The forgotten VM that opened the door to Storm-2603: critical lessons behind the SmartTools breach

Published · 5 min read

Last week, SmartTools confirmed what several response teams had already begun to suspect: an unpatched mail server served as the entry point for the ransomware crew known as Warlock or Storm-2603. The incident, which the company dates to January 29, 2026, exploited a SmartMail instance that had not received the latest patches and allowed the attackers to move within the network.

According to SmartTools' own official statements, the initial vector was not a sophisticated chain of unknown exploits but a virtual machine that the internal update process had forgotten. This single host, set up by one employee, was left out of the patch cycle and provided the access the group's operators needed to escalate privileges and deploy malicious tooling in the environment. You can read the company's explanation on its community portal here.

Image generated with AI.

The technical account of the attack describes a tactic already seen in recent campaigns: the intruders do not move straight to encryption and a ransom demand; they stay quiet long enough to secure persistence and set the stage. SmartTools states that the attackers waited several days before taking control of the Active Directory server, creating accounts and deploying additional payloads such as Velociraptor and an encryption component. This dwell period explains why some customers detected malicious activity only after applying the patches: the initial intrusion had taken place before the update, and the payloads were activated at a later stage.

The consequences were not trivial. The company confirmed that around a dozen Windows servers on the office network and a secondary data centre used for quality-control testing were affected. The operation also hit hosted customers using SmartTrack; SmartTools noted that the problem was not a bug in SmartTrack as a product, but that those hosted platforms were more reachable from the compromised network once initial access had been obtained. SmartTools details its assessment and recommendations in another note on the Community portal, available here.

From a technical standpoint, two SmartMail vulnerabilities have drawn attention because of active exploitation. One allows authentication to be bypassed and the administrator's password to be reset by sending a crafted HTTP request; the other targets the ConnectToHub API to obtain remote code execution without authentication. The two flaws offer different paths to the same goal: control of the system. SmartTools fixed both in a later version and recommends updating to the latest release; see the release notes here.

The threat-intelligence reports that followed the incident add relevant detail on the exploitation chain. ReliaQuest, for example, described how the campaign linked to Storm-2603 abused the password-reset vulnerability to install a malicious MSI installer hosted on Supabase, which in turn deployed Velociraptor to maintain access and prepare the encryption stage. You can read their technical analysis on their blog here. In addition, the United States Cybersecurity and Infrastructure Security Agency (CISA) has already flagged active exploitation of one of these vulnerabilities, which underlines the urgency of mitigation worldwide; its Known Exploited Vulnerabilities catalog provides context on how such flaws are prioritized by risk and real-world exploitation (KEV catalog - CISA).

Beyond the malware names and CVEs, there is a very clear operational lesson: attackers are tuning their methodology to blend in with legitimate administrative traffic. Rather than relying only on noisy, alarm-triggering exploits, the campaign chains an authentication flaw with legitimate software functions, such as volume mounting, to run code and stay unnoticed. This tactic blunts many detections that look for classic exploit patterns and calls for more holistic defenses, including telemetry of administrative activity and detection of persistence tooling.

Image generated with AI.

If you manage SmartMail, the first mandatory step is to update to the version the vendor recommends as soon as possible. Updating is not a symbolic gesture: it closes vectors that are being actively weaponized. At the same time, it is essential to segregate mail servers from other critical assets, limit their Internet exposure and apply network controls that prevent lateral movement in case of compromise. Monitoring Active Directory and hunting for persistence mechanisms, for example services, scheduled tasks or unusual binaries such as Velociraptor, must be part of any rapid response. And because the intrusion can predate the patch, as it did here, that hunt has to cover the period before the update was applied, not only what happened afterwards.
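As an added example (not code from the original article, nor from SmartTools, ReliaQuest or CISA), the following Python script runs the hunt described above over a handful of constructed Windows event records: a network logon to the domain controller from the compromised mail server's address, a new account created on the DC, a service pointing at a Velociraptor binary and a scheduled task launching from a temp directory. The host names, IP address, event field layout, trusted-path list and dual-use tool list are all assumptions for illustration. What it shows is the article's timeline point: the earliest attacker activity sits before the patch date, so a hunt scoped to "after we patched" would miss it.

```python
from datetime import datetime

# Assumed lists: extend with the dual-use tooling and install paths of your own estate.
DUAL_USE_TOOLS = ("velociraptor",)
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\system32")

# Constructed sample events (not real telemetry), shaped like Windows Security/System
# log records: 4624 logon, 4720 user created, 7045 service installed, 4698 task created.
SAMPLE_EVENTS = [
    {"id": 7045, "time": "2026-01-20T09:00:00", "host": "FS01",
     "data": {"service": "BackupAgent", "image": "C:\\Program Files\\BackupAgent\\agent.exe"}},
    {"id": 4720, "time": "2026-01-27T10:05:00", "host": "DC01",
     "data": {"new_user": "contractor7", "actor": "jdoe"}},
    {"id": 4624, "time": "2026-01-29T02:14:00", "host": "DC01",
     "data": {"user": "svc_mail", "src_ip": "10.20.0.15", "logon_type": 3}},
    {"id": 4720, "time": "2026-02-02T03:40:00", "host": "DC01",
     "data": {"new_user": "adm_backup2", "actor": "svc_mail"}},
    {"id": 7045, "time": "2026-02-02T03:52:00", "host": "DC01",
     "data": {"service": "Velociraptor", "image": "C:\\ProgramData\\Velociraptor\\velociraptor.exe"}},
    {"id": 4698, "time": "2026-02-02T04:01:00", "host": "QA-SRV03",
     "data": {"task": "\\Microsoft\\Windows\\Maint\\Update", "command": "C:\\Windows\\Temp\\v.exe"}},
]


def _untrusted_path(path: str) -> bool:
    """Binaries launched from outside the usual install locations deserve a look."""
    return not path.lower().startswith(TRUSTED_PREFIXES)


def classify(ev, compromised_ips, approved_admins):
    """Return (category, description) if the event is a hunt hit, else None."""
    d = ev["data"]
    if ev["id"] == 4624 and d["logon_type"] == 3 and d["src_ip"] in compromised_ips:
        # A mail server has no business logging on to the DC over the network.
        return "access", f"network logon from compromised host {d['src_ip']} as {d['user']}"
    if ev["id"] == 4720 and d["actor"] not in approved_admins:
        return "persistence", f"account {d['new_user']} created by {d['actor']}"
    if ev["id"] == 7045:
        name_and_image = (d["service"] + " " + d["image"]).lower()
        if any(t in name_and_image for t in DUAL_USE_TOOLS) or _untrusted_path(d["image"]):
            return "persistence", f"service {d['service']} -> {d['image']}"
    if ev["id"] == 4698 and _untrusted_path(d["command"]):
        return "persistence", f"scheduled task {d['task']} -> {d['command']}"
    return None


def hunt(events, patch_applied: str, compromised_ips, approved_admins=frozenset()):
    """Correlate hits into a timeline and compare it with the date the patch went in."""
    findings = []
    for ev in events:
        hit = classify(ev, compromised_ips, approved_admins)
        if hit:
            findings.append((datetime.fromisoformat(ev["time"]), ev["host"], hit[0], hit[1]))
    findings.sort()
    access = [f[0] for f in findings if f[2] == "access"]
    staged = [f[0] for f in findings if f[2] == "persistence"]
    first_access = access[0] if access else (staged[0] if staged else None)
    first_payload = staged[0] if staged else None
    return {
        "findings": findings,
        "first_access": first_access,
        "first_payload": first_payload,
        "dwell_days": (first_payload - first_access).days if first_access and first_payload else None,
        "predates_patch": first_access is not None
        and first_access < datetime.fromisoformat(patch_applied),
    }


def run_sample():
    # Assumed context: patch applied 2026-02-01, mail VM at 10.20.0.15, jdoe is an approved admin.
    return hunt(SAMPLE_EVENTS, "2026-02-01", {"10.20.0.15"}, frozenset({"jdoe"}))


if __name__ == "__main__":
    result = run_sample()
    for t, host, category, desc in result["findings"]:
        print(f"{t:%Y-%m-%d %H:%M}  {host:<9} {category:<12} {desc}")
    print("intrusion predates patch:", result["predates_patch"],
          "| days between first access and first payload:", result["dwell_days"])
```

On the sample data the first hit is the network logon from the mail VM on January 29, three days before the assumed patch date, while the account, service and task all land on February 2: the four-day gap between the two is the dwell period the article describes, and it is why the hunt window must start before the patch, not at it.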

Finally, it is not wise to rest on the laurels of reassuring statements: although SmartTools has said that its website, the purchasing gateway, the account portal and certain services were not compromised, the incident shows how a single forgotten VM can affect connected systems and customers. The best defense remains a combination of hygiene (patching, segmentation, offline backups), honest monitoring for intrusion signals, and response plans to contain and eradicate actors who have already gained access. For those who want to dig deeper into how these vulnerabilities are being exploited and what to look for in compromised environments, the ReliaQuest analyses and the advisories from vendors and agencies such as CISA are recommended reading.
