Hackers have broken into at least one organization using Windows vulnerabilities published online by a disgruntled security researcher over the last two weeks, according to a cybersecurity firm.

On Friday, cybersecurity company Huntress said in a series of posts on X that its researchers have seen hackers taking advantage of three Windows security flaws, dubbed BlueHammer, UnDefend, and RedSun. 

It’s unclear who the target of this attack is, and who the hackers are.

BlueHammer is the only bug among the three vulnerabilities being exploited that Microsoft has patched so far. A fix for BlueHammer was rolled out earlier this week. 

It appears that the hackers are exploiting the bugs by using exploit code that the security researcher published online. 

Earlier this month, a researcher who goes by Chaotic Eclipse published on their blog what they said was code to exploit an unpatched vulnerability in Windows. The researcher alluded to some conflict with Microsoft as the motivation behind publishing the code. 

“I was not bluffing Microsoft and I’m doing it again,” they wrote. “Huge thanks to MSRC leadership for making this possible,” they added, referring to Microsoft’s Security Response Center, the company’s team that investigates cyberattacks and handles reports of vulnerabilities.

Days later, Chaotic Eclipse published UnDefend, and then earlier this week published RedSun. The researcher published code to exploit all three vulnerabilities on their GitHub page. 

All three vulnerabilities affect the Microsoft-made antivirus Windows Defender, allowing a hacker to gain high-level or administrator access to an affected Windows computer.

TechCunch could not reach Chaotic Eclipse for comment.

In response to a series of specific questions, Microsoft’s communications director Ben Hope said in a statement that the company supports “coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community.”

This is a case of what the cybersecurity industry calls “full disclosure.” When researchers find a flaw, they can report it to the affected software maker to help them fix it. At that point, usually the company acknowledges receipt, and if the vulnerability is legitimate, the company works to patch it. Often, the company and researchers agree on a timeline that establishes when the researcher can publicly explain their findings. 

Sometimes, for a variety of reasons, that communication breaks down and researchers publicly disclose details of the bug. In some cases, in part to prove the existence or severity of a flaw, researchers go a step further and publish “proof-of concept” code capable of abusing that bug.

When that happens, cybercriminals, government hackers, and others can then take the code and use it for their attacks, which prompts cybersecurity defenders to rush to deal with the fallout. 

“With these being so easily available now, and already weaponized for easy use, for better or for worse I think that ultimately puts us in another tug-of-war match between defenders and cybercriminals,” John Hammond, one of the researchers at Huntress who has been tracking the case, told TechCrunch. 

“Scenarios like these cause us to race with our adversaries; defenders frantically try to protect against ill-intended actors who rapidly take advantage of these exploits… especially now as it is just ready-made attacker tooling,” said Hammond.