From WinRE to SYSTEM: Hunting the YellowKey and MiniPlasma Attack Chain
ID: 4094c051-043b-5981-9d87-87c07d3b30c0
STIX ID: report--4094c051-043b-5981-9d87-87c07d3b30c0
Feed Name: LevelBlue SpiderLabs Blog
LevelBlue SpiderLabs analyzes a series of public zero-day disclosures from an actor calling itself Chaotic/Nightmare Eclipse, focusing on YellowKey — a WinRE TxF transaction-replay PoC (CVE-2026-45585) that yields a SYSTEM command shell and full access to BitLocker-protected volumes on TPM-only Windows systems with ~60 seconds of physical access — and MiniPlasma, a local privilege escalation targeting the Cloud Files filter driver. The report details the file-structure exploit mechanics, staging vectors (USB/ESP), detection and hunting opportunities, YARA rules, mitigation recommendations (remove autofstx.exe from the WinRE BootExecute list; consider TPM+PIN), and PoC-specific IOCs.
