Security pros warn YellowKey claim could make stolen laptops a much bigger problem
The anonymous security researcher who has already maliciously exposed three Windows zero-days this year has revealed two more, dropping them just after Microsoft’s monthly Patch Tuesday update.
Nightmare-Eclipse, or Chaotic Eclipse, depending on which of their aliases you prefer, released details about YellowKey and GreenPlasma – respectively a BitLocker bypass and a privilege escalation flaw, handing SYSTEM access to attackers.
Experts speaking to The Register warned that both vulnerabilities present serious security concerns, especially since Nightmare-Eclipse released substantial technical information about exploiting them.
Nightmare-Eclipse described YellowKey as “one of the most insane discoveries I ever found.” They provided the files, which have to be loaded onto a USB drive; if the attacker completes the key sequence correctly, they are granted unrestricted shell access to a BitLocker-protected machine.
When it comes to claims like these, we usually exercise some caution, as this bug requires physical access to a Windows PC. However, given that BitLocker is Windows’ last line of defense for stolen devices, bypassing it would give thieves access to the encrypted files.
Rik Ferguson, VP of security intelligence at Forescout, said: “If [the researcher’s claim] holds up, a stolen laptop stops being a hardware problem and becomes a breach notification.”
Despite the physical access requirement, Gavin Knapp, cyber threat intelligence principal lead at Bridewell, told The Register that YellowKey remains “a huge security problem for organizations using BitLocker.”
Citing information shared in cyber threat intelligence circles, he added that YellowKey can be mitigated by implementing a BitLocker PIN and a BIOS password lock.
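The mitigation Knapp cites has two halves: a BitLocker startup PIN, which keeps the TPM from releasing the volume key until someone types the PIN at boot, and a firmware password, which blocks booting from an attacker-supplied USB device. Only the first is scriptable; the BIOS/UEFI password is set in the firmware setup of each vendor. The following PowerShell is an added example, not code from The Register or from the researcher: it audits the OS volume for a TPM+PIN protector and, on request, swaps a TPM-only protector for TPM+PIN. It assumes an elevated session on Windows 10/11 Pro or Enterprise with the built-in BitLocker module, and it writes the registry equivalents of the “Require additional authentication at startup” Group Policy (the FVE policy key and the 0/1/2 scheme for UseTPMPIN) as I know them; in a domain, set the same option through your GPO baseline instead of the local key.

```powershell
# Added example (not from the article): check for, and optionally enforce,
# TPM+PIN pre-boot authentication on the BitLocker OS volume.
#Requires -RunAsAdministrator

function Test-BitLockerPinProtector {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus      # On / Off
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($types -join ', ')
        # TpmPin or TpmPinStartupKey means a PIN is required before the TPM unseals the key.
        HasPreBootPin    = [bool]($types -match '^TpmPin')
    }
}

function Enable-BitLockerTpmPin {
    param(
        [Parameter(Mandatory)] [securestring]$Pin,
        [string]$MountPoint = $env:SystemDrive
    )

    # Add-BitLockerKeyProtector refuses a startup PIN unless policy allows it.
    # These values mirror the "Require additional authentication at startup" GPO
    # (assumed local-policy equivalent; UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord

    # Add the TPM+PIN protector first so the volume is never left without a TPM-bound
    # protector, then drop the TPM-only one. Recovery-password protectors are untouched.
    $vol     = Get-BitLockerVolume -MountPoint $MountPoint
    $tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'

    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    Test-BitLockerPinProtector -MountPoint $MountPoint
}

# Usage (interactive, so the PIN never lands in history or a script file):
#   Test-BitLockerPinProtector
#   Enable-BitLockerTpmPin -Pin (Read-Host -AsSecureString 'New startup PIN')
```

Run the audit function across a fleet (for example via a remoting job) and treat `HasPreBootPin = False` with `ProtectionStatus = On` as the finding: those are the machines for which TPM-only BitLocker is the sole barrier between a thief and the data.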
Nightmare-Eclipse hinted at YellowKey also acting as a backdoor, allegedly injected by Microsoft, although the people we spoke to said this was impossible to verify based on the information available.
The researcher also published partial exploit code for GreenPlasma, rather than a fully formed proof-of-concept (PoC) exploit.
Ferguson noted attackers need to take the code provided by the researcher and figure out how to weaponize it themselves, which is no small task: in its current state it triggers a UAC consent prompt in default Windows configurations, meaning a silent exploit remains a work in progress.
Knapp warned that these kinds of privilege escalation flaws are often used by attackers after they gain an initial foothold in a victim’s system.
“These elevation of privilege vulnerabilities are often weaponized during post-exploitation to enable threat actors to discover and harvest credentials and data, before moving laterally to other systems, prior to end goals such as data theft and/or ransomware deployment,” he said.
“Currently, there is no known mitigation for GreenPlasma. It will be important to patch when Microsoft addresses the issue.”
Four, five… and more?
YellowKey and GreenPlasma are the latest in a series of five Microsoft zero-day bugs the researcher has exposed this year.
When Nightmare-Eclipse released BlueHammer (CVE-2026-32201, 6.5) – patched by Microsoft in April – they were described as a disgruntled researcher who has since been rumored to be a former Microsoft employee.
According to their maiden blog post under the Chaotic Eclipse alias, the bug leak began after an alleged violation of trust.
“I never wanted to reopen a blog and a new GitHub account to drop code,” they wrote. “But someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.”
In early April, the researcher leaked proof-of-concept code for Windows Defender exploits they called RedSun and UnDefend – another admin privilege escalation bug and denial-of-service flaw, respectively – as well as BlueHammer.
Both RedSun and UnDefend remain unfixed, and according to Huntress, the proof-of-concept code released was quickly picked up and abused in real-world attacks.
Ferguson described the exposure of YellowKey and GreenPlasma as the latest in an escalating, retaliatory campaign against Microsoft, and warned of more coming.
“Prior releases include BlueHammer and RedSun, both of which attracted serious community attention and real forks,” he said.
“The same post linking yesterday’s releases warns of another Patch Tuesday surprise and hints at future RCE disclosures. They claim to have a dead man’s switch with more ready to go. This researcher has followed through on every prior threat.” ®