
Rogue Researcher Drops New Windows Zero-Days, Targets Microsoft

A controversial security researcher has once again shaken the cybersecurity world by releasing a fresh wave of Windows zero-day vulnerabilities — just days after Microsoft’s Patch Tuesday updates. Operating under the aliases “Chaotic Eclipse” and “Nightmare Eclipse,” the individual is rapidly becoming known for a pattern of retaliatory disclosures that leave enterprises scrambling.

This latest release marks the third consecutive round of exploit drops in recent weeks, escalating an already tense situation between the researcher and Microsoft.

A Pattern of Timed Exploit Releases

The researcher has been timing each release to land immediately after Patch Tuesday. That timing maximizes the exposure window: organizations that have just applied the monthly updates assume they are current, and unless Microsoft ships an out-of-band fix, the next scheduled update is roughly a month away.

The campaign began in early April with a Windows Defender privilege escalation flaw, followed by another critical vulnerability just weeks later. Both exploits let a local attacker reach SYSTEM, the most privileged account on a Windows host.

Now, in the latest drop, the focus has shifted to something even more alarming: a BitLocker bypass vulnerability.

The “Yellow Key” BitLocker Bypass

The newly disclosed exploit, dubbed “Yellow Key,” targets BitLocker — Microsoft’s built-in disk encryption feature designed to protect sensitive data even if a device is physically compromised.

According to the researcher, the exploit allows attackers to bypass BitLocker entirely with a surprisingly simple method:

  • Insert a specially crafted USB device
  • Boot into the Windows Recovery Environment
  • Trigger a specific key sequence
  • Gain unrestricted access to the encrypted drive

If the claim holds up under independent validation, it would undermine one of the core protections enterprises rely on to protect data at rest.

The researcher described the discovery as “one of the most insane” vulnerabilities they have encountered, even suggesting it resembles a potential backdoor due to the unexplained presence of certain system components.

Notably, the vulnerability appears to affect Windows 11, Windows Server 2022, and Server 2025, while older systems such as Windows 10 remain unaffected.
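Whatever the final verdict on "Yellow Key", the first question for a defender is which devices are configured so that the OS volume is unlocked automatically at boot (TPM-only protectors) and whether the recovery environment is even present on them. The following PowerShell audit is an added example written for this article, not code from the researcher or from Microsoft; it uses only the built-in BitLocker module and reagentc.exe, must run elevated, and assumes an English-language reagentc output when it parses the "Windows RE status" line.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker protector types and WinRE state on the local host.
# Assumes the BitLocker PowerShell module (Windows 10/11 Pro/Enterprise, or the
# BitLocker feature on Server) and an English-language reagentc.exe.

function Get-BitLockerPosture {
    [CmdletBinding()]
    param()

    # reagentc /info prints a line such as "Windows RE status: Enabled".
    $reLine = (& reagentc.exe /info 2>&1) |
              Select-String -Pattern 'Windows RE status:\s*(\w+)' |
              Select-Object -First 1
    $reStatus = if ($reLine) { $reLine.Matches[0].Groups[1].Value } else { 'Unknown' }

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Assumption for this check: a volume protected by TPM alone (no PIN or
        # startup key) releases its key before any user authenticates, which is
        # the state physical-access and recovery-environment attacks rely on.
        $hasPin  = @($types | Where-Object { $_ -in @('TpmPin', 'TpmPinStartupKey') }).Count -gt 0
        $tpmOnly = ($types -contains 'Tpm') -and -not $hasPin

        [pscustomobject]@{
            Drive            = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem / Data
            ProtectionStatus = $vol.ProtectionStatus    # On / Off
            VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, etc.
            Protectors       = ($types -join ',')
            TpmOnly          = $tpmOnly
            WinREStatus      = $reStatus
        }
    }
}

# Usage: list every volume, flagging OS volumes that unlock with TPM alone.
Get-BitLockerPosture | Format-Table -AutoSize
```

Rows with `TpmOnly = True` on the operating-system volume are the ones to revisit first: requiring a pre-boot PIN (TPM+PIN) is the long-standing hardening against attacks that need physical access, and the `WinREStatus` column tells you whether the recovery environment the researcher's steps depend on is present at all. Run it through your endpoint management tooling rather than by hand if you need fleet-wide coverage.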

Second Exploit Targets SYSTEM Privileges

Alongside the BitLocker bypass, the researcher also released another zero-day — a privilege escalation vulnerability called “GreenPlasma.”

This exploit targets ctfmon.exe, the Text Services Framework process that runs with SYSTEM privileges and brokers text-input services across user sessions.

Security analysis reveals that the exploit works by:

  • Injecting a malicious memory section
  • Manipulating Windows registry and permission rules
  • Forcing the trusted system process to interact with attacker-controlled memory

This creates an opportunity for attackers to execute arbitrary code with SYSTEM-level access, effectively giving them full control over the affected system.
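Because only an incomplete proof of concept is public, there is no exact signature to deploy yet, but the behaviour described above (an unprivileged process pushing memory at a SYSTEM-level ctfmon.exe, and that process then doing something it never normally does) can be hunted for with telemetry most enterprises already collect. The script below is an added example for this article, not code from the researcher or from Microsoft. It assumes Sysmon is installed with ProcessAccess (Event ID 10) and ProcessCreate (Event ID 1) rules that cover ctfmon.exe; the access-mask bits are the standard Win32 process rights, and the assumption that the exploit surfaces through a direct process handle is exactly that, an assumption, so treat hits as leads rather than verdicts.

```powershell
# Added example: hunt the Sysmon channel for two signals of ctfmon.exe abuse.
# Assumes Sysmon is installed with ProcessAccess (ID 10) and ProcessCreate (ID 1)
# rules that include ctfmon.exe. Standard Win32 process access rights:
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_OPERATION  = 0x0008
$PROCESS_VM_WRITE      = 0x0020

function Get-SysmonEventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten the <Data Name="...">value</Data> nodes into a hashtable.
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Find-CtfmonAbuse {
    [CmdletBinding()]
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1, 10
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $d = Get-SysmonEventData -Event $ev

        # Signal 1: another process opens ctfmon.exe with rights that allow
        # writing memory or creating threads in it (assumed injection path).
        if ($ev.Id -eq 10 -and $d.TargetImage -like '*\ctfmon.exe') {
            $mask = [Convert]::ToInt32($d.GrantedAccess, 16)
            $writeBits = $PROCESS_VM_WRITE -bor $PROCESS_VM_OPERATION -bor $PROCESS_CREATE_THREAD
            if (($mask -band $writeBits) -ne 0 -and $d.SourceImage -notlike '*\ctfmon.exe') {
                [pscustomobject]@{
                    Time   = $ev.TimeCreated
                    Signal = 'ProcessAccess-to-ctfmon'
                    Source = $d.SourceImage
                    Detail = "GrantedAccess=$($d.GrantedAccess) CallTrace=$($d.CallTrace)"
                }
            }
        }
        # Signal 2: ctfmon.exe spawns a child. It is a text-input host and has
        # no business starting shells or installers.
        elseif ($ev.Id -eq 1 -and $d.ParentImage -like '*\ctfmon.exe') {
            [pscustomobject]@{
                Time   = $ev.TimeCreated
                Signal = 'ctfmon-spawned-child'
                Source = $d.Image
                Detail = $d.CommandLine
            }
        }
    }
}

# Usage: review the last day of telemetry on a host.
Find-CtfmonAbuse -Hours 24 | Format-Table -AutoSize
```

Expect some noise from the first signal: endpoint security agents and crash-reporting tools open many processes with broad rights, so baseline the `Source` column and filter known agents before alerting. The second signal should be near-silent on a healthy host, which makes it the better candidate for a paging alert.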

Interestingly, the researcher intentionally released an incomplete version of the exploit, framing it as a “capture-the-flag” challenge for the security community — leaving enough clues for skilled attackers to weaponize it further.

A Personal Conflict Driving Public Exploits

What makes this situation particularly unusual is the motivation behind it. Unlike typical cybercriminal campaigns, this series of disclosures appears to be driven by a personal dispute.

The researcher claims that Microsoft “violated an agreement” and left them “homeless with nothing.” Since then, they have been openly targeting the company through public vulnerability disclosures.

Their messaging has grown increasingly aggressive, with repeated warnings that the exploit releases will continue indefinitely.

“It Will Never Stop” — Escalation Threats Continue

In recent statements, the researcher has warned that future disclosures could become even more damaging.

They hinted at:

  • A “dead man’s switch” mechanism that could automatically release additional vulnerabilities
  • Plans to involve other companies in upcoming disclosures
  • A promise that future Patch Tuesdays will bring “big surprises”

This raises serious concerns not only for Microsoft but for the broader cybersecurity ecosystem, as uncontrolled disclosure of zero-day vulnerabilities can quickly be weaponized by threat actors.

Public Exploits Increase Enterprise Risk

Unlike coordinated disclosures, where the vendor has a fix ready before details go public, these exploits were released directly, with working proofs of concept shared on platforms such as GitHub.

While some security researchers have begun validating parts of the exploits, the broader risk lies in the fact that:

  • Attackers can immediately begin testing and weaponizing vulnerabilities
  • Organizations may not yet have patches available
  • Detection signatures and mitigations lag behind public disclosure

This creates a dangerous window of exposure where systems are vulnerable without adequate defenses.

A New Kind of Insider Threat

The incident highlights an emerging risk in cybersecurity — the “rogue researcher” scenario, where skilled individuals use their expertise as leverage in personal or professional disputes.

While responsible disclosure has long been the standard, cases like this show how quickly that model can break down when trust between researchers and vendors collapses.

What Organizations Should Do Now

Given the nature of these vulnerabilities, organizations should act with urgency:

  • Restrict physical access to sensitive systems, especially BitLocker-protected devices. For devices that leave the building, require a pre-boot PIN (TPM+PIN) rather than TPM-only protection, set a firmware password, and lock the boot order so the machine cannot be booted from USB
  • Monitor for unexpected boots into the recovery environment, and confirm on each device whether WinRE is enabled (reagentc /info) so you know which machines expose that surface
  • Enforce strict privilege and process monitoring, including cross-process access to ctfmon.exe and any child processes it spawns
  • Track threat intelligence and Microsoft advisories related to these exploits, and be ready to deploy an out-of-band fix if one ships before the next Patch Tuesday

Even partial exploit disclosures can be enough for attackers to develop working attacks.

Final Thought

This ongoing conflict represents more than just another set of vulnerabilities — it’s a shift in how critical security risks can emerge.

When zero-days are released not for profit, but out of retaliation, the rules change.

And as the researcher warned:

“It will never stop.”
