RoguePlanet Is Patched. The Protagonist Still Has No Name

Saturday, July 11, 2026 | Jonathan Lockhart

Estimated reading time: 13–15 minutes

When we last checked in on the Nightmare-Eclipse saga, the score stood at seven publicly released Windows exploits, approximately ten weeks of increasingly operatic correspondence, and zero confirmed facts about the person writing it.

Things have changed.

Microsoft has patched RoguePlanet. The exploit count has risen to eight. The promised July 14 mass disclosure was canceled, apologized for, partially replaced by a new and less specific promise of “interesting” July findings, and followed almost immediately by another BitLocker-related exploit that the researcher said was discovered by accident.

The anonymous researcher has migrated from Blogger to a self-hosted platform, reappeared on GitHub under the exquisitely subtle name “MSNightmare,” and begun examining the code Microsoft added to stop the previous exploit.

What has not changed is the attribution.

Nobody has publicly identified the researcher. Nobody has verified the rumored Microsoft employment. Nobody has produced the confidently reported September 2022-to-June 2025 employment record. Nobody has independently confirmed the alleged agreement, humiliation, homelessness, account deletion, unpaid vulnerability submissions, or multiyear campaign of mistreatment described in the researcher’s posts.

The technical record has expanded considerably.

The biography remains a collaborative work of fiction.

RoguePlanet gets a CVE, a patch and several new adjectives

On July 8, Microsoft released an out-of-band update for the Microsoft Malware Protection Engine addressing RoguePlanet, now tracked as CVE-2026-50656.

The vulnerability affects Malware Protection Engine versions earlier than 1.1.26060.3008. Microsoft classifies it as a local elevation-of-privilege flaw caused by improper link resolution before file access. A low-privileged authenticated attacker who successfully exploits it can obtain SYSTEM-level execution on the local Windows machine.

Microsoft assigned the vulnerability a CVSS score of 7.8, using a vector that treats attack complexity as low. NIST currently scores it at 7.0 because its independent assessment treats the complexity as high. This is not a contradiction so much as a reminder that CVSS vectors contain judgment calls, particularly when a race condition behaves reliably on some systems and poorly on others.

The researcher’s own RoguePlanet documentation says exactly that. The proof of concept reportedly achieved near-perfect reliability on some Windows 10 and Windows 11 installations while struggling on others. Successful execution produces a command shell running as SYSTEM.

The exploit was publicly released on June 9, shortly after Microsoft’s June Patch Tuesday update. Microsoft acknowledged it on June 16 and supplied the fixed engine on July 8.

That is a month-long public exposure window with functional exploit code available.

It is also not a remotely exploitable vulnerability by itself. RoguePlanet requires an attacker to have already obtained local execution as a standard user. Its value lies in converting a limited foothold into highly privileged control. In a real intrusion, that could enable credential access, security-control tampering, persistence, lateral movement and destruction of local telemetry.

Microsoft’s advisory says systems on which Defender has been disabled are not in an exploitable state because the vulnerable engine is not active. That should not be mistaken for a recommended mitigation. Disabling the endpoint security product to protect it from an endpoint security vulnerability is roughly equivalent to preventing automobile theft by removing the automobile.

The operational answer is to verify that the engine is at version 1.1.26060.3008 or later.

The exploitation report that does not report exploitation

RoguePlanet’s exploitation status remains unresolved, but not in the dramatic way some coverage suggests.

Microsoft says it has not detected exploitation. CISA has not added CVE-2026-50656 to the Known Exploited Vulnerabilities catalog. The CVE record identifies public proof-of-concept exploitation, not confirmed malicious exploitation.

Qualys complicated the picture with a June 18 ThreatPROTECT entry whose page title and URL described RoguePlanet as “exploited in attacks.” Dark Reading correctly observed that Qualys supplied no incident details.

The current Qualys text does not identify a campaign, victim, malware family, intrusion set, forensic artifact or independent source for that claim. The page, updated July 9, now describes the public exploit and the Microsoft patch but provides no evidence demonstrating malicious use.

That is not sufficient to classify RoguePlanet as confirmed in-the-wild exploitation.

There is a meaningful distinction between:

  • a working exploit;
  • an exploit reproduced by other researchers;
  • exploit code incorporated into offensive tooling;
  • attempted exploitation observed in telemetry; and
  • successful exploitation confirmed during an intrusion.

The first two are established for RoguePlanet. The remaining categories are not publicly demonstrated.

The confusion is understandable because earlier Nightmare-Eclipse disclosures did move rapidly into real intrusions. BlueHammer, RedSun and UnDefend were observed in attack activity after public exploit release, and their corresponding CVEs entered CISA’s KEV catalog.

But exploitation is not hereditary. RoguePlanet does not inherit confirmed exploitation merely by sharing an author with three exploited predecessors.

The seven-exploit count lasted approximately one day

Our previous count also needs updating.

The original sequence consisted of BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma and MiniPlasma. RoguePlanet brought the total to seven.

Then, one day later, GreatXML made eight.

GreatXML is a BitLocker and Windows Recovery Environment abuse chain centered on a malicious unattend.xml file. It exploits the interaction among WinRE, Microsoft Defender Offline Scan, Windows setup automation and the state of the recovery partition.

Calling it a “BitLocker bypass” is technically defensible but operationally incomplete.

The public proof of concept does not remotely defeat BitLocker encryption from an unprivileged starting position. An attacker must first obtain sufficient privileges to modify the recovery partition and plant the required files. The demonstrated chain also depends on a Defender Offline Scan having been run on the machine previously. Once prepared, a later boot into WinRE can produce a highly privileged command environment with access to the protected volume.

That makes GreatXML interesting as a post-compromise persistence and data-access mechanism. An attacker who briefly obtains administrative control could prepare the recovery environment, lose conventional access during incident response, and potentially regain access later through WinRE.

ThreatLocker and Cyderes both reproduced meaningful parts of the technique on patched Windows 11 systems. Public reporting continued to describe GreatXML as having no CVE and no Microsoft patch, and this review found no subsequent Microsoft advisory assigning it one.

It is not the effortless universal BitLocker annihilation suggested by some headlines.

It is still an ugly trust-boundary failure involving components explicitly intended to protect or recover the system.

The July 14 apocalypse was canceled for health reasons

Dark Reading reports that Nightmare-Eclipse “threatened to make sure your bones are shattered on July 14” but later backed off that date.

That is substantially accurate, provided we preserve the chronology.

On May 23, the researcher published a PGP-signed post accusing Microsoft of refusing communication, humiliating and publicly insulting them, defaming them through the YellowKey advisory, deleting the Microsoft account used for vulnerability reporting, and failing to pay for earlier reports.

The post then instructed Microsoft to mark July 14, promising that its “bones” would be shattered.

None of the allegations preceding that threat were accompanied by the promised documentary evidence. The researcher said proof existed but could not yet be released because Microsoft still had “chains” on them.

On June 9, the researcher withdrew the planned mass disclosure. RoguePlanet had required more work than anticipated and had severely exhausted them. The researcher apologized for causing panic and said the “big thing” would not happen.

A day later, GreatXML appeared.

Then, on June 22, the researcher announced that the break was apparently over and suggested July would contain “interesting and possibly insanely controversial findings.” The post said the next disclosure would not include a complete exploit but enough code to demonstrate the underlying defect.

So the July 14 mass dump was genuinely canceled.

The broader promise of further July disclosures was not.

As of July 11, the threatened calendrical apocalypse has become more of a floating appointment.

What the record actually establishes about motive

This brings us to the question Dark Reading’s coverage raises, perhaps unintentionally: what do we really know about the researcher’s motivation?

The answer depends on which proposition is being tested.

Do the researcher’s publications contain retaliatory language directed at Microsoft?

Absolutely.

The first BlueHammer post said, “I was not bluffing Microsoft,” thanked MSRC leadership sarcastically and implied that previous interactions had already occurred. Later posts accused Microsoft of betrayal and humiliation. The July 14 message plainly threatened retaliatory disclosure. Releases were repeatedly timed near Patch Tuesday, maximizing the period during which functional exploit code was public but no targeted patch was available.

It is therefore reasonable to infer that retaliation is part of the public persona and release strategy.

But that is not the same as proving the underlying grievance.

The researcher claims that Microsoft violated an agreement, left them homeless, deleted their reporting account, withheld compensation, publicly defamed them and refused direct communication.

Those claims may be true.

They may be partly true.

They may omit substantial context.

They may be a dramatized explanation for conduct motivated by something else.

They may even be part of the persona itself.

No publicly released MSRC correspondence, contract, employment document, bounty determination, account record or third-party testimony currently resolves the question.

We know what Nightmare-Eclipse says happened.

We do not know that it happened as described.

That distinction has almost entirely disappeared from secondary reporting.

“Disgruntled” becomes a personnel file

Rob Wright’s July 9 Dark Reading article opens by describing Nightmare-Eclipse as “a disgruntled security researcher with a vendetta against the software giant.”

This is evocative. It is also attribution by adjective.

“Disgruntled” is probably a safe inference from the posts. Few contented people promise to shatter a corporation’s bones.

“Vendetta” is stronger. It suggests not merely retaliatory conduct but a settled personal motive, and it invites readers to accept the researcher’s conflict narrative as the explanation for the campaign.

The evidence supports this narrower formulation:

An anonymous researcher has repeatedly described the disclosures as retaliation for alleged mistreatment by Microsoft.

That sentence distinguishes observed conduct, claimed motive and unverified cause.

Dark Reading’s formulation merges all three.

The article goes on to say the dispute began in April when BlueHammer was released “out of frustration” with MSRC. But the April 2 post says the researcher was doing it “again” and thanks named MSRC leadership for “making this possible.” That indicates an earlier history whose beginning and substance remain unknown.

April is when the public campaign became visible.

It is not necessarily when the dispute began.

Similarly, saying the researcher “swore revenge” is a reasonable interpretation of the July 14 threat, but it should still be presented as an interpretation. The underlying source is the anonymous researcher’s own rhetoric, not an independently established account of motive.

Wright links to Dark Reading’s earlier coverage, which links to the researcher’s posts and quotes industry commentators interpreting them. By the July article, those interpretations have hardened into narration.

The source chain therefore looks like this:

The anonymous researcher makes allegations about Microsoft.

Security vendors describe the campaign as a grudge or personal vengeance.

News outlets report that vendors describe it that way.

Later news articles state the grudge and vendetta as characteristics of the actor.

At no point does new evidence enter the chain.

The adjectives simply acquire seniority.

The legal-threat portion of the story requires similar precision.

On May 27, Microsoft published an MSRC statement condemning the six initial disclosures. It said public release of unpatched proof-of-concept code was never justifiable and added that Microsoft’s Digital Crimes Unit would continue bringing cases against malicious actors and those enabling criminal activity, coordinating with law enforcement where necessary.

The security community understandably interpreted this as a warning aimed at Nightmare-Eclipse and potentially at other full-disclosure researchers.

Dark Reading described it as Microsoft threatening criminal prosecution.

After widespread criticism, Microsoft clarified that it did not intend to pursue individuals merely for conducting or publishing security research. It said legal action would be reserved for unlawful malicious activity causing actual harm.

Microsoft therefore did issue language that sounded threatening in context and then publicly narrowed it.

Calling the original statement a “legal threat” is defensible shorthand.

Reporting that Microsoft unambiguously threatened to prosecute this specific researcher would be stronger than the available record supports.

Microsoft’s statement named the vulnerabilities but not Nightmare-Eclipse. It condemned the disclosures and invoked the Digital Crimes Unit. It did not announce a filed case, identify a statute, confirm a referral or say that an investigation of the researcher was underway.

The distinction matters because the story has frequently evolved from “Microsoft used language widely interpreted as threatening” into “Microsoft initiated legal action,” which is not the same thing.

Microsoft’s silence does not verify the researcher’s story

Microsoft has also not publicly confirmed several claims central to the emerging biography.

It has not confirmed that Nightmare-Eclipse was an employee.

It has not confirmed that the researcher was a contractor.

It has not confirmed an agreement.

It has not confirmed deleting the researcher’s Microsoft account.

It has not confirmed withholding earned bounty payments.

It has not confirmed that MSRC personnel threatened to ruin the researcher’s life.

Microsoft’s silence does not disprove those claims.

It does not verify them either.

The company did say that the six original vulnerabilities were not submitted through its official channels before public release. That statement may refer only to those specific vulnerabilities. It does not resolve whether the researcher previously submitted other vulnerabilities, maintained an MSRC account, had earlier dealings with Microsoft or entered some separate agreement.

The public record leaves room for a real and serious disclosure breakdown.

It does not tell us exactly what that breakdown was.

The former-Microsoft theory remains exactly where we left it

No new evidence has appeared supporting the claim that the researcher worked full-time at Microsoft from September 2022 through June 2025.

Brian Krebs reported only that Nightmare-Eclipse claimed to be a former Microsoft employee and that Microsoft had not confirmed the claim.

The Register described former employment as rumor and asked Microsoft whether the researcher was a current or former employee. Microsoft did not answer.

The technical work demonstrates substantial knowledge of Windows internals, Defender, WinRE, BitLocker and Microsoft’s patching behavior. That supports the conclusion that the researcher is highly capable.

It does not establish where that capability was acquired.

Reverse engineers, vulnerability researchers, red-team operators, former contractors, current employees, former employees, malware developers, consultants and determined independent researchers can all develop deep familiarity with proprietary systems.

“Insider-level knowledge” is a compliment disguised as an attribution method.

It is not an employment record.

The MSNightmare GitHub profile’s claimed Microsoft affiliation is equally probative. GitHub profile fields are entered by account holders. Listing “Microsoft” beneath a repository devoted to embarrassing Microsoft is more plausibly a joke than a human-resources disclosure.

The recurring PGP-signed posts do provide some evidence that the same cryptographic persona controls multiple messages across the campaign.

A stable key can authenticate continuity of authorship.

It cannot authenticate a birth certificate.

The singular pronoun remains an assumption too

Coverage almost universally refers to Nightmare-Eclipse as one person.

That may be correct. The consistent writing style, recurring signing key, continuous narrative and focused technical interests all support a single principal operator.

But the public evidence does not exclude a small group sharing an identity, a primary researcher receiving vulnerabilities from others, or collaborators contributing analysis and exploit development.

The researcher has explicitly said that other people supplied vulnerabilities. That does not prove collective operation, but it complicates the clean image of a solitary genius working without food, water or sleep in a room lit entirely by IDA Pro.

Nor has the researcher’s gender been established. Some articles use “he,” others use singular “they.” The latter is the only defensible choice without identification or self-description.

We know the voice.

We do not know the speaker.

The researcher is still examining the patch

On July 9, after Microsoft released the fixed engine, Nightmare-Eclipse published new observations about Defender.

The post claimed that Defender would cache an arbitrarily large Zone.Identifier alternate data stream under certain conditions, potentially enabling local disk exhaustion. It also claimed that Microsoft’s new defense-in-depth changes introduced an eight-byte information leak visible to drivers, though the researcher had not yet found a way for a standard user to retrieve the leaked data.

These are researcher claims, not independently validated vulnerabilities. They have no CVE identifiers and should not yet be described as confirmed security defects.

They are nevertheless significant for the story.

The researcher did not take the patch as closure. They immediately began diffing the new engine, studying the mitigation and looking for secondary consequences.

That tells us something real about technical method: sustained reverse engineering, familiarity with mpengine.dll, close attention to engine updates and a willingness to probe the patch itself.

It still tells us nothing reliable about a name, résumé, nationality or former employer.

The person remains hidden behind the work.

What we can responsibly say now

As of July 11, the defensible public assessment is this:

An unidentified researcher or small collaborating cluster operating through the Nightmare-Eclipse persona has released eight Windows-focused exploit tools since April: BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, MiniPlasma, RoguePlanet and GreatXML.

Several early disclosures were subsequently associated with malicious exploitation. RoguePlanet has a public working proof of concept but no publicly confirmed in-the-wild exploitation.

Microsoft fixed RoguePlanet on July 8 in Malware Protection Engine version 1.1.26060.3008. GreatXML has been independently reproduced under meaningful preconditions but remains without a publicly identified Microsoft CVE or advisory in the sources reviewed.

The persona has repeatedly expressed hostility toward Microsoft and has explicitly framed disclosures as a response to alleged mistreatment. Retaliatory intent is therefore a reasonable assessment.

The truth and completeness of the underlying grievance remain unverified.

The researcher’s identity, employment history, gender, location and relationship with Microsoft remain unknown.

No amount of technical ability converts those unknowns into facts.

The attribution industrial complex discovers psychology

The first phase of the Nightmare-Eclipse attribution cycle tried to invent a person.

The second phase is inventing a psychology.

Former Microsoft employee. Disgruntled insider. Humiliated bug hunter. Homeless researcher. Vengeful genius. Malicious actor. Lone crusader. Vendetta.

Some of these descriptions may eventually prove accurate. Several are plausible readings of the persona’s own publications.

But plausibility is not attribution.

The same industry that transformed “claims to be a former employee” into a three-year employment record is now transforming “says Microsoft mistreated them” into an independently established motive.

The technical story does not require this.

Eight exploit releases are real.

The patches are real.

The public proof-of-concept code is real.

The earlier malicious exploitation is real.

The disclosure-policy dispute is real.

Microsoft’s ill-considered Digital Crimes Unit language is real.

The ongoing risk to organizations running outdated Defender engines is real.

Those facts are enough.

The protagonist does not need an invented résumé or an amateur psychological evaluation to become interesting.

Microsoft has now supplied RoguePlanet with a CVE, a severity score, an affected-version range and a fixed engine number.

The attribution industrial complex has supplied its author with everything except a name.

Source references

Microsoft Security Response Center advisory for CVE-2026-50656 and Malware Protection Engine deployment guidance.

National Vulnerability Database record and July 8 change history for CVE-2026-50656.

Microsoft MSRC, “A Shared Responsibility: Protecting Customers Through Coordinated Vulnerability Disclosure,” May 27, 2026.

Dark Reading, Rob Wright, “Microsoft Reins in RoguePlanet Zero-Day Threat,” July 9, 2026.

Dark Reading’s April, May and June reporting on BlueHammer, the disclosure dispute and RoguePlanet.

Nightmare-Eclipse PGP-signed posts dated April 2, May 23, June 9, June 15, June 22 and July 9.

MSNightmare RoguePlanet repository documentation.

CISA Known Exploited Vulnerabilities catalog, reviewed July 11, 2026.

Qualys ThreatPROTECT entry for CVE-2026-50656, originally published June 18 and updated July 9.

The Register reporting on RoguePlanet, GreatXML, the canceled July 14 disclosure and Microsoft’s July 8 fix.

Cyderes Howler Cell and ThreatLocker technical analyses of GreatXML.

SOCRadar analysis of RoguePlanet’s enterprise risk and post-compromise utility.


Jonathan Lockhart is a cybersecurity researcher and investigative journalist at bordercybergroup.com.

If you would like to support our work — useful, well-researched, ad-free cybersecurity intelligence — subscribe, comment, or buy us a coffee! Thanks.