse and Chaotic Eclipse across GitHub and Blogspot. Forks of earlier code proliferated quickly. Community attention remains high. Some speculate the researcher once worked inside Microsoft. Rumors only. No confirmation exists.
The timing feels deliberate. Patch Tuesday announcements create a window of distraction. Researchers and defenders focus on the official list. Then these drops land. Five bugs so far. More promised. BlueHammer received a CVE and patch. Others linger. RedSun, for instance, was fixed quietly and, in some cases, without public credit or an identifier.
This situation exposes tensions in how vendors handle independent reports. The researcher alleges broken agreements and dismissive treatment. Microsoft champions coordinated disclosure. Both sides claim the high ground. Customers sit in the middle, exposed while the dispute plays out in public.
Defenders hold limited options right now. For BitLocker, add PINs and BIOS passwords where feasible. Restrict physical access and USB boot on sensitive devices. Monitor for unusual recovery environment activity. Watch endpoints for signs of ctfmon abuse. But these steps buy time only. Patches must come.
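As an added example (not code from the article, the researcher, or Microsoft), a PowerShell audit that lists every BitLocker volume and flags those protected by the TPM alone, without the startup PIN the mitigation above calls for. It assumes the built-in BitLocker module's Get-BitLockerVolume cmdlet and an elevated shell; the finding labels are this example's own.

```powershell
# Added audit script (not from the article or the researcher): enumerates BitLocker
# volumes and flags TPM-only protection, i.e. no boot-time PIN. Requires the BitLocker
# PowerShell module (Windows client/server) and an elevated session.

function Get-BitLockerPinAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Collect the protector types attached to this volume (Tpm, TpmPin, RecoveryPassword, ...)
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # TpmPin / TpmPinStartupKey demand a PIN before the OS unseals the key; bare Tpm does not.
        $hasPin    = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly   = ($types -contains 'Tpm') -and (-not $hasPin)
        $hasEscrow = $types -contains 'RecoveryPassword'

        # Finding labels are this example's own convention, not a Microsoft status value.
        if ($vol.ProtectionStatus -ne 'On') { $finding = 'ProtectionOff' }
        elseif ($tpmOnly)                   { $finding = 'AddPin' }
        elseif (-not $hasEscrow)            { $finding = 'NoRecoveryPassword' }
        else                                { $finding = 'OK' }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            VolumeStatus     = $vol.VolumeStatus
            Protectors       = ($types -join ',')
            TpmOnly          = $tpmOnly
            HasRecoveryKey   = $hasEscrow
            Finding          = $finding
        }
    }
}

# Usage: show the full table, then warn on anything that needs attention.
$audit = Get-BitLockerPinAudit
$audit | Format-Table -AutoSize
$audit | Where-Object { $_.Finding -ne 'OK' } | ForEach-Object {
    Write-Warning ("{0}: {1} (protectors: {2})" -f $_.MountPoint, $_.Finding, $_.Protectors)
}
```

Volumes reported as AddPin are candidates for Add-BitLockerKeyProtector -TpmAndPinProtector once the startup-authentication policy permits it; the BIOS password and USB-boot restrictions the article mentions are firmware settings and cannot be checked from this script.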
The researcher insists the conflict ends when Microsoft “resolve[s] the situation responsibly.” Until then, the disclosures continue. Organizations cannot treat this as abstract drama between one individual and one vendor. The code runs on millions of production systems. The exploits work today.
Watch the next Patch Tuesday closely. The promised surprise may arrive without invitation. And this time the stakes include not just Windows but potentially partners dragged into the fray. The pattern holds. Promises kept. Code dropped. Systems fall.