ACCORDING to ReliaQuest, a China-based threat actor group identified as Storm-2603 has been caught exploiting a critical SmarterMail vulnerability to deploy Warlock ransomware, representing a significant escalation against email infrastructure. The attack centres on CVE-2026-23760, a flaw that allows attackers to bypass authentication and seize control of the server, with Storm-2603 linking this entry point to ransomware operations for the first time.
The campaign is described as “living off the land”: after resetting administrator passwords, the group leverages SmarterMail’s built-in Volume Mount feature to gain full system control and deploy Velociraptor, a legitimate digital forensics tool that the group abuses to maintain persistence. A second vulnerability, CVE-2026-24423, is also under active exploitation, creating a two-front threat defenders must address.
ReliaQuest warns that both pathways can lead to full system compromise and notes Storm-2603’s patch-to-exploit speed gives organisations only a short response window. Immediate actions include upgrading SmarterMail to Build 9511 or later, isolating the mail server, and applying strict firewall rules to sever potential C2 channels.
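The attack chain in the second paragraph (administrator password reset, then Volume Mount, then a Velociraptor binary on the mail server) and the short response window in the third both argue for automated triage of the mail-server fleet. The following is an added example written for this page, not code from ReliaQuest, SmarterTools or the Velociraptor project. It assumes a hypothetical, SIEM-normalised event record (the `Event` class and its `kind` values are an assumption, not SmarterMail's own log format), a constructed set of sample events, and a 6-hour correlation window; the only value taken from the page is the patched build number, 9511.

```python
"""Defender-side triage for the SmarterMail / Storm-2603 chain described above.

Everything here is a constructed example: the event schema is a hypothetical
normalised record (not SmarterMail's log format), and the hosts, timestamps and
paths in SAMPLE_EVENTS are made up.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PATCHED_BUILD = 9511                 # minimum safe build named in the advisory summary
CHAIN_WINDOW = timedelta(hours=6)    # assumption: max gap between reset and mount to correlate


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str     # "version_seen" | "password_reset" | "volume_mount" | "process_start"
    detail: str   # version banner, target account, mount target, or image path


def build_number(banner: str) -> Optional[int]:
    """Extract the numeric build from a banner such as 'SmarterMail Build 9507'."""
    m = re.search(r"Build\s+(\d+)", banner)
    return int(m.group(1)) if m else None


def is_patched(banner: str) -> bool:
    """True only when the banner carries a build at or above PATCHED_BUILD."""
    b = build_number(banner)
    return b is not None and b >= PATCHED_BUILD


def find_reset_then_mount(events, window=CHAIN_WINDOW):
    """Return (host, reset_event, mount_event) triples where an administrator
    password reset is followed by a Volume Mount on the same host within `window`."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    hits = []
    for host, evs in by_host.items():
        resets = [e for e in evs if e.kind == "password_reset" and "admin" in e.detail.lower()]
        mounts = [e for e in evs if e.kind == "volume_mount"]
        for r in resets:
            for m in mounts:
                if r.ts <= m.ts <= r.ts + window:
                    hits.append((host, r, m))
    return hits


def find_unexpected_velociraptor(events, approved_hosts=frozenset()):
    """Process starts whose image name contains 'velociraptor' on any host that is
    not an approved DFIR deployment (a mail server should never be one)."""
    return [e for e in events
            if e.kind == "process_start"
            and "velociraptor" in e.detail.lower()
            and e.host not in approved_hosts]


def triage(events, approved_hosts=frozenset()):
    """Combine the three checks into one report keyed by finding type."""
    unpatched = sorted({e.host for e in events
                        if e.kind == "version_seen" and not is_patched(e.detail)})
    return {
        "unpatched": unpatched,
        "reset_then_mount": find_reset_then_mount(events),
        "velociraptor": find_unexpected_velociraptor(events, approved_hosts),
    }


# Constructed sample feed: mail01 shows the full chain on an unpatched build,
# mail02 is patched and its reset/mount pair is neither admin nor within the window,
# dfir01 is a sanctioned Velociraptor host.
SAMPLE_EVENTS = [
    Event(datetime(2026, 2, 10, 8, 0), "mail01", "version_seen", "SmarterMail Build 9507"),
    Event(datetime(2026, 2, 10, 8, 0), "mail02", "version_seen", "SmarterMail Build 9511"),
    Event(datetime(2026, 2, 10, 9, 15), "mail01", "password_reset", "admin"),
    Event(datetime(2026, 2, 10, 9, 22), "mail01", "volume_mount", "C:\\"),
    Event(datetime(2026, 2, 10, 9, 40), "mail01", "process_start", r"C:\Windows\Temp\velociraptor.exe"),
    Event(datetime(2026, 2, 10, 10, 0), "mail02", "password_reset", "jsmith"),
    Event(datetime(2026, 2, 11, 10, 0), "mail02", "volume_mount", "D:\\"),
    Event(datetime(2026, 2, 10, 12, 0), "dfir01", "process_start", r"C:\Program Files\Velociraptor\velociraptor.exe"),
]

if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS, approved_hosts=frozenset({"dfir01"}))
    for finding, items in report.items():
        print(finding, "->", items)
```

The three checks are deliberately independent: an unpatched build is a reason to isolate the host before any attacker activity is seen, while the reset-then-mount correlation and the Velociraptor process check are the signals that the entry point has already been used. Feeding real telemetry in means writing an adapter from the mail server's audit log and EDR process events into the `Event` shape above.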