Last week, SmarterTools confirmed that the Warlock (also known as Storm-2603) ransomware gang used an unpatched SmarterMail instance to compromise its network. According to Derek Curtis, the company's chief commercial officer, the incident occurred on January 29, 2026, when a mail server that had not been updated to the most recent version was compromised.
Curtis clarified, "We had about 30 servers/VMs with SmarterMail installed throughout our network prior to the breach." "Unfortunately, we were not aware that one virtual machine (VM) that an employee had set up was not being updated."
The breach resulted from the compromise of that mail server.
However, SmarterTools stressed that no business applications or account data were impacted or compromised, and that the breach did not impact its website, shopping cart, My Account portal, or a number of other services.
The fact that the attackers are going for the former suggests that it probably enables the malicious activity to fit in with normal administrative procedures, which helps them evade detection. "Operators may lessen the efficacy of detections tuned especially for known RCE patterns by abusing legitimate features (drive mounting and password resets) rather than depending only on one 'noisy' exploit primitive," Feminella continued.
"Ransomware operators quickly analyze vendor fixes and create functional tradecraft shortly after release, which is consistent with this pace of weaponization."
For the best protection, SmarterMail users are advised to update to the most recent version (Build 9526) immediately and to isolate mail servers to prevent the lateral movement attempts used to distribute ransomware.











