{"id":231063,"date":"2026-02-11T01:30:53","date_gmt":"2026-02-11T07:30:53","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/02\/warlock-ransomware-breaches-smartertools-through-unpatched-smartermail-server"},"modified":"2026-02-11T01:30:53","modified_gmt":"2026-02-11T07:30:53","slug":"warlock-ransomware-breaches-smartertools-through-unpatched-smartermail-server","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/02\/warlock-ransomware-breaches-smartertools-through-unpatched-smartermail-server","title":{"rendered":"Warlock Ransomware Breaches SmarterTools Through Unpatched SmarterMail Server"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/warlock-ransomware-breaches-smartertools-through-unpatched-smartermail-server.jpg\"><\/a><\/p>\n<p>The fact that the attackers are pursuing the former method is an indication that it likely allows the malicious activity to blend in with typical administrative workflows, helping them avoid detection.<\/p>\n<p>\u201cBy abusing legitimate features (password resets and drive mounting) instead of relying solely on a single \u2018noisy\u2019 exploit primitive, operators may reduce the effectiveness of detections tuned specifically for known RCE patterns,\u201d Feminella added. \u201cThis pace of weaponization is consistent with ransomware operators rapidly analyzing vendor fixes and developing working tradecraft shortly after release.\u201d<\/p>\n<p>When reached for comment about the Warlock ransomware activity targeting SmarterTools, ReliaQuest told The Hacker News that it observed the attackers exploiting CVE-2026\u201323760 on unpatched systems running versions prior to Build 9,511 shortly after the patch was released.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The fact that the attackers are pursuing the former method is an indication that it likely allows the malicious activity to blend in with typical administrative workflows, helping them avoid detection. \u201cBy abusing legitimate features (password resets and drive mounting) instead of relying solely on a single \u2018noisy\u2019 exploit primitive, operators may reduce the effectiveness [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-231063","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/231063","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=231063"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/231063\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=231063"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=231063"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=231063"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}