Overview
- SmarterTools says attackers entered on January 29 via an employee-created SmarterMail VM that was not updated, then moved through Active Directory and compromised about 12 Windows servers, while Linux hosts and business applications were not affected.
- ReliaQuest links the activity to Warlock (Storm-2603) and reports the primary vector as CVE-2026-23760, even as CISA lists CVE-2026-24423 as actively exploited and some reporting still disputes the exact flaw used.
- The intruders deployed tools such as Velociraptor, SimpleHelp and vulnerable WinRAR builds, created new AD users, and typically waited 6–7 days before attempting encryption.
- SmarterTools isolated systems, shut down servers and internet access, removed Active Directory, reset passwords, restored from backups, and says SentinelOne blocked final ransomware encryption attempts.
- The company notes some customer impact, with hosted SmarterTrack users described as the most affected, and urges administrators to upgrade SmarterMail to the latest patched builds, including 9526.
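The behaviours listed above (new Active Directory accounts, remote-management tooling dropped onto servers, and a multi-day gap before encryption was attempted) are all things a defender can look for in host logs. The following is an added example and not code from SmarterTools, ReliaQuest or any vendor named here: it parses a handful of constructed Windows-style log records, flags account creations (event 4720) and new services (event 7045) whose names match the tools the report mentions, and measures the dwell time from the first such event to the first blocked encryption attempt. The log records, the `EDR_BLOCK` marker and the `REMOTE_MGMT_MARKERS` list are assumptions made for illustration; Velociraptor and SimpleHelp are legitimate products, so a match is a triage prompt, not proof of compromise.

```python
"""Triage sketch for the behaviours described in the summary: new domain
accounts, new remote-management services, and dwell time before an
encryption attempt. Added example, not SmarterTools' or ReliaQuest's code.
Event IDs 4720 (user account created) and 7045 (new service installed) are
real Windows events; the records below and the EDR_BLOCK marker are
constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Substrings of service names for tools the report says were deployed.
# Both are legitimate products; this list is an assumption, not a
# vendor-published indicator set.
REMOTE_MGMT_MARKERS = ("velociraptor", "simplehelp")

# Constructed records in the form ts|host|event_id|detail (not real telemetry).
SAMPLE_LOG = """\
2026-01-29T22:10:00|SMARTERMAIL-VM01|4624|Logon type 10 user=svc_backup
2026-01-30T01:05:00|DC01|4720|New user account created: ops_helper
2026-01-30T01:20:00|DC01|7045|Service installed: Velociraptor path=C:\\Tools\\velociraptor.exe
2026-01-31T03:40:00|FS02|7045|Service installed: SimpleHelp Remote Access
2026-02-01T09:00:00|FS02|7045|Service installed: Print Spooler
2026-02-06T01:05:00|FS02|EDR_BLOCK|Ransomware behaviour blocked by endpoint agent
"""


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: str  # kept as text so the constructed EDR_BLOCK marker fits alongside numeric IDs
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse ts|host|event_id|detail records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, detail = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), host, eid, detail))
    return events


def suspicious_events(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (reason, event) pairs worth a responder's attention:
    any new account, and any new service matching a remote-management marker."""
    hits = []
    for e in events:
        if e.event_id == "4720":
            hits.append(("new_user", e))
        elif e.event_id == "7045" and any(m in e.detail.lower() for m in REMOTE_MGMT_MARKERS):
            hits.append(("remote_mgmt_service", e))
    return hits


def affected_hosts(events: List[Event]) -> Set[str]:
    """Hosts that produced at least one suspicious event."""
    return {e.host for _, e in suspicious_events(events)}


def dwell_time(events: List[Event]) -> Optional[timedelta]:
    """Time from the first suspicious event to the first blocked encryption
    attempt, or None if either side of the window is missing."""
    hits = suspicious_events(events)
    blocks = [e for e in events if e.event_id == "EDR_BLOCK"]
    if not hits or not blocks:
        return None
    first_hit = min(e.ts for _, e in hits)
    first_block = min(e.ts for e in blocks)
    return first_block - first_hit


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for reason, e in suspicious_events(evs):
        print(f"{e.ts:%Y-%m-%d %H:%M}  {e.host:<18} {reason:<20} {e.detail}")
    print("hosts to triage:", sorted(affected_hosts(evs)))
    print("dwell before blocked encryption attempt:", dwell_time(evs))
```

On the constructed data the benign Print Spooler install is ignored, the account creation on the domain controller and the two tool installs are surfaced, and the window from the first flagged event to the blocked encryption attempt comes out at seven days. The point of reporting that window is that a multi-day dwell, as described in the summary, is time in which a 4720 or 7045 alert could have been acted on before encryption was tried.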