<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Windows Defender on HackingPassion.com : root@HackingPassion.com-[~]</title><link>https://hackingpassion.com/tags/windows-defender/</link><description>Recent content in Windows Defender on HackingPassion.com : root@HackingPassion.com-[~]</description><generator>Hugo</generator><language>en</language><lastBuildDate>Fri, 12 Jun 2026 10:51:38 +0200</lastBuildDate><atom:link href="https://hackingpassion.com/tags/windows-defender/index.xml" rel="self" type="application/rss+xml"/><item><title>GreatXML Turns Windows Defender's Offline Scan Into a BitLocker Bypass</title><link>https://hackingpassion.com/greatxml-bitlocker-bypass/</link><pubDate>Fri, 12 Jun 2026 10:51:38 +0200</pubDate><guid>https://hackingpassion.com/greatxml-bitlocker-bypass/</guid><description>&lt;p>Nightmare-Eclipse is back again, this time with a BitLocker bypass called &lt;strong>GreatXML&lt;/strong> that runs straight through Microsoft&amp;rsquo;s own antivirus. On a Windows machine that has run a Defender offline scan even once, the recovery mode hands over a command shell with full access to the encrypted drive, while BitLocker still reports the disk as locked and protected. Microsoft has no patch for it. 
He published &lt;code>GreatXML&lt;/code> the day after &lt;code>RoguePlanet&lt;/code>, right after the June Patch Tuesday, the largest yet at close to 200 fixes in a single day, in which Microsoft had just fixed his first BitLocker bypass.&lt;/p></description></item><item><title>RoguePlanet Windows Defender Zero Day Hands Any User Full SYSTEM Control</title><link>https://hackingpassion.com/rogueplanet-windows-defender-zero-day/</link><pubDate>Wed, 10 Jun 2026 12:01:36 +0200</pubDate><guid>https://hackingpassion.com/rogueplanet-windows-defender-zero-day/</guid><description>&lt;p>Nightmare-Eclipse is back, with a new exploit called &lt;strong>RoguePlanet&lt;/strong>. Windows 10 and 11 have a new zero-day that lets a user with no special rights take complete control of a fully updated machine, and Microsoft has no patch for it. He dropped it on Patch Tuesday, June 9th, a few hours after Microsoft shipped its largest Patch Tuesday yet, nearly 200 fixes in a single day.&lt;/p>
&lt;p>Some of those fixes closed his own earlier bugs. So while Microsoft was busy sealing the gaps he had already found, he opened a new one in public. For weeks he had been vague about whether anything was coming in June, switching between yes and no, and then he just did it.&lt;/p></description></item><item><title>GhostTree Makes Windows Defender Stop Scanning With Two Lines of Code</title><link>https://hackingpassion.com/ghosttree-ntfs-defender-bypass/</link><pubDate>Thu, 21 May 2026 12:22:26 +0200</pubDate><guid>https://hackingpassion.com/ghosttree-ntfs-defender-bypass/</guid><description>&lt;p>&lt;strong>GhostTree&lt;/strong> makes Windows Defender stop scanning. Two lines of code, no admin rights, and malware sitting right next to it goes completely undetected. A Varonis researcher published it today, confirmed it works, and Microsoft&amp;rsquo;s first response was that this does not count as a security issue. Then they patched it anyway.&lt;/p>
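&lt;p>The NTFS junction behaviour the next paragraph describes, as an added example that is not code from the GhostTree write-up or from Varonis: a standard user creates a junction, the target&amp;rsquo;s files show up through it as if they were local, and a scanner that does not check the reparse-point attribute before descending will follow it wherever it leads. The script is self-contained and runs in Windows PowerShell 5.1 or PowerShell 7 without elevation; the paths under &lt;code>$env:TEMP&lt;/code>, the sample file and the helper names &lt;code>Test-ReparsePoint&lt;/code> and &lt;code>Get-FilesWithoutFollowingJunctions&lt;/code> are constructed for this demo.&lt;/p>

```powershell
# Added example, not code from the GhostTree write-up or from Varonis: it shows
# what an NTFS junction is, that a standard user can create one, and the
# reparse-point check a scanner needs so it does not follow the junction.
# The paths under $env:TEMP and the sample file are constructed for this demo.
$ErrorActionPreference = 'Stop'
$root   = Join-Path $env:TEMP 'junction-demo'
$target = Join-Path $root 'real'    # the directory the junction will point at
$link   = Join-Path $root 'alias'   # the junction itself

New-Item -ItemType Directory -Path $target -Force | Out-Null
Set-Content -LiteralPath (Join-Path $target 'sample.txt') -Value 'constructed sample file'

# No elevation needed: write access to $root is enough to create a junction.
New-Item -ItemType Junction -Path $link -Target $target | Out-Null

# Seen through the junction, the target's files look like ordinary local files.
Get-ChildItem -LiteralPath $link | Select-Object Name

# The junction's own directory entry carries the ReparsePoint attribute.
function Test-ReparsePoint {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    return (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0)
}

# A walk that checks every directory entry before descending. Reparse points are
# reported with their target instead of being followed, so the enumeration can
# never be redirected out of the tree it started in (or into a loop).
function Get-FilesWithoutFollowingJunctions {
    param([Parameter(Mandatory)][string]$Root)
    foreach ($entry in Get-ChildItem -LiteralPath $Root -Force) {
        if (Test-ReparsePoint -Path $entry.FullName) {
            $dest = @($entry.Target)[0]   # string in PowerShell 7, string[] in 5.1
            Write-Warning ("{0} is a {1} pointing to {2}; not following it" -f $entry.FullName, $entry.LinkType, $dest)
            continue
        }
        if ($entry.PSIsContainer) {
            Get-FilesWithoutFollowingJunctions -Root $entry.FullName
        } else {
            $entry.FullName
        }
    }
}

Test-ReparsePoint -Path $link
Test-ReparsePoint -Path $target
Get-FilesWithoutFollowingJunctions -Root $root

# Cleanup. Directory.Delete on a junction removes only the link itself, never
# the target's contents, which is why it is used here instead of Remove-Item.
[System.IO.Directory]::Delete($link)
Remove-Item -LiteralPath $root -Recurse -Force
```

&lt;p>The same check in native code is a test of &lt;code>FILE_ATTRIBUTE_REPARSE_POINT&lt;/code> in the &lt;code>dwFileAttributes&lt;/code> that &lt;code>FindFirstFileW&lt;/code>/&lt;code>FindNextFileW&lt;/code> already return for each entry, made before the entry is opened or recursed into. The decision a scanner has to make is the same either way, and junction-based tricks work precisely because most of them never make it.&lt;/p>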
&lt;p>Windows lets you create a directory entry that points to another folder; the Windows name for it is an &lt;strong>NTFS junction&lt;/strong>. The operating system resolves that pointer transparently, so the target&amp;rsquo;s contents appear at the junction path as if they were really there. Most applications and scanners follow junctions the same way unless they explicitly check for the reparse-point attribute, which most do not. The feature has been built into NTFS for decades and has a perfectly legitimate purpose: backward compatibility, keeping old software working when file locations change. The part that matters for this attack: any standard user account can create one. No admin rights are needed. Write access to the parent folder is enough, and most users already have that in their own profile and in shared directories.&lt;/p></description></item><item><title>RedSun and UnDefend: Two Unpatched Windows Defender Zero-Days</title><link>https://hackingpassion.com/redsun-undefend-defender-zero-days/</link><pubDate>Sun, 19 Apr 2026 10:57:14 +0200</pubDate><guid>https://hackingpassion.com/redsun-undefend-defender-zero-days/</guid><description>&lt;p>Two unpatched Windows Defender zero-days have been actively exploited since &lt;strong>April 16th&lt;/strong>, and both of them work on fully patched &lt;strong>Windows 10&lt;/strong>, &lt;strong>Windows 11&lt;/strong>, and &lt;strong>Server 2019&lt;/strong> and later, including machines that installed this month&amp;rsquo;s Patch Tuesday updates. One of them makes Defender write the attacker&amp;rsquo;s payload into &lt;strong>System32&lt;/strong> by itself, then stands back and lets Windows run it as &lt;strong>SYSTEM&lt;/strong>. The other blocks Defender from receiving any new virus definitions and lies to the EDR management console about it, showing green checkmarks on machines that are already fully compromised. 
😏&lt;/p></description></item><item><title>Windows Defender Is Being Used to Hack Windows</title><link>https://hackingpassion.com/bluehammer-windows-defender-zero-day/</link><pubDate>Fri, 10 Apr 2026 11:15:27 +0200</pubDate><guid>https://hackingpassion.com/bluehammer-windows-defender-zero-day/</guid><description>&lt;p>Windows Defender, the built-in antivirus running on every Windows machine, has a zero-day exploit with full source code sitting on GitHub. No patch, no CVE, and confirmed working on fully updated Windows 10 and 11. A researcher who says Microsoft went back on their word just handed every attacker paying attention a privilege escalation that takes any low-privileged account straight to &lt;strong>NT AUTHORITY\SYSTEM&lt;/strong>. On Windows Server the result is different but still serious: a standard user ends up with elevated administrator access. 😏&lt;/p></description></item></channel></rss>