LegacyHive: Nightmare Eclipse drops another unpatched Windows privilege escalation zero-day hours after Patch Tuesday      TuxBot v3 Evolution: LLM-built IoT botnet targets 17 CPU architectures, active DDoS-for-hire infrastructure confirmed      LegacyHive: Nightmare Eclipse drops another unpatched Windows privilege escalation zero-day hours after Patch Tuesday      TuxBot v3 Evolution: LLM-built IoT botnet targets 17 CPU architectures, active DDoS-for-hire infrastructure confirmed     
CyberSipTM
Intelligence without the noise
Issue No. 88
July 17, 2026
2 items · past 24h
<4 min read
Today's picture

Nightmare Eclipse dropped another unpatched Windows zero-day hours after Microsoft's record Patch Tuesday, this one a privilege escalation in the Windows User Profile Service that works on fully updated systems and has no CVE, no patch, and no confirmed timeline for a fix. Unit 42 disclosed TuxBot v3 Evolution, a previously unknown IoT botnet framework built with large language model assistance, targeting 17 CPU architectures with a Telnet brute-force module carrying 1,496 credential pairs and active DDoS-for-hire infrastructure that researchers confirmed was operational as recently as April 2026.

Today's intelligence
2 items
01 HighLegacyHiveNo Patch
Nightmare Eclipse drops an unpatched Windows privilege escalation zero-day hours after Patch Tuesday, working on fully updated systems
LegacyHive exploits a flaw in the Windows User Profile Service to mount another user's registry hive, including an administrator's. A deliberately stripped public proof-of-concept is already confirmed working. No CVE, no patch, no fix timeline from Microsoft.
NameLegacyHive
CVENot yet assigned
AffectsAll supported
Windows desktop
and server, fully
patched July 2026
ExploitationNot confirmed
in the wild
The researcher known as Nightmare Eclipse, also going by Chaotic Eclipse, published proof-of-concept code for LegacyHive on GitHub hours after Microsoft's July 15 Patch Tuesday release. The vulnerability is in the Windows User Profile Service, also called ProfSvc, which creates, loads, and manages user profiles during sign-in. Windows loads a portion of a new user's profile before that user signs in for the first time. LegacyHive abuses the path the User Profile Service uses when loading a registry hive during that process, allowing a standard user to redirect the operation toward another account's UsrClass.dat file. This lets an attacker mount and read another user's classes registry hive, including an administrator's. If the hive can be modified, the attacker can configure the registry to run malicious code when the administrator signs in or performs a routine action, causing that code to execute inside the administrator's session. The public proof-of-concept was deliberately stripped before release. As published, it requires a standard user account, an additional set of credentials, and a third username belonging to an administrator target. Nightmare Eclipse stated that the original exploit does not require extra credentials and is not limited to the UsrClass.dat hive. Independent researchers including Kevin Beaumont confirmed the stripped proof-of-concept works on systems running the July 2026 patches. Microsoft told SecurityWeek it is aware of the reported vulnerability and actively investigating. No CVE has been assigned. No patch is available. The release follows a documented pattern: Nightmare Eclipse has released nine Windows zero-days since April 2026 as part of a public dispute with Microsoft over its bug bounty program and account suspension.
Three prior Nightmare Eclipse zero-days, BlueHammer, RedSun, and UnDefend, were exploited in live attacks before Microsoft patched them, and all three subsequently appeared in CISA's Known Exploited Vulnerabilities catalog. LegacyHive follows the same disclosure pattern. The stripped proof-of-concept reduces the immediate exploitation risk, but the researcher stated plainly that the original is more capable. A skilled attacker who can identify the type of registry hive loading flaw described has a clear path to building a working exploit from the published technical details.
Nightmare Eclipse's nine public disclosures since April have averaged roughly three weeks between publication and Microsoft patch. BlueHammer, RedSun, and UnDefend were all exploited during that window. This brief has tracked the pattern across Issues 82, 86, and now 88. The researcher has stated intent to continue, and the cadence has not slowed. The practical defensive posture while LegacyHive is unpatched is to restrict who holds local standard-user accounts on multi-user systems, enable behavioral monitoring on User Profile Service activity, and watch for unexpected access to user classes registry hives.
  • Monitor User Profile Service activity for unexpected hive loads and suspicious registry access under user classes roots. Endpoint detection rules that flag ProfSvc loading hives outside expected sequences are the most direct interim control.
  • Restrict the creation of local standard-user accounts on multi-user Windows systems. The published proof-of-concept requires a second set of credentials. Reducing the number of accounts that can be used as stepping stones limits the published attack's reach while the flaw is unpatched.
  • Apply application allowlisting to reduce the impact of any privilege escalation. An attacker who reaches administrator-level execution on an allowlisted system has fewer options for persistence and payload execution than on an unrestricted endpoint.
Nine zero-days in three months from one researcher with a documented grievance, three of them exploited before a patch arrived. LegacyHive is the ninth. Microsoft is investigating. There is no patch yet. The gap between these two facts is where defenders need to operate right now.
02 HighTuxBot v3IoT Botnet
Unit 42 uncovers TuxBot v3 Evolution: an IoT botnet built with LLM assistance, targeting 17 CPU architectures with active DDoS-for-hire infrastructure
The LLM left its safety disclaimer in the shipped code. Its chain-of-thought reasoning is still in the source comments. The bugs those artifacts point to are real, and Unit 42 says a handful of targeted prompts would fix all of them.
NameTuxBot v3 Evolution
DisclosedJuly 16, 2026
Architectures17: ARM, MIPS,
x86_64, RISC-V,
PowerPC, others
Active sinceC2 active from
at least March 2026
Palo Alto Networks Unit 42 published research on TuxBot v3 Evolution, a previously undocumented modular IoT botnet framework. Researchers recovered the full source code, compiled binaries across 17 CPU architectures, Docker-based test infrastructure, and 254 automated DDoS benchmark reports from internal telemetry. The botnet uses a C-based agent that cross-compiles for ARM, MIPS, x86_64, PowerPC, RISC-V, and twelve other architectures, a Go-based command-and-control server with a DDoS-for-hire administrative panel, and a Telnet brute-force module loaded with 1,496 credential pairs covering common default and vendor-specific logins. Additional access paths include SSH scanning, HTTP probing, and Android Debug Bridge scanning against poorly secured routers, cameras, DVRs, and embedded systems. Its lineage traces to Mirai, AISURU, and the open-source MHDDoS DDoS toolkit. The source code contains clear evidence of LLM assistance: the AI safety disclaimer was left verbatim in the shipped binary, and the LLM's chain-of-thought reasoning appears as comments throughout the codebase. One comment reads "// I created them so I should know?" and another "// Wait, where is the command?" These artifacts also point to specific implementation bugs including a broken XOR string table, a nonfunctional exploit virtual machine, and a fake Argon2id routine that actually performs repeated SHA-256 hashing. Unit 42 assessed the botnet as roughly 70% functional as recovered, with core infection, brute-forcing, persistence, primary C2 communications, and UDP, TCP, and DNS flooding all working correctly. The C2 server at 209.182.237[.]133 was confirmed active, and six new compiled samples appeared in Unit 42 telemetry in April 2026, indicating the operator continued development after the recovered artifacts were created. Unit 42 noted that its own researchers fixed the identified defects using a handful of targeted LLM prompts, and that the operator, who holds the complete source code, could do the same.
TuxBot v3 demonstrates that LLM-assisted malware development is now operational rather than theoretical. The resulting code has defects because the developer did not review what the LLM produced, but 70% functional across 17 architectures with active infrastructure is not a failed experiment. The bugs are fixable, the source is in the operator's hands, and Unit 42 confirmed the fixes are straightforward. IoT devices running on unmonitored default credentials remain the target. The credential list of 1,496 pairs is built from documented default and vendor-specific logins, which are still common across deployed routers, cameras, and embedded systems.
The LLM safety disclaimer that shipped in the botnet binary is the most useful diagnostic detail in Unit 42's report, not because it is amusing but because of what it reveals about the development process. The developer asked an LLM to write botnet code, accepted the output without reading it carefully enough to notice the disclaimer, compiled it, and shipped it. That is not a sophisticated operation. It is an unsophisticated operation with a more capable tool. The implication for defenders is that the barrier to producing functional multi-architecture malware infrastructure has dropped significantly below the level of skill required to write it from scratch. TuxBot v3's bugs did not prevent it from running operational DDoS campaigns. They just made it 30% less functional than it could have been.
  • Change default credentials on every internet-facing IoT device in your environment. TuxBot's 1,496-credential brute-force module targets the credentials that ship from the manufacturer. Any device still running factory defaults is in scope.
  • Block or monitor inbound Telnet (port 23), SSH from unexpected external sources (port 22), and ADB (port 5555) on network segments where IoT devices are deployed. TuxBot uses all three as infection paths.
  • Block the known TuxBot infrastructure at the network boundary: dropper at 185.10.68[.]127 and C2 at 209.182.237[.]133. Both are confirmed active and appear in Unit 42's published indicators of compromise.
An IoT botnet author used an LLM to write the code, forgot to remove the safety disclaimer, and still produced a working DDoS-for-hire platform targeting 17 CPU architectures. The bugs are fixable. The defaults it targets are not changing on their own. The low skill floor plus the large installed base of IoT devices running factory credentials is a durable problem.
Cross-source standouts
01
LegacyHive and TuxBot both reflect the same shift: tools are lowering the skill floor without requiring mastery of what they produce
Nightmare Eclipse is demonstrably skilled. Nine Windows zero-days in three months, three exploited before patches shipped, all in high-value Windows components, is not the output of someone who does not understand what they are doing. LegacyHive is an expert product. TuxBot is the opposite: an operator who used an LLM to write malware, did not review the output carefully enough to notice an AI safety disclaimer in the compiled binary, and still produced a working botnet running active DDoS campaigns across 17 CPU architectures. Both stories are about tools that reduce what you need to know to produce a dangerous output, from different ends of the skill spectrum. What LegacyHive and TuxBot share is that the gap between a defender's understanding of the threat and the attacker's actual capability to cause harm keeps widening, regardless of whether the attacker is an expert using deep knowledge or an amateur using an LLM without reading what it generated.
02
The Nightmare Eclipse pattern has now produced nine zero-days and three confirmed exploited flaws in three months. The ninth is unpatched.
This brief first documented the Nightmare Eclipse pattern in Issue 82 when RoguePlanet was patched after 23 days as a live zero-day. Issue 86 noted that the July 15 Patch Tuesday closed two Nightmare Eclipse flaws and that LegacyHive was published the same day. The pattern now has a defined shape: disclosure timed to Patch Tuesday denies Microsoft the ability to integrate a fix into the monthly cycle, the researcher publishes stripped proof-of-concept code to demonstrate validity while slowing opportunistic exploitation, and previous flaws from the same series show that motivated actors can build on the published technical basis to produce working attacks. The prior three exploited flaws, BlueHammer, RedSun, and UnDefend, were each added to CISA KEV after evidence of real-world use. LegacyHive is different in one respect: the published code was more deliberately limited than the previous releases, which the researcher attributed to intent rather than inability. Whether that changes the eventual exploitation timeline is not yet clear.
Still watching
Days 2–5
Zoom CVE-2026-53412 (Issue 87 · CVSS 9.8 account takeover) — no exploitation confirmed yet. Push Zoom Workplace for Windows 7.0.0 through MDM now. Do not rely on users to self-update on a CVSS 9.8 flaw.
Day 2
SonicWall SMA1000 CVE-2026-15409 and CVE-2026-15410 (Issue 86 · CISA KEV) — unauthenticated RCE and SSRF confirmed exploited on enterprise VPN gateway. Federal deadline is August 5. Patch now rather than in three weeks.
Day 3
SharePoint three-CVE active exploitation campaign (Issues 86 and 87 · CISA alert) — CVE-2026-45659, CVE-2026-32201, CVE-2026-56164 all actively exploited, Storm-2603 ransomware named. Apply July patches, enable AMSI full mode, remove from internet exposure where feasible.
Day 2
CitrixBleed 2 CVE-2025-5777 (Issue 85 · DragonForce) — seven-step ransomware playbook confirmed. Patch NetScaler and terminate all active sessions. Log review for binary-data login failures is the compromise indicator. Patching alone is not remediation.
Day 4