RedSun
RedSun is a publicly released Windows local privilege escalation exploit/tool that abuses a logic flaw in Microsoft Defender's file remediation and cloud file rollback path to achieve SYSTEM-level code execution from an unprivileged user context. The content describes RedSun as exploiting missing reparse point validation in Defender's remediation workflow, allowing an attacker to redirect Defender's privileged write operation into C:\Windows\System32 via a junction or mount point and place an attacker-controlled binary there. Reported tradecraft includes use of the Windows Cloud Files API, batch OPLOCKs, Volume Shadow Copy Service activity as a synchronization signal, and execution of a malicious TieringEngineService.exe via the Storage Tiers Management Engine COM server to obtain SYSTEM execution. The exploit was reported as confirmed on Windows 11 25H2 Build 26200.8246 with real-time protection enabled, and multiple sources in the content state it does not require administrative rights, a UAC bypass, or a kernel exploit.

RedSun is associated with the researcher alias Chaotic Eclipse, also referred to as Nightmare-Eclipse, and Microsoft linked it to CVE-2026-41091 in June 2026 Patch Tuesday coverage. Other content states RedSun remained unpatched as of May 2026. Huntress reported in-the-wild use of RedSun alongside BlueHammer and UnDefend in a live intrusion that began with compromised FortiGate VPN credentials; observed execution included RedSun.exe from a user Downloads directory, though Huntress stated the privilege escalation attempt did not appear to succeed in that case.

High-confidence observables and artifacts mentioned in the content include execution of RedSun.exe, attempted overwrite of TieringEngineService.exe in System32, use of the named pipe \pipe\REDSUN, and abuse of Defender remediation behavior to execute attacker-planted binaries as SYSTEM.
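The observables above (RedSun.exe launched from a Downloads folder, a write to TieringEngineService.exe under System32, the named pipe \pipe\REDSUN, and a subsequent SYSTEM launch of the planted binary) translate directly into triage rules. The following Python helper is an added example, not Mallory's code and not the exploit author's: it runs those rules over constructed, Sysmon-like event dictionaries and correlates an overwrite of TieringEngineService.exe with a later execution of it on the same host. The event field names, the sample timestamps and the ten-minute correlation window are assumptions for illustration.

```python
"""Triage helper for the RedSun observables named in the profile (added example)."""
import ntpath
from datetime import datetime, timedelta

# Path suffix of the binary the profile says RedSun attempts to overwrite.
SYSTEM32_TIERING = r"\windows\system32\tieringengineservice.exe"
# Assumption: an overwrite followed by execution within this window is treated
# as the planted binary running, not as a legitimate servicing event.
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample telemetry (not real logs). Field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2026-05-20T10:00:00", "host": "WS01", "type": "process_create",
     "image": r"C:\Users\alice\Downloads\RedSun.exe", "user": r"CORP\alice"},
    {"ts": "2026-05-20T10:00:01", "host": "WS01", "type": "pipe_created",
     "image": r"C:\Users\alice\Downloads\RedSun.exe", "pipe_name": r"\REDSUN"},
    {"ts": "2026-05-20T10:00:02", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\notepad.exe", "user": r"CORP\alice"},
    {"ts": "2026-05-20T10:00:05", "host": "WS01", "type": "file_write",
     "target_filename": r"C:\Windows\System32\TieringEngineService.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"ts": "2026-05-20T10:00:07", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\TieringEngineService.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"ts": "2026-05-20T10:00:08", "host": "WS01", "type": "pipe_created",
     "image": r"C:\Windows\System32\lsass.exe", "pipe_name": r"\lsass"},
    # Second host: overwrite seen, but execution falls outside the window.
    {"ts": "2026-05-20T10:30:00", "host": "WS02", "type": "file_write",
     "target_filename": r"C:\Windows\System32\TieringEngineService.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"ts": "2026-05-20T11:00:00", "host": "WS02", "type": "process_create",
     "image": r"C:\Windows\System32\TieringEngineService.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
]


def _norm(path):
    """Lower-case a Windows path so comparisons are case-insensitive."""
    return (path or "").lower()


def _alert(rule, severity, ev, detail):
    return {"rule": rule, "severity": severity, "host": ev["host"],
            "ts": ev["ts"], "detail": detail}


def triage(events):
    """Return alerts for the RedSun observables, in timestamp order."""
    alerts = []
    overwrites = {}  # host -> timestamps of writes to the System32 tiering binary
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        kind = ev["type"]
        if kind == "process_create":
            image = _norm(ev.get("image"))
            if ntpath.basename(image) == "redsun.exe":
                # The profile's in-the-wild case ran from a user Downloads directory.
                sev = "high" if "\\downloads\\" in image else "medium"
                alerts.append(_alert("redsun_binary_execution", sev, ev, image))
            if image.endswith(SYSTEM32_TIERING):
                recent = [t for t in overwrites.get(ev["host"], [])
                          if timedelta(0) <= ts - t <= CORRELATION_WINDOW]
                if recent:
                    alerts.append(_alert("planted_tiering_engine_executed",
                                         "critical", ev,
                                         "executed after recent overwrite"))
        elif kind == "file_write":
            target = _norm(ev.get("target_filename"))
            if target.endswith(SYSTEM32_TIERING):
                overwrites.setdefault(ev["host"], []).append(ts)
                # Medium on its own: servicing can legitimately touch this file,
                # so the write is reviewed and used as correlation input.
                alerts.append(_alert("tiering_engine_overwrite", "medium", ev, target))
        elif kind == "pipe_created":
            name = _norm(ev.get("pipe_name"))
            if name == "\\redsun" or name.endswith("\\pipe\\redsun"):
                alerts.append(_alert("redsun_named_pipe", "high", ev, name))
    return alerts


def rules_fired(events):
    """Ordered list of rule names, convenient for a quick look at a host."""
    return [a["rule"] for a in triage(events)]


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["host"]:5} {a["severity"]:8} {a["rule"]}: {a["detail"]}')
```

On the constructed input the first host produces the full chain (execution, named pipe, overwrite, then the critical correlated launch), while the second host yields only the medium overwrite alert because the later execution falls outside the window. The write rule is deliberately not suppressed for any particular writer process, since the profile does not name the Defender process that performs the redirected write; tune that exclusion from your own baseline.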
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories.
CVE-2026-41091 – Microsoft Defender Elevation of Privilege Vulnerability ... Microsoft connects these four CVEs to specific items disclosed by the Chaotic Eclipse researcher earlier this month ... respectively, these touch MiniPlasma, RedSun, YellowKey, and GreenPlasma ... Appendix B: Exploitation detected CVE-2026-41091 Microsoft Defender Elevation of Privilege Vulnerability.
The newly published exploit, dubbed “RedSun,” was uploaded to a public GitHub repository by the researcher.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (5 techniques)
Upon execution in the SYSTEM context, the payload duplicates a privileged token, assigns it to the active user session, and spawns an interactive console (conhost.exe), granting the attacker full administrative control.
That fix didn't stop attackers from exploiting BlueHammer, as well as targeting RedSun and UnDefend after Nightmare-Eclipse's disclosure of those exploits.
RedSun then calls the Storage Tiers Management engine COM object, which runs locally as SYSTEM. This subsequently executes C:\Windows\System32\TieringEngineService.exe, which is a copy of RedSun.
Persistence (1 technique)
Privilege Escalation (5 techniques)
CVE-2026-41091 – Microsoft Defender Elevation of Privilege Vulnerability ... CVE-2026-45586 – Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability ... CVE-2026-41091 Microsoft Defender Elevation of Privilege Vulnerability Exploitation detected
Threat actors were observed deploying the tools under disguised filenames such as FunnyApp.exe, gaining initial access through compromised FortiGate VPN credentials before pivoting to Defender exploits for privilege escalation.
Stealth (8 techniques)
the engine's remediation logic attempts to "restore" or overwrite the file to neutralize the threat.
First, it POSIX-deletes the original EICAR file... The flags FILE_DISPOSITION_DELETE (0x1) and FILE_DISPOSITION_POSIX_SEMANTICS (0x2) remove the file’s name from the directory immediately while the handle remains open.
LaunchTierManagementEng activates the Storage Tiers Management COM object with CLSCTX_LOCAL_SERVER, which causes Windows to launch TieringEngineService.exe as SYSTEM because that is how the service is registered.
Defense Impairment (1 technique)
Credential Access (1 technique)
Discovery (1 technique)
Command and Control (2 techniques)
Impact (1 technique)
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Named item tied to CVE-2026-41091 in the Chaotic Eclipse disclosures; Sophos lists detection as ATK/RedSun-A.
A Windows Defender exploit tool that abuses the cloud file rollback mechanism to execute attacker-planted binaries with SYSTEM privileges.
Referenced as RedSun in a Splunk attack simulation dataset for privilege escalation within an attack range environment.
A named component of the Nightmare-Eclipse tooling set observed in a live intrusion.