A new report from ReliaQuest has uncovered a dangerous alliance between a China-based threat actor and a known ransomware strain. The group, identified as Storm-2603, has been caught actively exploiting a critical vulnerability in SmarterMail servers to deploy “Warlock” ransomware, marking a significant escalation in attacks against email infrastructure.
The campaign centers on CVE-2026-23760, a flaw that allows attackers to bypass authentication and seize control of the server. This activity represents the first time Storm-2603 has been linked to this specific exploit as an entry point for ransomware operations.
The attack is a masterclass in “living off the land.” Once Storm-2603 exploits the vulnerability to reset administrator passwords, they don’t just stop at access. They leverage a built-in feature of the software against itself.
“Storm-2603 chains this access with the software’s built-in ‘Volume Mount’ feature to gain full system control,” the report explains.
By manipulating this legitimate administrative tool, the attackers can execute commands with high privileges. This foothold allows them to deploy Velociraptor, a powerful digital forensics tool. In a twist of irony, the attackers use this tool, designed for incident response, to maintain persistence and “set the stage” for their ransomware payload.
The danger is compounded by a second vulnerability, CVE-2026-24423, which CISA recently warned is also under active exploitation. Defenders are now facing a two-front war.
“Defenders cannot simply patch the ‘critical’ RCE bug and ignore the authentication bypass,” ReliaQuest warns. “Both pathways can lead to full system compromise, and both are being actively tested by ransomware groups right now”.
The speed of these attacks is alarming. The report notes that “Storm-2603’s patch-to-exploit speed suggests organizations’ response window is measured in days”.
To combat this threat, immediate action is required.
- Upgrade: Administrators must upgrade SmarterMail instances to Build 9511 or later immediately.
- Isolate: The mail server should be segmented from the rest of the internal network to prevent lateral movement to critical assets like domain controllers.
- Block: Strict firewall rules should be implemented to “block all other outbound traffic, specifically to cloud hosting providers or unknown IP addresses, to sever potential C2 channels”.
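The “Block” step above is an allowlist policy: every outbound connection from the mail server that is not to a known, expected destination is suspect. The following is an added example, not code from the ReliaQuest report or from SmarterTools, that evaluates constructed outbound-connection log lines against such an allowlist and flags what an egress firewall would have dropped. The log format, the IP addresses, the process names and the allowlist entries are all hypothetical sample data; a real allowlist would list the deployment’s own SMTP relay, DNS resolvers and vendor update endpoints.

```python
"""Egress allowlist check for a mail server (added example, constructed data).

Models the 'Block' mitigation: connections to destinations not on an
explicit allowlist are reported as unexpected egress.
"""
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample of outbound-connection records in a hypothetical format:
# "<timestamp> proto=<proto> src=<ip> dst=<ip> dport=<port> proc=<name>"
SAMPLE_LOG = """\
2026-02-10T09:12:01Z proto=tcp src=10.10.5.20 dst=10.10.1.53 dport=53 proc=MailService.exe
2026-02-10T09:12:03Z proto=tcp src=10.10.5.20 dst=10.10.1.25 dport=25 proc=MailService.exe
2026-02-10T09:14:45Z proto=tcp src=10.10.5.20 dst=203.0.113.77 dport=443 proc=velociraptor.exe
2026-02-10T09:15:02Z proto=tcp src=10.10.5.20 dst=198.51.100.9 dport=8000 proc=powershell.exe
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proc: str


LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proc=(?P<proc>\S+)$"
)


def parse_line(line: str):
    """Parse one record of the constructed format; return None on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proc"])


# Egress allowlist as (destination network, destination port) pairs.
# Constructed values: a real list names the site's own relay and resolvers.
ALLOWLIST = [
    (ipaddress.ip_network("10.10.1.53/32"), 53),  # internal DNS resolver
    (ipaddress.ip_network("10.10.1.25/32"), 25),  # outbound SMTP relay
]


def is_allowed(flow: Flow, allowlist=ALLOWLIST) -> bool:
    """True only if the destination and port match an allowlist entry (default deny)."""
    dst = ipaddress.ip_address(flow.dst)
    return any(dst in net and flow.dport == port for net, port in allowlist)


def find_unexpected_egress(log_text: str, allowlist=ALLOWLIST):
    """Return the flows that the allowlist does not cover, in log order."""
    flagged = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None or is_allowed(flow, allowlist):
            continue
        flagged.append(flow)
    return flagged


if __name__ == "__main__":
    for f in find_unexpected_egress(SAMPLE_LOG):
        print(f"UNEXPECTED {f.ts} {f.proc} -> {f.dst}:{f.dport}")
```

The check is deliberately default-deny: a flow is accepted only when both its destination address and port match an allowlist entry, which is the same shape as the firewall policy the report recommends. Running it over the sample reports the two connections to addresses outside the allowlist, which is exactly the traffic an egress rule set would have severed.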
As the report concludes, patching is critical, but it may not be enough if the enemy is already inside. “Because this attack abuses legitimate tools for persistence, patching alone may not remove an adversary who is already inside”.