SparTech Software CyberPulse – Your quick strike cyber update for February 10, 2026 4:05 PM

Warlock Ransomware Breaches SmarterTools via Unpatched SmarterMail

This summary covers the Warlock ransomware gang’s breach of SmarterTools on January 29, 2026, exploiting an unpatched SmarterMail server, including technical details on the attack chain involving CVE-2026-23760 and Velociraptor deployment.

Incident Overview

SmarterTools, a provider of email and web hosting solutions, suffered a significant security breach when the Warlock ransomware group, also tracked as Storm-2603, infiltrated its network. The compromise occurred through an internet-facing SmarterMail server that had not been updated to the latest version. This vulnerability allowed initial access, which attackers then leveraged to deploy ransomware payloads across the environment.

Technical Exploitation Details

Cybersecurity firm ReliaQuest analyzed the attack and identified the abuse of CVE-2026-23760, a critical vulnerability enabling authentication bypass on affected systems. Attackers exploited this flaw to gain unauthorized access to SmarterMail instances exposed online. Following the bypass, they staged the ransomware payload by downloading a malicious MSI installer named v4.msi from Supabase, a legitimate cloud backend service commonly used for database and storage operations.

Post-Exploitation Activities

The MSI installer facilitated the deployment of Velociraptor, an open-source endpoint detection and response (EDR) tool repurposed for offensive purposes. Velociraptor provided attackers with advanced capabilities for persistence, lateral movement, and data exfiltration. Its modular architecture allowed custom artifacts to be executed, enabling comprehensive reconnaissance of the SmarterTools network, including enumeration of Active Directory structures, credential harvesting with Mimikatz-like tools, and identification of high-value targets for encryption.

Ransomware Deployment Mechanics

Warlock ransomware employs a double-extortion model, encrypting files with strong AES-256 and RSA-4096 algorithms before appending a .warlock extension. The payload includes anti-analysis techniques such as string obfuscation, dynamic API resolution, and checks for virtual machine environments to evade detection. Communication with command-and-control (C2) servers occurs over TCP port 443, masquerading as HTTPS traffic to blend with legitimate web activity. Exfiltrated data is hosted on dedicated leak sites, pressuring victims for ransom payments typically demanded in Monero cryptocurrency.

Attack Chain Reconstruction

The full attack chain begins with vulnerability scanning for exposed SmarterMail instances using tools like Shodan or Masscan. Upon identification, attackers send crafted requests exploiting CVE-2026-23760 to bypass authentication, often chaining it with weak credential spraying if partial auth is required. The MSI dropper then unpacks Velociraptor, which executes PowerShell scripts for privilege escalation, potentially abusing unpatched Windows vulnerabilities or misconfigurations like disabled UAC. Ransomware deployment follows network mapping, ensuring maximum impact before encryption locks critical systems.

Mitigation Recommendations

Organizations using SmarterMail must immediately apply patches for known vulnerabilities and segment email servers from internal networks using firewalls with strict ingress/egress rules. Implement endpoint detection rules for Velociraptor artifacts, monitor for anomalous MSI downloads from cloud services, and enforce the principle of least privilege. Regular vulnerability scanning and timely patching remain critical defenses against ransomware groups like Warlock.
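As an added illustration of the monitoring recommended above (this is example code, not tooling from SmarterTools, ReliaQuest or the Velociraptor project), the following Python detector runs three rules over constructed, Sysmon-shaped sample events: an MSI fetched from a cloud backend domain, a launch of a binary still named velociraptor, and PowerShell spawned by a child of msiexec.exe. The log format, hostnames, paths, command lines and the cloud-domain list are all assumptions.

```python
from dataclasses import dataclass

# Constructed sample telemetry, shaped loosely after Sysmon network/process events.
# Not real SmarterTools logs; the hostnames, paths and command lines are invented.
SAMPLE_LOG = r"""
2026-01-29T02:11:03Z|net|MAIL01|proc=w3wp.exe;dst=api.vendor.example;url=/v1/sync
2026-01-29T02:14:47Z|net|MAIL01|proc=powershell.exe;dst=abc123.supabase.co;url=/storage/v1/object/public/drop/v4.msi
2026-01-29T02:15:02Z|proc|MAIL01|image=msiexec.exe;parent=powershell.exe;cmd=msiexec /i C:\Windows\Temp\v4.msi /qn
2026-01-29T02:15:09Z|proc|MAIL01|image=velociraptor.exe;parent=msiexec.exe;cmd=velociraptor.exe client
2026-01-29T02:15:30Z|proc|MAIL01|image=powershell.exe;parent=velociraptor.exe;cmd=powershell -enc AAAA
2026-01-29T03:00:00Z|proc|WS07|image=msiexec.exe;parent=explorer.exe;cmd=msiexec /i installer.msi
"""

# Assumed list of cloud backend/storage domains a mail server has no business
# pulling installers from; extend it with the services your environment uses.
CLOUD_BACKEND_SUFFIXES = (".supabase.co",)

@dataclass
class Event:
    ts: str
    kind: str   # "net" or "proc"
    host: str
    f: dict     # key=value fields of the event

def parse(text):
    """Parse the constructed pipe/semicolon format into Event objects."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, host, rest = line.split("|", 3)
        events.append(Event(ts, kind, host, dict(p.split("=", 1) for p in rest.split(";"))))
    return events

def detect(text):
    """Return (timestamp, host, rule) alerts for the MSI -> Velociraptor -> PowerShell chain."""
    alerts = []
    msiexec_children = set()  # (host, image) of processes spawned by msiexec.exe
    for ev in parse(text):
        f = ev.f
        if ev.kind == "net" and f.get("url", "").lower().endswith(".msi") \
                and f.get("dst", "").lower().endswith(CLOUD_BACKEND_SUFFIXES):
            alerts.append((ev.ts, ev.host, "msi_from_cloud_backend"))
        if ev.kind == "proc":
            image, parent = f.get("image", "").lower(), f.get("parent", "").lower()
            if "velociraptor" in image:  # assumed: the dropped binary keeps its default name
                alerts.append((ev.ts, ev.host, "velociraptor_launched"))
            if parent == "msiexec.exe":
                msiexec_children.add((ev.host, image))
            if image == "powershell.exe" and (ev.host, parent) in msiexec_children:
                alerts.append((ev.ts, ev.host, "msiexec_child_spawned_powershell"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The benign WS07 install produces no alert, so the rules key on the chain rather than on msiexec.exe alone; a renamed Velociraptor binary would still be caught by the parent-child rule if it launches PowerShell.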

Microsoft Patches Six Actively Exploited Zero-Days in February 2026 Updates

Microsoft’s February 2026 Patch Tuesday addressed six zero-day vulnerabilities under active exploitation, urging immediate deployment to mitigate risks from nation-state actors and cybercriminals targeting Windows ecosystems.

Patch Tuesday Scope

The February 2026 security updates from Microsoft encompassed over 50 vulnerabilities across Windows, Office, and related components, with six classified as zero-days actively exploited in the wild. These flaws ranged from privilege escalation to remote code execution, affecting core operating system services and productivity applications.

Zero-Day Vulnerability Breakdown

Key among the zero-days was CVE-2026-21509, a Microsoft Office security feature bypass with a CVSS score of 7.8. This high-severity issue allowed unauthorized attackers to disable local security checks, enabling malicious document execution without user interaction. APT28, tracked as KTA007 or Fancy Bear, rapidly weaponized this flaw post-disclosure, incorporating it into spear-phishing campaigns targeting Ukrainian government entities via malicious RTF documents.

Exploitation by Threat Actors

Russian-aligned APT28 launched Operation Nessusloit, deploying RTF files that exploited CVE-2026-21509 to bypass Protected View and execute embedded payloads. Observed tactics included rapid zero-day adoption within 24 hours of patch release, evading antivirus through obfuscated macros and LOLBins like rundll32.exe. Additional zero-days involved kernel privilege escalations and sandbox escapes, exploited by various actors for initial access and persistence.

Technical Defense Layers

Exploitation of these zero-days typically chains with social engineering, delivering payloads via email attachments or drive-by downloads. Attackers leverage Windows API hooking bypasses and heap spraying for reliable code execution. Mitigation requires enabling Attack Surface Reduction (ASR) rules, deploying enhanced Office macro controls, and monitoring for anomalous process injections via Sysmon logging.

Dutch and EU Authorities Confirm Ivanti EPMM Zero-Day Exploitation

Critical zero-day flaws CVE-2026-1281 and CVE-2026-1340 in Ivanti Endpoint Manager Mobile (EPMM) were exploited in targeted attacks against Dutch, EU, and Finnish government systems, exposing employee data and highlighting risks to mobile device management infrastructure.

Breach Confirmations Across Europe

Dutch authorities reported compromises of the Data Protection Authority and Judicial Council systems via Ivanti EPMM flaws, leading to unauthorized access to employee names, business emails, and phone numbers. The European Commission detected an attack on its mobile device infrastructure on January 30, 2026, contained within nine hours, with potential exposure of staff contact details. Finland’s Valtori disclosed a breach affecting up to 50,000 government employees’ work data, patched on January 29 coinciding with Ivanti’s fixes.

Vulnerability Technical Analysis

CVE-2026-1281 and CVE-2026-1340, both rated CVSS 9.8, enable unauthenticated remote code execution (RCE) on EPMM appliances. These flaws reside in the web management interface, allowing attackers to craft HTTP requests bypassing authentication and injecting OS commands. Exploitation involves deserialization of untrusted input or buffer overflows, leading to shell access on the underlying Linux-based appliance.

Widespread Exploitation Patterns

Threat intelligence reveals over 600 unique IPs probing vulnerable instances, employing fingerprinting, reverse shells, and webshell deployments. Initial access brokers drop Java class loaders for persistence, signaling supply chain risks. Shadowserver identified 92 compromised systems amid a massive campaign, with over 3,700 exposed login interfaces globally, primarily in Germany and the U.S. Rapid7 noted peak activity on February 5 with 525 attempts, declining to 200 recently.

Post-Exploitation and Resilience

Compromised EPMM servers facilitate lateral movement to managed mobile devices, though no widespread device compromise was confirmed. Attackers establish C2 via DNS tunneling or HTTPS beacons, exfiltrating configuration data for further targeting. Ivanti provided IOCs and detection scripts, emphasizing rapid anomaly detection and containment so that an incident does not escalate into a crisis.

FBI Seizes RAMP Ransomware Forum

In late January 2026, the FBI seized the RAMP ransomware forum, a key Russian-language cybercrime hub, disrupting operations and potentially exposing user data to law enforcement.

Seizure Operation Details

The FBI took control of both Clearnet and Tor domains of RAMP, which positioned itself as the premier venue for ransomware discussions and negotiations. Seizure notices now display on the sites, marking a significant blow to the ransomware-as-a-service ecosystem.

Forum Significance and Impact

RAMP served as a marketplace for ransomware affiliates, leak sites, and tool sales, hosting threads on victim negotiations and exploit sharing. Its disruption severs communication channels, hindering coordination among groups like Warlock and LockBit variants. Authorities may access logs containing emails, IP addresses, and financial transactions, enabling downstream arrests.

Broader Ecosystem Effects

The takedown increases paranoia within cybercriminal communities, prompting migrations to alternative forums like XSS or Exploit.in. Historical precedents like RaidForums seizures demonstrate long-term deterrence through data analysis and international cooperation, though resilient actors quickly adapt via decentralized platforms.

KTA529 Compromises Notepad++ Infrastructure for CHRYSALIS Backdoor

Threat group KTA529, aka Lotus Blossom, infiltrated Notepad++ hosting infrastructure from June to December 2025, selectively redirecting updates to deploy the novel CHRYSALIS backdoor against targeted users.

Supply Chain Attack Mechanics

KTA529 gained access to Notepad++ servers, compromising update mechanisms to intercept traffic. Attackers selectively redirected downloads for specific victims to malicious payloads, maintaining stealth by serving legitimate updates to others. Persistence continued via stolen credentials to internal services until December 2, 2025.

CHRYSALIS Backdoor Capabilities

The undocumented CHRYSALIS backdoor establishes persistent C2 over DNS and HTTP, with modules for keylogging, screenshot capture, and file exfiltration. It employs process hollowing for injection into notepad++.exe and rootkit techniques to hide artifacts. Custom evasion includes user-agent spoofing and jittered beacons to defeat network detection.

Targeted Deployment Strategy

Hosting logs showed attackers querying for Notepad++.org, indicating reconnaissance for high-value targets. This watering-hole approach exploits trusted software updates, a tactic refined by groups like Thrip for espionage against Southeast Asian entities.
