Full Report
Since April 2026, LevelBlue SpiderLabs’ Cyber Threat Intelligence team has tracked a series of public zero-day disclosures targeting Microsoft Windows, attributed to an anonymous actor operating under the names Chaotic Eclipse and Nightmare Eclipse. The activity spans multiple areas of the Windows security model, including recent disclosures such as GreenPlasma, MiniPlasma, and YellowKey.
Analysis Summary
# Threat Actor: Chaotic Eclipse (also known as Nightmare Eclipse)
## Attribution & Identity
* **Identification:** An anonymous actor or group specializing in the discovery and public disclosure of Windows zero-day vulnerabilities.
* **Aliases:** Nightmare Eclipse.
* **Known Associations:** Operates via a public GitHub profile (as seen in Figure 2 of the source) to distribute proof-of-concept (PoC) artifacts and exploit code.
## Activity Summary
Since April 2026, the actor has discovered and publicly disclosed a series of critical vulnerabilities affecting the Microsoft Windows security model. Recent high-profile activities include:
* **YellowKey Campaign:** Disclosure of a zero-day BitLocker security feature bypass (CVE-2026-45585).
* **GreenPlasma Campaign:** Disclosure of a privilege escalation vulnerability involving Windows internals (Object Manager).
* **MiniPlasma Campaign:** Revisiting and exploiting kernel vulnerabilities within the Cloud Files filter driver (`cldapi.dll`).
## Tactics, Techniques & Procedures
* **Physical Security Feature Bypass:** Exploiting the Windows Recovery Environment (WinRE) to bypass BitLocker protections without passwords or recovery keys.
* **Privilege Escalation:** Leveraging Windows Object Manager symbolic links and CTF-related namespaces to place arbitrary memory section objects in protected locations.
* **Kernel Exploitation:** Targeting the Cloud Files filter driver for kernel-mode elevation.
* **Living-off-the-Land (LotL):** Utilizing native Windows functionality rather than custom malware to achieve SYSTEM-level access.
* **MITRE ATT&CK IDs (Associated):**
  * T1078 (Valid Accounts - via BitLocker bypass to SYSTEM)
  * T1202 (Indirect Command Execution)
  * T1068 (Exploitation for Privilege Escalation)
  * T1552.001 (Credentials in Files - targeting decrypted volumes)
## Targeting
* **Sectors:** Likely targeting high-value portable assets, government/diplomatic devices (relevant to border inspections), and supply chain providers.
* **Geography:** Global (Public disclosures affect all Windows users globally).
* **Victims:** Users of Windows 11, Windows Server 2022, and Windows Server 2025.
## Tools & Infrastructure
* **Malware/Payloads:**
  * **YellowKey:** A payload/technique requiring a standard USB device and physical access.
  * **GreenPlasma:** PoC code targeting `BaseNamedObjects` and the Windows Object Manager.
  * **MiniPlasma:** Exploit targeting `cldapi.dll` and `CfAbortOperation`.
* **Infrastructure:**
  * **GitHub:** Used for distributing PoC artifacts and source code.
  * **Social Media:** Used to telegraph future disclosures (e.g., TPM+PIN bypasses).
## Implications
Chaotic Eclipse represents a strategic shift in physical access threats. By lowering the barrier to entry (removing the need for specialized hardware such as TPM sniffers), the actor has made SYSTEM-level compromise of encrypted devices viable for a broader range of threats, including opportunistic thieves and insiders. The chaining of these zero-days (YellowKey for access, GreenPlasma for persistence and escalation) poses a comprehensive threat to the Windows ecosystem.
## Mitigations
* **Patch Management:** Prioritize the installation of Microsoft security updates for **CVE-2026-45585** as they become available.
* **WinRE Hardening:** Follow official Microsoft guidance to secure or disable the Windows Recovery Environment (WinRE) on high-risk portable devices.
* **Physical Security:** Implement strict physical access controls and tamper-evident packaging for sensitive hardware.
* **Monitoring (YARA):** Utilize the provided YARA rule to scan for indicators of MiniPlasma and GreenPlasma, specifically monitoring for unusual strings like `CTF.AsmListCache`, `CfAbortOperation`, and unauthorized objects in `\BaseNamedObjects\`.
* **Configuration:** Explore TPM+PIN configurations, although the actor has indicated these may be the subject of future disclosures.
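As an added example (not code from the LevelBlue report), the following PowerShell audit checks the two host-side controls listed above, WinRE state and BitLocker protector type, on a single machine. It assumes an elevated prompt on Windows 11 or Windows Server with the BitLocker module available; the `Get-WinReState` and `Get-BitLockerPosture` function names are the example's own.

```powershell
# Added example, not part of the original report: audit WinRE state and BitLocker
# protector types so TPM-only volumes on hosts with WinRE enabled can be flagged.

function Get-WinReState {
    # reagentc /info prints a line such as "Windows RE status:  Enabled"
    $info = & reagentc.exe /info 2>&1
    $line = $info | Where-Object { $_ -match 'Windows RE status' }
    if ($null -eq $line) { return 'Unknown' }
    if ($line -match 'Enabled')  { return 'Enabled' }
    if ($line -match 'Disabled') { return 'Disabled' }
    return 'Unknown'
}

function Get-BitLockerPosture {
    # One object per volume: protection state, protector types, and whether a
    # PIN-backed TPM protector (TpmPin or TpmPinStartupKey) is present.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ',')
            HasTpmPin        = $hasPin
            TpmOnly          = ($types -contains 'Tpm') -and -not $hasPin
        }
    }
}

$winRe = Get-WinReState
Write-Host "WinRE status: $winRe"
if ($winRe -eq 'Enabled') {
    Write-Warning 'WinRE is enabled; review Microsoft guidance on securing or disabling it on high-risk portable devices.'
}

$posture = Get-BitLockerPosture
$posture | Format-Table -AutoSize

# Volumes that are encrypted but rely on the TPM alone are the ones the TPM+PIN
# recommendation applies to; unencrypted volumes are reported separately.
$posture | Where-Object { $_.TpmOnly -and $_.ProtectionStatus -eq 'On' } | ForEach-Object {
    Write-Warning "$($_.MountPoint) is protected by TPM only; consider adding a TPM+PIN protector."
}
$posture | Where-Object { $_.ProtectionStatus -ne 'On' } | ForEach-Object {
    Write-Warning "$($_.MountPoint) does not have BitLocker protection on."
}
```

The output is informational only; changing WinRE or protector configuration should follow the Microsoft guidance referenced in the mitigations rather than be scripted from this audit.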