Guardsix Blog | Cybersecurity Research & Threat Intelligence

One More Race to SYSTEM: RoguePlanet Extends the BlueHammer–RedSun–Plasma Lineage

Written by Akanksha Giri | Jun 11, 2026 11:13:37 AM

Overview

On June 10, 2026, the researcher known as Chaotic Eclipse (also operating under the alias Nightmare Eclipse) released another Windows local privilege escalation PoC, dubbed RoguePlanet. This marks the latest entry in a series of Windows zero-day discoveries from the same researcher that we have been tracking and analyzing over recent months.

We first covered BlueHammer, RedSun, and UnDefend back in April, then the May wave of YellowKey, GreenPlasma, and MiniPlasma; RoguePlanet is the next one. It lands in the Windows Defender corner of that catalogue, next to BlueHammer, RedSun and UnDefend, and like those earlier releases it again turns on a TOCTOU (time-of-check-to-time-of-use) race, the same class of timing flaw the researcher has reached for repeatedly across the series.

What it is

RoguePlanet is a local privilege escalation exploit (standard user → NT AUTHORITY\SYSTEM) that weaponizes Windows Defender's own threat-remediation path as the privileged file-write primitive, with Windows Error Reporting as the SYSTEM execution sink. It's a classic TOCTOU file-operation race, made deterministic with oplocks and redirected with NTFS junctions.

Why it works

The root cause of RoguePlanet is a time-of-check to time-of-use (TOCTOU) gap in how Defender's remediation handles file paths. Defender resolves the location of the flagged file when it inspects it, and resolves the path again when it later restores or moves the file. There is a small time gap between the check and the act. That gap is the vulnerability.

Between those two moments the filesystem will transparently follow any junction (an NTFS directory reparse point, a pointer that the filesystem follows automatically) it encounters. RoguePlanet changes what the path points to in that window. From Defender's perspective it cleaned a file in a temporary folder and put it back where it belonged; in reality the destination was redirected underneath it.

What turns this from an unreliable race into a dependable one is the oplock. A normal TOCTOU window is a matter of microseconds and a gamble against the scheduler. An oplock (opportunistic lock) is a legitimate file-caching feature that lets a process ask the filesystem to pause the next program that touches a file and notify the holder first. Defender freezes exactly when it reaches the file and resumes only once the swap is done. The shadow copy plays the matching role on the other side: because remediation deterministically produces a snapshot, the exploit gets a clean signal for when Defender has arrived instead of polling blindly.

Finally, once the attacker's binary is sitting in System32 as wermgr.exe, no further exploitation is needed to run it elevated. Windows already ships a scheduled task whose job is to launch that exact binary as SYSTEM. The exploit simply calls it.
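The following is an added illustration of the principle behind the bug, not code from the post and not Defender's own remediation code. It puts the check-then-act shape of a TOCTOU path race beside the handle-based shape that closes it: open the destination once, confirm the handle refers to the object that was checked, then act relative to the handle. It is written for POSIX, where a symlink stands in for the NTFS junction, and the between_check_and_use hook is a test aid that models the race window; the scratch-directory scenario, the file names and the "payload.bin" name are all constructed.

```python
import os
import tempfile

# Added illustration (not Defender's code): check-then-act by path, beside the
# handle-based form. POSIX only; a symlink stands in for the NTFS junction and
# `between_check_and_use` is a test hook that models the race window.

def restore_by_path(src, dst_dir, name, between_check_and_use=lambda: None):
    """Vulnerable form: CHECK the destination by path, then ACT by path.
    The path is resolved twice, and the second resolution follows whatever
    link has been swapped in since the first."""
    if not os.path.isdir(dst_dir):                 # check
        raise PermissionError("not a directory")
    between_check_and_use()                        # race window
    os.rename(src, os.path.join(dst_dir, name))    # use: resolved again, link followed

def restore_by_handle(src, dst_dir, name, between_check_and_use=lambda: None):
    """Hardened form: open the destination once, confirm the handle refers to
    the object that was checked (same device and inode), then act relative to
    the handle. A link swapped in afterwards changes what the path means, not
    what the handle refers to."""
    checked = os.stat(dst_dir)
    fd = os.open(dst_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        opened = os.fstat(fd)
        if (opened.st_dev, opened.st_ino) != (checked.st_dev, checked.st_ino):
            raise PermissionError("destination changed between check and open")
        between_check_and_use()                    # race window: harmless now
        os.rename(src, name, dst_dir_fd=fd)        # use: relative to the handle
    finally:
        os.close(fd)

def run_scenario(variant):
    """Constructed scenario in a scratch directory: `landing` is the folder the
    privileged code believes it is writing to, `privileged` is where the swap
    redirects it. During the window, `landing` is moved aside and a symlink to
    `privileged` is dropped in its place. Returns where the file ended up."""
    root = tempfile.mkdtemp()
    privileged = os.path.join(root, "privileged")
    landing = os.path.join(root, "landing")
    os.mkdir(privileged)
    os.mkdir(landing)
    src = os.path.join(root, "restored.bin")
    open(src, "w").close()

    def swap_in_link():
        os.rename(landing, landing + ".orig")
        os.symlink(privileged, landing)

    try:
        variant(src, landing, "payload.bin", between_check_and_use=swap_in_link)
    except OSError:
        return "refused"
    if os.path.exists(os.path.join(privileged, "payload.bin")):
        return "redirected"        # write followed the swapped-in link
    return "checked_dir"           # write landed in the directory actually checked

if __name__ == "__main__":
    print("by path:  ", run_scenario(restore_by_path))      # redirected
    print("by handle:", run_scenario(restore_by_handle))    # checked_dir
```

The point of the identity check is that the window between check and open is the only one left, and anything swapped in during it fails the device/inode comparison; everything after the open goes through the handle, so the path can change freely without affecting where the write lands. The Windows analogue is to open the directory once (without following reparse points) and perform the restore relative to that handle.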

Attack Flow


Phase 1 — Staging the bait

The exploit writes an ISO image it carries embedded in its own binary out to %TEMP%\RP_<guid>, then mounts it read-only with no drive letter via OpenVirtualDisk / AttachVirtualDisk. The ISO carries a file called wermgr.exe. The point of a read-only mounted volume is to have an immutable "source of truth" copy that Defender can scan but nothing can tamper with mid-race.

Then it stages a file named wermgr.exe whose contents are the EICAR test string (a harmless industry-standard test string that every antivirus is built to recognize as bad). EICAR is guaranteed to trip Defender as a known-bad threat, which is the whole trigger. The file is named after the real System32\wermgr.exe (Windows Error Reporting Manager) and placed in a System32-mirroring directory. It also tacks on a :WDFOO alternate data stream.

Phase 2 — Triggering Defender

RoguePlanet loads MpClient.dll and resolves Defender's undocumented RPC client functions (MpManagerOpen, MpScanStart, MpScanResult, MpThreatOpen, MpThreatEnumerate, MpCleanOpen, MpCleanStart). It programmatically asks MsMpEng.exe (running as SYSTEM) to scan the staged EICAR file, confirm it's known bad, and clean it. That cleanup is the SYSTEM-privileged file operation the exploit hijacks.

Phase 3 — Catching the moment

Remediation produces a fresh Volume Shadow Copy. RoguePlanet enumerates \Device\ in the object-manager namespace for HarddiskVolumeShadowCopy*, snapshots the list, then re-scans it to catch the new shadow copy that appears during remediation. It grabs a handle to the staged file's :WDFOO stream through that snapshot path and places an oplock on it. The oplock is the race-determinism mechanism: placed on the file Defender is about to touch, it fires a break callback that pauses Defender's operation at exactly the right moment, handing the exploit a reliable window to do the swap.

Phase 4 — Winning the swap

With Defender paused on the broken oplock, the exploit performs the switch: it turns the attacker-controlled System32 folder into a junction by setting an IO_REPARSE_TAG_MOUNT_POINT reparse point on it, redirecting it to a privileged target, the real C:\Windows, or the mounted device.

This is standard path-redirection: SYSTEM thinks it is writing into the temp directory, and the junction silently sends the write elsewhere.

On machines with more than three CPUs, the exploit also runs its "Poseidon" threads throughout this stage, PoseidonGeneratorThread feeding random bytes to several PoseidonThread writers that hammer temp files. They produce nothing useful on their own; they exist purely to add scheduling and I/O noise that widens and stabilizes the timing window. It is reliability engineering, not part of the logic.

Phase 5 — Planting the payload

The exploit watches the attacker-controlled landing directory and waits for Defender to write its restored file there, recording the file's path. Once it appears, the exploit deletes the reparse point on the System32 junction (FSCTL_DELETE_REPARSE_POINT), opens the restored file, reads its own executable image off disk and overwrites the restored file with that copy. The file Defender just "restored" is now the exploit's own binary.

It then renames the handles into their final positions and lays down a last junction, this time on the working directory itself, pointing it at the real C:\Windows. With the working directory now aliasing C:\Windows, the planted binary sits where the path resolves to the genuine System32\wermgr.exe, a location the user could never have written to directly. The embedded ISO is then detached.

Phase 6 — Triggering Windows Error Reporting

The exploit creates a named pipe, \\.\pipe\RoguePlanet, and runs the built-in scheduled task \Microsoft\Windows\Windows Error Reporting\QueueReporting, which executes wermgr.exe as NT AUTHORITY\SYSTEM. Because the planted binary now occupies that path, Windows runs the attacker's copy instead of the legitimate one. The exploit waits for the SYSTEM copy to connect back on the pipe.

Phase 7 — Obtaining an interactive SYSTEM shell

The planted wermgr.exe, now running as SYSTEM, connects back over the named pipe and reads the original caller's session with GetNamedPipeServerSessionId(). It then runs its token sequence: duplicating its SYSTEM token, retargeting it to the user's session and launching conhost.exe. The result is an interactive SYSTEM console on the logged-in user's desktop, with no credentials and no UAC prompt.

Detection With Guardsix SIEM

  • Windows
    • Process Creation with Command line Auditing
  • Windows Sysmon
    • To get started, you can use our sysmon baseline configuration.
    • The following rules need to be added for the detections to work (each block belongs inside the EventFiltering section of the baseline config):

<!-- SYSMON EVENT ID 11 : File Create -->
<FileCreate onmatch="include">
  <Rule groupRelation="or">
    <TargetFilename condition="end with">\wermgr.exe</TargetFilename>
  </Rule>
</FileCreate>

<!-- SYSMON EVENT ID 17 : Pipe Events -->
<PipeEvent onmatch="include">
  <PipeName condition="is">\RoguePlanet</PipeName>
</PipeEvent>

Alert - File Dropped in Suspicious Location

RoguePlanet stages all of its components under the user's %TEMP% directory (C:\Users\<user>\AppData\Local\Temp\RP_<guid>\). It drops an embedded ~896 KB ISO image, then writes an EICAR test file disguised as wermgr.exe (plus a :WDFOO alternate data stream) inside that staging folder as the bait used to trigger Defender's remediation engine.

This alert detects files being written to commonly-abused staging locations (C:\ProgramData, %AppData%\Local, %AppData%\Roaming, C:\Users\Public, and \Temp directories), filtering out known-benign writers such as Visual Studio Installer, Windows Defender (MsMpEng/MpCmdRun/MsSense), OneDrive setup, and Azure agents.

norm_id=WindowsSysmon event_id=11
path IN ["C:\ProgramData*","*\AppData\Local*","*\AppData\Roaming*","C:\Users\Public*"]
-"process" IN ["*\Microsoft Visual Studio\Installer\*\BackgroundDownload.exe", "C:\Windows\system32\cleanmgr.exe", "*\Microsoft\Windows Defender\*\MsMpEng.exe", "C:\Windows\SysWOW64\OneDriveSetup.exe", "*\AppData\Local\Microsoft\OneDrive*", "*\Microsoft\Windows Defender\platform\*\MpCmdRun.exe", "*\AppData\Local\Temp\mpam-*.exe", "*\Windows Defender Advanced Threat Protection\MsSense.exe", "*\Windows Defender Advanced Threat Protection\SenseIR.exe", "*\AzureConnectedMachineAgent\*\gc_*.exe", "*\Microsoft Azure AD Sync\Bin\miiserver.exe"]
-file IN ["vs_setup_bootstrapper.exe", "DismHost.exe","*_PSScriptPolicyTest*.ps1"]

RoguePlanet Named Pipe Creation

After gaining execution as SYSTEM through the Windows Error Reporting (WER) infrastructure, the malicious wermgr.exe creates a named pipe called \RoguePlanet. The creation of this pipe can serve as a direct indicator of compromise (IOC) and can be detected using the following query:

norm_id=WindowsSysmon event_id=17   
pipe="\RoguePlanet"

The above query is highly IOC-driven and relies on the attacker using the specific pipe name. A more resilient approach is to look for suspicious named pipe creation events occurring under the LOCAL SYSTEM security context (S-1-5-18) when the originating process is associated with a non-SYSTEM user account. Such activity may indicate privilege escalation or process impersonation behavior similar to RoguePlanet.

norm_id=WindowsSysmon event_id=17    
(-(source_image IN ["C:\Windows\*","C:\Program Files\*"] OR user IN ["System","ADSync*","NETWORK SERVICE"]) (user_id="S-1-5-18" OR system_security_user_id="S-1-5-18"))

Detect suspicious wermgr.exe execution:

RoguePlanet plants a copy of its own executable as wermgr.exe and gets it run as SYSTEM via the built-in \Microsoft\Windows\Windows Error Reporting\QueueReporting scheduled task.

Once the QueueReporting task runs the planted wermgr.exe as SYSTEM, it launches conhost.exe as SYSTEM. The legitimate wermgr.exe never starts conhost.exe, so this pair running as SYSTEM is a strong sign the exploit worked.

label="Process" label=Create
"parent_process"="*\wermgr.exe*" "process"="*conhost.exe" (integrity_label="*SYSTEM*" or integrity_level=SYSTEM)

The SYSTEM console then opens a command prompt.

label="Process" label=Create -user="*$"  
parent_process="*conhost.exe" "process"="*cmd.exe" (integrity_label="*SYSTEM*" OR integrity_level=SYSTEM)

Pivoting on the process GUID opens the full process tree in Guardsix, which lays out RoguePlanet's activity in a single view.
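As an added example that is not Guardsix's code or query language, the block below re-expresses the detections from the three sections above (the staging-location file write, the two named-pipe queries, and the wermgr.exe → conhost.exe → cmd.exe pair) in Python and runs them over a constructed stream of Sysmon-style records, then chains the process-create hits by process GUID the way the SIEM's process-tree pivot does. Field names follow the queries in the post; the user name "alice", the RP_CONSTRUCTED-GUID staging folder, the {guid-*} values, the "VER" path segment and the sample pipe names are constructed, and the benign-writer list is a subset of the post's exclusion list.

```python
from fnmatch import fnmatch

# Added example, not Guardsix's code: the post's detections in Python, run over
# constructed Sysmon-style records and chained by process GUID. Field names
# follow the post's queries; the user name, staging folder, GUIDs and the "VER"
# path segment are constructed sample values.

STAGING_DIR = "C:\\Users\\alice\\AppData\\Local\\Temp\\RP_CONSTRUCTED-GUID"
G_WERMGR, G_CONHOST, G_CMD, G_USERCMD = "{guid-1}", "{guid-2}", "{guid-3}", "{guid-4}"
SYSTEM_SID = "S-1-5-18"
STAGING_PATHS = ["C:\\ProgramData*", "*\\AppData\\Local*", "*\\AppData\\Roaming*", "C:\\Users\\Public*"]
BENIGN_WRITERS = [  # subset of the post's exclusion list
    "*\\Microsoft Visual Studio\\Installer\\*\\BackgroundDownload.exe",
    "*\\Microsoft\\Windows Defender\\*\\MsMpEng.exe",
    "*\\Microsoft\\Windows Defender\\platform\\*\\MpCmdRun.exe",
    "*\\AppData\\Local\\Temp\\mpam-*.exe",
]
BENIGN_FILES = ["vs_setup_bootstrapper.exe", "DismHost.exe", "*_PSScriptPolicyTest*.ps1"]
TRUSTED_DIRS = ["C:\\Windows\\*", "C:\\Program Files\\*"]
TRUSTED_USERS = ["System", "ADSync*", "NETWORK SERVICE"]

def _match(value, patterns):
    # Case-insensitive glob match, the equivalent of the SIEM's field IN ["*..."].
    return any(fnmatch(value.lower(), p.lower()) for p in patterns)

def is_suspicious_staging_write(ev):
    """'File Dropped in Suspicious Location': event 11 into a staging path, minus benign writers/files."""
    if ev["event_id"] != 11 or not _match(ev["path"], STAGING_PATHS):
        return False
    file_name = ev["path"].rsplit("\\", 1)[-1]
    return not (_match(ev["process"], BENIGN_WRITERS) or _match(file_name, BENIGN_FILES))

def pipe_hits(ev):
    """Event 17: 'ioc' for the literal \\RoguePlanet name; 'behaviour' for a pipe created under
    the SYSTEM SID by an image outside trusted directories that is not a service account."""
    if ev["event_id"] != 17:
        return []
    hits = ["ioc"] if ev["pipe"] == "\\RoguePlanet" else []
    trusted = _match(ev["source_image"], TRUSTED_DIRS) or _match(ev["user"], TRUSTED_USERS)
    if ev["user_id"] == SYSTEM_SID and not trusted:
        hits.append("behaviour")
    return hits

def _system_create(ev, parent_glob, child_glob):
    return (ev["event_id"] == 1 and ev["integrity_level"].upper() == "SYSTEM"
            and _match(ev["parent_process"], [parent_glob]) and _match(ev["process"], [child_glob]))

def is_wermgr_to_conhost(ev):
    # Legitimate wermgr.exe never starts conhost.exe; as SYSTEM the pair is the tell.
    return _system_create(ev, "*\\wermgr.exe*", "*conhost.exe")

def is_conhost_to_cmd(ev):
    # The SYSTEM console opening a prompt; machine accounts (user ending in $) excluded.
    return _system_create(ev, "*conhost.exe", "*cmd.exe") and not ev["user"].endswith("$")

def process_chain(events, guid):
    # Walk parent GUIDs upward (the process-tree pivot); oldest known ancestor first.
    by_guid = {ev["process_guid"]: ev for ev in events if ev["event_id"] == 1}
    chain = []
    while guid in by_guid:
        chain.append(by_guid[guid]["process"].rsplit("\\", 1)[-1])
        guid = by_guid[guid]["parent_guid"]
    return chain[::-1]

def run_detections(events):
    hits = {"staging_write": [], "pipe": [], "wermgr_conhost": [], "conhost_cmd": []}
    for ev in events:
        if is_suspicious_staging_write(ev):
            hits["staging_write"].append(ev["path"])
        hits["pipe"] += [(tag, ev["pipe"]) for tag in pipe_hits(ev)]
        if is_wermgr_to_conhost(ev):
            hits["wermgr_conhost"].append(ev["process_guid"])
        if is_conhost_to_cmd(ev):
            hits["conhost_cmd"].append(ev["process_guid"])
    return hits

def _proc(guid, parent_guid, image, parent_image, integrity, user):
    # Constructed Sysmon event 1 record with both images under System32.
    return {"event_id": 1, "process_guid": guid, "parent_guid": parent_guid,
            "process": "C:\\Windows\\System32\\" + image, "parent_process": "C:\\Windows\\System32\\" + parent_image,
            "integrity_level": integrity, "user": user}

SAMPLE_EVENTS = [  # constructed records, in the order the post's phases produce them
    # Phase 1: bait written into the RP_<guid> staging folder -> staging_write
    {"event_id": 11, "process": STAGING_DIR + "\\rogueplanet.exe", "path": STAGING_DIR + "\\System32\\wermgr.exe"},
    # Defender's own write under ProgramData -> excluded writer, no hit
    {"event_id": 11, "process": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\VER\\MsMpEng.exe",
     "path": "C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\sample.bin"},
    # Phase 6: the exploit's pipe, SYSTEM SID but a temp-folder image -> ioc + behaviour
    {"event_id": 17, "pipe": "\\RoguePlanet", "user_id": SYSTEM_SID, "user": "alice",
     "source_image": STAGING_DIR + "\\rogueplanet.exe"},
    # An ordinary service pipe from a trusted image -> no hit
    {"event_id": 17, "pipe": "\\srvsvc", "user_id": SYSTEM_SID, "user": "System",
     "source_image": "C:\\Windows\\System32\\svchost.exe"},
    # Phases 6-7: wermgr.exe (scheduled task) -> conhost.exe -> cmd.exe, all SYSTEM
    _proc(G_WERMGR, "{guid-svchost}", "wermgr.exe", "svchost.exe", "System", "NT AUTHORITY\\SYSTEM"),
    _proc(G_CONHOST, G_WERMGR, "conhost.exe", "wermgr.exe", "System", "NT AUTHORITY\\SYSTEM"),
    _proc(G_CMD, G_CONHOST, "cmd.exe", "conhost.exe", "System", "NT AUTHORITY\\SYSTEM"),
    # A user's own prompt at Medium integrity -> no hit
    _proc(G_USERCMD, "{guid-explorer}", "cmd.exe", "conhost.exe", "Medium", "alice"),
]

if __name__ == "__main__":
    print(run_detections(SAMPLE_EVENTS))
    print(process_chain(SAMPLE_EVENTS, G_CMD))  # ['wermgr.exe', 'conhost.exe', 'cmd.exe']
```

Run on the sample stream, only the bait write, the RoguePlanet pipe and the two SYSTEM process-create events fire; Defender's own write and the service pipe are filtered exactly as the post's exclusion lists intend, and walking the cmd.exe hit's GUID upward recovers the wermgr.exe → conhost.exe → cmd.exe chain that the SIEM's process-tree view shows.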