Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2026-45586 – Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability ... Microsoft judges two of them (CVE-2026-45585, CVE-2026-45586) as more likely to be exploited within the next 30 days. | Microsoft connects these four CVEs to specific items disclosed by the Chaotic Eclipse researcher earlier this month – respectively, these touch MiniPlasma, RedSun, YellowKey, and GreenPlasma.
9 distinct techniques documented for this family, organized by ATT&CK tactic.
As for GreenPlasma, it's supposed to get an attacker full system-level access ... by manipulating the CTFMon process into placing a crafted memory section object ... in any Windows Object Manager section the SYSTEM user has write access to, bypassing regular access controls.
CVE-2026-41091 – Microsoft Defender Elevation of Privilege Vulnerability ... CVE-2026-45586 – Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability ... CVE-2026-41091 Microsoft Defender Elevation of Privilege Vulnerability Exploitation detected
CVE-2026-50507 is a Windows BitLocker bypass that can only be exploited by attackers who have physical access to target devices. (This is believed to be the vulnerability exploited by Nightmare Eclipse’s “GreenPlasma” exploit.) CVE-2026-45585, another Windows BitLocker bypass, has also received a fix. Microsoft acknowledged ... this is the fix for the vulnerability exploited by Nightmare Eclipse’s “YellowKey” exploit.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named item tied to CVE-2026-45586 in the Chaotic Eclipse disclosures; Sophos lists detection as Troj/GrPlasma-A.
A Windows local privilege escalation exploit/tool that abuses a predictable shared memory object path during the UAC secure desktop switch by pre-planting a symbolic link, allowing a low-privileged process to obtain a handle to a SYSTEM-created section object and redirect execution flow to spawn a payload.
A proof-of-concept technique for privilege escalation through Windows object manager behavior, creating attacker-controlled section objects in trusted namespaces via symbolic links and CTF-related namespace interactions.