
Warlock Gang Breached SmarterTools Through Its Own Email Server Software

Codex Consulting Group

Overview

A China-linked ransomware group called Warlock breached SmarterTools, the company behind the SmarterMail email server platform, by exploiting critical vulnerabilities in the vendor’s own product. The breach, which occurred on January 29, 2026, started from a single unpatched SmarterMail virtual machine that an employee had set up without the company’s knowledge. From that one overlooked server, the attackers moved laterally through the Windows portion of SmarterTools’ network, compromising 12 servers before endpoint detection tools blocked the final encryption payload.

SmarterTools COO Derek Curtis disclosed the breach in a public blog post detailing the timeline, scope, and indicators of compromise. The disclosure came alongside CISA’s decision to add CVE-2026-24423, an unauthenticated remote code execution flaw in SmarterMail’s ConnectToHub API, to its Known Exploited Vulnerabilities catalog on February 5, citing active exploitation in ransomware campaigns. Halcyon linked the Warlock Gang to a Chinese nation-state actor tracked as Storm-2603 in October 2025, and ReliaQuest published a report this week confirming that attribution with moderate-to-high confidence.

SmarterMail is used by roughly 15 million users across 120 countries, primarily deployed by managed service providers, small and medium-sized businesses, and hosting companies offering email services. The Warlock Group did not stop at SmarterTools itself. Curtis confirmed the group has been observed running the same playbook against SmarterMail customer environments, meaning the blast radius extends well beyond the vendor’s own network.

Technical Details

The Vulnerabilities

Two critical flaws in SmarterMail made this campaign possible, both carrying CVSS scores of 9.3:

CVE-2026-23760 is an authentication bypass vulnerability that allows an unauthenticated attacker to force a password reset on a system administrator account, granting full administrative access to the SmarterMail instance. This was the primary vector used against SmarterTools’ own network. ReliaQuest noted that Storm-2603 likely favored this vulnerability over CVE-2026-24423 because the password-reset approach blends more easily into legitimate administrative activity, making it harder to detect.

CVE-2026-24423 is an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker can point a SmarterMail instance to a malicious HTTP server under their control, and that server can deliver arbitrary operating system commands for execution. Security researchers at watchTowr, CODE WHITE, and VulnCheck independently discovered and responsibly disclosed this flaw.

Both vulnerabilities were patched in SmarterMail Build 9511 on January 15, 2026. SmarterTools was breached two weeks later through a VM still running an older, unpatched build.

Initial Access and Lateral Movement

SmarterTools had approximately 30 servers and virtual machines running SmarterMail across its internal network. One VM, set up by an employee, was not being maintained or updated. The attackers exploited CVE-2026-23760 against this single server to gain administrative access, then pivoted through Active Directory to reach other Windows systems on the network.

ReliaQuest’s analysis adds another detail: Storm-2603 chains initial access with SmarterMail’s built-in “Volume Mount” feature to escalate from email server compromise to full system control. This technique turns a SmarterMail administrative session into a foothold on the underlying operating system.

Dwell Time and Ransomware Staging

The Warlock Group follows a consistent operational pattern. After gaining initial access, they install tools and wait approximately six to seven days before taking further action. This dwell period explains a frustrating dynamic that SmarterTools observed among its customers: some organizations were breached despite applying the January 15 patch, because the initial compromise had already occurred before the update and the attackers had simply not yet triggered the next phase of their operation.

When the group does move to the next stage, the pattern is predictable. They target Active Directory servers, create new user accounts, distribute files across Windows machines, and execute ransomware payloads. In SmarterTools’ case, SentinelOne endpoint protection detected the encryption attempt and blocked it. The company isolated affected systems and restored from backups that were six hours old.

Tools and Tradecraft

SmarterTools documented the following tooling across its own environment and compromised customer systems:

  • Velociraptor: A legitimate open-source digital forensics and incident response tool, repurposed by Storm-2603 for persistent remote access. Cisco Talos has previously reported on this group’s abuse of Velociraptor.
  • SimpleHelp: A legitimate remote access tool used for maintaining access to compromised systems.
  • WinRAR: Specifically older, vulnerable versions, likely used for staging and archiving exfiltrated data.
  • JWRapper: An execution framework observed in multiple incidents.
  • Web shells: Randomly named .aspx files deployed on compromised servers.
  • PowerShell scripts: Short, randomly named files (e.g., e0f8rM_0.ps1).
  • Persistence mechanisms: Startup items and scheduled tasks pointed to malicious binaries including run.exe, run.dll, and main.exe.

The group primarily stages files in Public folders, AppData, ProgramData, and SmarterTools/SmarterMail installation directories.

Impact

The vendor-breach angle makes this incident particularly uncomfortable. SmarterTools was compromised through a vulnerability in the product it sells, and the same vulnerability chain was used to hit its customers. It is not common for a software vendor to get breached through its own product, but it underscores a reality that security teams already know: if you sell or run software, you need to patch it everywhere it exists in your environment, including the forgotten lab VMs and test servers that nobody is actively maintaining.

SmarterMail serves as a self-hosted alternative to Microsoft Exchange for organizations that want to keep their email infrastructure on-premises. Its customer base of 15 million users across 120 countries includes exactly the kind of organizations that often lack dedicated security teams: MSPs managing dozens of client environments, SMBs running a single mail server, and hosting providers whose customers depend on shared infrastructure.

CISA’s addition of CVE-2026-24423 to the KEV catalog, with explicit mention of ransomware exploitation, sets a hard deadline for federal agencies. Those operating under BOD 22-01 must apply patches or mitigations by February 26, 2026, or stop using the product entirely.

Recommendations

  1. Update SmarterMail to Build 9526 or later immediately. Build 9511 (January 15) addressed CVE-2026-24423 and CVE-2026-23760. Build 9526 (January 30) includes additional hardening and fixes for issues found during SmarterTools’ internal security audit. Do not assume the January 15 patch is sufficient; apply the latest available build.

  2. Assume compromise if you were running a vulnerable build before January 15. The Warlock Group’s six-to-seven-day dwell time means an organization patched on January 15 could still harbor a dormant compromise from January 8 or earlier. Investigate before declaring yourself clean.

  3. Hunt for the specific tradecraft indicators. Look for Velociraptor, SimpleHelp, or JWRapper installed on systems. Check for randomly named .aspx files in web-accessible directories, new local administrator accounts you did not create, suspicious scheduled tasks, and unfamiliar startup items. Review the SmarterTools blog post for the full indicator list.

  4. Audit Active Directory for unauthorized changes. The Warlock Group’s consistent playbook involves creating new domain users and distributing files via AD. Check for recently created accounts, group membership changes, and any modifications to Group Policy Objects that occurred after the estimated compromise date.

  5. Inventory every SmarterMail instance in your environment. SmarterTools’ own breach happened because they were unaware of one VM running SmarterMail. Conduct an asset sweep for SmarterMail processes, services, or listening ports across your network. Shadow IT deployments of email servers are exactly the kind of blind spot attackers rely on.
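Steps 3 through 5 are a host-level hunt, and the PowerShell script below is an added example written for this post to carry them out on one Windows host; it is not SmarterTools’ code and does not come from the vendor’s disclosure. It assumes an elevated Windows PowerShell 5.1 or later session, treats the ActiveDirectory and GroupPolicy modules as optional, and defaults its search window to January 8, 2026 (the January 15 patch date less the six-to-seven-day dwell time). The name patterns it uses for short random .ps1 scripts and .aspx files are our own approximations of the descriptions above, not vendor-published indicators, and the tool names, binary names and staging directories are the ones listed on this page.

```powershell
# Triage sweep for one Windows host that may run SmarterMail, covering steps 3-5 of the
# recommendations above. Added example, not SmarterTools' code. Assumptions: elevated
# Windows PowerShell 5.1+; ActiveDirectory/GroupPolicy modules optional; the .ps1/.aspx
# name patterns are our heuristics, not vendor IoCs; $Since = patch date minus the dwell window.
[CmdletBinding()]
param(
    [datetime]$Since = [datetime]'2026-01-08',
    [string[]]$StagingRoots = @(
        $env:PUBLIC, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData,
        "$env:ProgramFiles\SmarterTools", "${env:ProgramFiles(x86)}\SmarterTools"
    )
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}
$tools    = 'SmarterMail|Velociraptor|SimpleHelp|JWrapper'   # tool names from the post
$binaryRx = '(^|\\)(run\.exe|run\.dll|main\.exe)\b'          # persistence binaries from the post

# 1. Inventory (step 5): SmarterMail and the remote-access tools as services, processes, installed products
Get-Service | Where-Object { ($_.Name + ' ' + $_.DisplayName) -match $tools } |
    ForEach-Object { Add-Finding 'Service' "$($_.Name) [$($_.Status)]" }
Get-Process | Where-Object { $_.ProcessName -match $tools } |
    ForEach-Object { Add-Finding 'Process' "$($_.ProcessName) PID $($_.Id) $($_.Path)" }
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $tools } |
    ForEach-Object { Add-Finding 'Installed' "$($_.DisplayName) $($_.DisplayVersion)" }

# 2. Accounts (step 3): current local Administrators for review, plus 4720 (user created) events in the window
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'LocalAdmin' "$($_.Name) ($($_.PrincipalSource))" }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'AccountCreated' "$($_.TimeCreated) $($_.Properties[0].Value) by $($_.Properties[4].Value)" }

# 3. Scheduled tasks (step 3): registered in the window, or launching the named binaries or any .ps1
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $registered = $null
    if ($task.Date) { try { $registered = [datetime]$task.Date } catch { } }
    $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    if (($registered -and $registered -ge $Since) -or $cmd -match $binaryRx -or $cmd -match '\.ps1\b') {
        Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $cmd"
    }
}

# 4. Startup items (step 3): Run/RunOnce values and Startup folder contents, all listed for review
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { Add-Finding 'RunKey' "$key\$($_.Name) = $($_.Value)" }
}
$startupDirs = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'StartupFolder' $_.FullName }

# 5. Files (step 3): staging directories named in the post, limited to files written inside the window
foreach ($root in ($StagingRoots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            if     ($_.FullName -match $binaryRx)               { Add-Finding 'NamedBinary'       $_.FullName }
            elseif ($_.Extension -eq '.aspx')                   { Add-Finding 'WebShellCandidate' $_.FullName }
            elseif ($_.Name -match '^[A-Za-z0-9_]{4,12}\.ps1$') { Add-Finding 'ShortScript'       $_.FullName }
        }
}

# 6. Domain audit (step 4), only where the RSAT modules are present
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    try {
        Import-Module ActiveDirectory
        Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated |
            ForEach-Object { Add-Finding 'ADUserCreated' "$($_.SamAccountName) $($_.whenCreated)" }
        Get-ADGroupMember -Identity 'Domain Admins' |
            ForEach-Object { Add-Finding 'DomainAdmin' $_.SamAccountName }
    } catch { Write-Warning "Active Directory query failed: $_" }
}
if (Get-Module -ListAvailable -Name GroupPolicy) {
    try {
        Import-Module GroupPolicy
        Get-GPO -All | Where-Object { $_.ModificationTime -ge $Since } |
            ForEach-Object { Add-Finding 'GPOModified' "$($_.DisplayName) $($_.ModificationTime)" }
    } catch { Write-Warning "Group Policy query failed: $_" }
}

$findings | Sort-Object Category | Format-Table -AutoSize
$findings | Export-Csv -Path "$env:TEMP\warlock-sweep-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Run it from an elevated prompt on every host the asset sweep turns up, widening the window where the patch was applied late (for example `.\warlock-sweep.ps1 -Since '2026-01-01'`). Every row it emits is a review item rather than a verdict: the local Administrators and Run key listings are deliberately complete so an analyst can compare them against a known baseline, and an empty result only means the indicators named on this page were not found, which is why step 2 still applies.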

MITRE ATT&CK Mapping

Technique ID   Name
T1190          Exploit Public-Facing Application
T1078          Valid Accounts
T1219          Remote Access Software
T1136.001      Create Account: Local Account
T1053.005      Scheduled Task/Job: Scheduled Task
T1547.001      Boot or Logon Autostart Execution: Registry Run Keys
T1570          Lateral Tool Transfer
T1071.001      Application Layer Protocol: Web Protocols
T1486          Data Encrypted for Impact
T1059.001      Command and Scripting Interpreter: PowerShell
T1505.003      Server Software Component: Web Shell

Indicators of Compromise

Vulnerabilities Exploited:

CVE               Description                                              CVSS
CVE-2026-23760    Authentication bypass via administrator password reset   9.3
CVE-2026-24423    Unauthenticated RCE via ConnectToHub API                 9.3

Tools Observed:

Tool                            Legitimate Purpose   Abuse Context
Velociraptor                    DFIR                 Persistent remote access
SimpleHelp                      Remote support       Maintaining access
WinRAR (vulnerable versions)    File archival        Data staging
JWRapper                        Java wrapper         Execution framework

File System Indicators:

  • Unexpected files in: Public folders, %AppData%, %ProgramData%, SmarterTools\SmarterMail directories
  • Randomly named executables: run.exe, run.dll, main.exe
  • Random .aspx web shells
  • Short random PowerShell scripts (e.g., e0f8rM_0.ps1)

Persistence Indicators:

  • Unauthorized local administrator accounts
  • New or modified scheduled tasks
  • Suspicious startup items

Timeline

Date                 Event
January 15, 2026     SmarterMail Build 9511 released, patching CVE-2026-24423 and CVE-2026-23760
January 22, 2026     Build 9526 released with additional security hardening
January 29, 2026     Warlock Group breaches SmarterTools via unpatched VM
February 4, 2026     SmarterTools COO Derek Curtis publishes breach disclosure
February 5, 2026     CISA adds CVE-2026-24423 to KEV catalog, citing ransomware exploitation
February 7, 2026     ReliaQuest confirms Storm-2603 attribution with moderate-to-high confidence

How Codex Can Help

If your organization runs SmarterMail and you need to determine whether the Warlock Group reached your environment, or if this incident has highlighted gaps in how you manage self-hosted email infrastructure, reach out. Our team can help with:

  • Compromise assessment targeting the specific Storm-2603/Warlock tradecraft documented here, including forensic analysis of SmarterMail servers, Active Directory, and Windows endpoints that may have been staged for ransomware deployment during the pre-patch window.
  • Asset discovery to identify every SmarterMail instance in your environment, including forgotten VMs, lab servers, and shadow IT deployments that may be running unpatched builds.
  • Ransomware readiness review evaluating your detection coverage against the Warlock Group’s specific toolchain (Velociraptor abuse, AD-based lateral movement, delayed encryption staging) and your ability to recover from a successful encryption event.
  • Incident response if your investigation surfaces evidence of compromise, including containment, credential rotation, and clean recovery of affected systems.

Getting breached through your own product is a scenario every software company dreads. For the organizations running that product, the lesson is the same one it always is: patch everything, including the servers you forgot you had.

Sources

  1. https://portal.smartertools.com/community/a97747/summary-of-smartertools-breach-and-smartermail-cves.aspx
  2. https://www.darkreading.com/application-security/warlock-gang-breaches-smartertools-smartermail-bugs
  3. https://www.bleepingcomputer.com/news/security/cisa-warns-of-smartermail-rce-flaw-used-in-ransomware-attacks/