SmarterTools confirms Warlock ransomware breach via unpatched email server

SmarterTools has confirmed that the Warlock ransomware gang breached its network after compromising an internal email system, though the company says business applications and customer account data were not impacted.

According to Chief Commercial Officer Derek Curtis, the intrusion occurred on January 29 and originated from a single SmarterMail virtual machine (VM) that had been set up by an employee and was not receiving updates. The vulnerable VM was one of roughly 30 SmarterMail servers deployed across the company’s network, but it had gone unnoticed by administrators and remained unpatched.

Attackers exploited CVE-2026-23760, an authentication bypass vulnerability in SmarterMail versions prior to Build 9518 that allows threat actors to reset administrator passwords and gain full system privileges.

From the compromised VM, the attackers moved laterally using Active Directory and Windows-based tools, ultimately breaching 12 Windows servers on SmarterTools’ office network and a secondary data center used for testing, quality control, and hosting. Linux servers, which make up most of the company’s infrastructure, were not affected.

SmarterTools said the attackers waited about a week after gaining initial access before attempting to deploy ransomware. The final stage was blocked by security products, which prevented encryption, isolated affected systems, and allowed data to be restored from recent backups.

The company attributed the attack to the Warlock ransomware group, noting that similar activity has also targeted customer environments. Tools observed during the intrusion included Velociraptor, SimpleHelp, and vulnerable versions of WinRAR, along with scheduled tasks and startup items for persistence.

Security firm ReliaQuest released a separate report linking the activity with moderate-to-high confidence to a China-based threat actor, tracked as Storm-2603. The attackers have exploited CVE-2026-23760 as an initial access vector to deploy Warlock ransomware on internet-facing systems. ReliaQuest said this appears to be the first observed case tying the China-based actor to the vulnerability.

Earlier this month, US CISA also warned that ransomware actors are exploiting a second SmarterMail flaw, CVE-2026-24423, which ReliaQuest observed being probed alongside the Storm-2603 activity. Those attempts originated from different infrastructure, so it is currently unclear whether Storm-2603 is rotating IP addresses or whether another group is trying to take advantage of the flaw.

