A zero-day exploit called RoguePlanet dropped on June 10, 2026, the same day Microsoft rolled out its monthly Patch Tuesday updates. The timing was not a coincidence.
The proof-of-concept code targets a race condition vulnerability in Microsoft Defender that can grant a SYSTEM-level shell on fully patched Windows 10 and Windows 11 machines.
Who’s behind it and why it matters
The researcher behind RoguePlanet operates under the aliases Chaotic Eclipse and Nightmare-Eclipse, publishing work through deadeclipse666.blogspot.com and the GitHub account MSNightmare.
RoguePlanet is at least the sixth zero-day proof-of-concept released by the same person since early April 2026. The prior releases include exploits named BlueHammer (assigned CVE-2026-33825), RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma. That’s roughly one new zero-day every ten days across a two-month stretch.
The campaign has been described as retaliatory. The researcher apparently takes issue with how Microsoft handles vulnerability disclosures, and the cadence of releases, particularly the timing of RoguePlanet alongside Patch Tuesday, reinforces that framing.
Microsoft responded on the same day by pushing Defender definition update 1.453.20.0, which adds detection and quarantine capability for the exploit code. Security experts noted that the detection is rudimentary and could be bypassed with minor modifications to the code.
As of the disclosure date, there have been no reported instances of RoguePlanet being actively exploited in the wild. The success rate on patched systems is described as variable.
The crypto angle: wallet files and private keys at risk
SYSTEM-level access on a Windows machine means an attacker can read any file, modify any process, and access any credential store. A SYSTEM shell on a compromised machine can access wallet files, browser-stored credentials, clipboard data, and locally stored private keys without any additional exploits needed.
There are no confirmed reports linking RoguePlanet specifically to cryptocurrency theft. Nobody has documented a case where this exploit was used to drain wallets or exfiltrate seed phrases.
What this means for crypto holders on Windows
Microsoft’s definition update provides a baseline layer of detection, but experts noted the ease of bypass means it shouldn’t be treated as a reliable safeguard.
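As an added example (not code from the article or from Microsoft), the following PowerShell check lets an administrator confirm that a Windows host has at least the definition version named above, 1.453.20.0, and that real-time protection is enabled. It assumes the Defender PowerShell module is available (Get-MpComputerStatus) and that the host is running Windows 10 or 11 with Defender as its endpoint protection.

```powershell
# Added example: verify the Defender baseline the article describes.
# Assumes the Defender module (Get-MpComputerStatus) is present on the host.
function Test-DefenderBaseline {
    param(
        # Definition version the article names as adding RoguePlanet detection.
        [version]$MinimumSignatureVersion = [version]'1.453.20.0'
    )

    $status    = Get-MpComputerStatus
    $installed = [version]$status.AntivirusSignatureVersion

    [pscustomobject]@{
        SignatureVersion     = $installed
        SignatureIsCurrent   = ($installed -ge $MinimumSignatureVersion)
        RealTimeProtectionOn = $status.RealTimeProtectionEnabled
        SignatureAgeDays     = $status.AntivirusSignatureAge
    }
}

$result = Test-DefenderBaseline
$result | Format-List

# A current signature plus real-time protection is the minimum the article
# calls a baseline; it is not, by itself, a reliable safeguard.
if (-not $result.SignatureIsCurrent -or -not $result.RealTimeProtectionOn) {
    Write-Warning 'Host is missing definition 1.453.20.0 or has real-time protection off.'
}
```

Because the article reports that the detection is easy to bypass, a passing result only confirms the baseline is present; it does not rule out the exploit.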
For institutional crypto operations running Windows infrastructure, the pattern of six zero-days from one researcher in roughly two months suggests the attack surface around Microsoft Defender is deeper than the patching cycle can keep up with. Each release arrives calibrated to coincide with or immediately follow Microsoft’s fixes. Third-party endpoint detection and response tools, network segmentation, and privilege escalation monitoring become more important when the built-in security layer has a demonstrated pattern of being targeted and bypassed.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.