Ransomware operators abuse legitimate remote administration tools and exploit SmarterMail flaws for initial access and persistence
Ransomware activity is increasingly blending into normal IT operations by combining exploitation of internet-facing software with the use of legitimate remote access and monitoring tools. Huntress reported multiple intrusions tied to the Crazy ransomware gang where attackers deployed Net Monitor for Employees Professional and the SimpleHelp remote support client to maintain persistence, evade detection, and stage for ransomware deployment. The actors installed the monitoring agent via msiexec.exe directly from the vendor site, then used it for interactive control (desktop viewing, file transfer, command execution); they also added redundant access by installing SimpleHelp via PowerShell and disguising binaries with benign-looking names (e.g., vshost.exe) and paths such as C:\ProgramData\OneDriveSvc\OneDriveSvc.exe.
In parallel, ransomware groups have been observed actively exploiting recently patched SmarterTools SmarterMail vulnerabilities that enable unauthenticated compromise of mail servers. SC Media reported that CISA added CVE-2026-24423 to the KEV catalog after it was linked to ransomware campaigns; the flaw enables unauthenticated RCE via SmarterMail’s ConnectToHub API by delivering a malicious OS command from a remote server. A second issue, CVE-2026-23760, allows authentication bypass through the password reset API (force-reset-password) by not validating the old password; ReliaQuest attributed active exploitation of this weakness to a China-based actor tracked as Storm-2603, which reportedly chained the bypass with SmarterMail’s Volume Mount feature to reach RCE, activity assessed as staging consistent with Warlock ransomware operations (even when ransomware was not yet deployed).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Huntress links multiple intrusions to the same Crazy ransomware operator
Huntress assessed that the same operator likely conducted the observed incidents based on a reused filename and overlapping command-and-control infrastructure. Only one of the investigated incidents ultimately resulted in Crazy ransomware deployment.
Crazy ransomware actor attempts defense evasion and account manipulation
Huntress observed the actor trying to enable the local Windows Administrator account and disable Microsoft Defender by stopping and deleting related services. These actions were part of preparing victim environments for ransomware deployment and possible cryptocurrency theft.
Crazy ransomware actor deploys remote admin tools for stealthy persistence
In the observed intrusions, the attacker installed Net Monitor for Employees Professional and the SimpleHelp remote access client, disguising some binaries and paths to resemble legitimate software. The tools provided interactive control, file transfer, and command execution while blending in with normal administration.
Crazy ransomware operator breaches networks using stolen SSL VPN credentials
Huntress reported multiple intrusions attributed to a member of the Crazy ransomware gang that began with compromised SSL VPN credentials. The actor used the access to establish footholds in corporate environments and prepare follow-on malicious activity.
CISA adds CVE-2026-24423 to the KEV catalog after active exploitation
CISA added SmarterMail vulnerability CVE-2026-24423 to its Known Exploited Vulnerabilities catalog after observing it being actively exploited in ransomware campaigns. The flaw allows OS command execution from a remote server through the ConnectToHub API.
Attackers scan SmarterMail ConnectToHub API for CVE-2026-24423 exploitation
ReliaQuest also observed suspicious ConnectToHub API calls indicating scanning or attempted exploitation of CVE-2026-24423, potentially by a different threat actor than Storm-2603. The activity suggested broader interest in the newly patched SmarterMail vulnerabilities.
Storm-2603 exploits SmarterMail flaw and stages for Warlock ransomware
ReliaQuest observed a China-based ransomware actor tracked as Storm-2603 exploiting CVE-2026-23760, abusing SmarterMail's Volume Mount feature to escalate to remote code execution, and installing Velociraptor via an MSI hosted on Supabase. The activity was assessed as consistent with staging for Warlock ransomware deployment.
SmarterTools patches two critical SmarterMail vulnerabilities
SmarterTools recently patched two critical SmarterMail flaws: CVE-2026-23760, an authentication bypass in the password reset endpoint, and CVE-2026-24423, which can enable unauthenticated remote code execution via the ConnectToHub API. Defenders were advised to upgrade to SmarterMail Build 9511.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Attackers Abuse RMM Tools and Bomgar RCE to Breach MSPs and Deploy Ransomware
Threat actors increasingly abused legitimate remote monitoring and management (RMM) software for initial access, persistence, credential theft, and defense evasion, with Huntress reporting that RMM abuse accounted for 24% of incidents it observed and surged 277% over the prior year. Campaigns used signed tools including **Action1**, **ScreenConnect**, **HeartbeatRM**, **AnyDesk**, **Atera**, and **SimpleHelp**, often chaining multiple products together to fragment telemetry and complicate containment. Delivery methods included phishing lures themed around the Social Security Administration and invitations, GitHub-hosted payloads, Cloudflare-protected sites, Windows-only filtering, and mobile-only credential harvesting pages; Huntress also observed low-maturity operators using LLM-generated scripts, VPS infrastructure, proxy tooling, combo lists, and utilities designed to hide RMM software from uninstall lists. Huntress also linked a sustained rise in compromises involving **Bomgar** instances to exploitation of **`CVE-2026-1731`**, a critical remote code execution flaw in BeyondTrust products, with attackers targeting outdated deployments to access victim networks and pivot into downstream customer environments. Reported incidents hit MSPs and software providers, including a ransomware attack affecting three downstream companies and another MSP breach that forced the isolation of 78 businesses while attackers moved into four customer environments. In affected networks, intruders created privileged accounts, added users to **Domain Admins**, ran reconnaissance with **NetScan** and **`nltest.exe`**, deployed suspicious drivers such as **PoisonX.sys** and **HRSword.exe**, and in several cases launched **LockBit** or a likely leaked-builder variant, underscoring the need to patch BeyondTrust systems, tightly govern trial and remote-access tooling, and monitor for unauthorized RMM activity.
Apr 30, 2026
SmarterTools Breach via Unpatched SmarterMail Server Leading to Warlock Ransomware Attempt
**SmarterTools** confirmed it was breached after attackers exploited an unpatched instance of its *SmarterMail* email server inside the company’s environment. COO Derek Curtis said the intrusion occurred on **January 29, 2026**, when an employee-created VM running SmarterMail was not being updated; attackers used it as an entry point, then moved laterally across roughly **30 SmarterMail servers/VMs** spanning the office network and a datacenter used for quality-control labs. The incident disrupted the company’s **Portal** support center, but SmarterTools said segmentation limited broader impact and that security tooling blocked the ransomware encryption attempt. Reporting attributes the activity to the **Warlock ransomware** operation (also linked in some tracking to **Gold Salem**). SmarterTools did not publicly name the exploited flaw, but coverage points to **CVE-2026-24423**—a *SmarterMail* **authentication bypass** that can enable **admin password resets**—as the most likely initial vector; it was disclosed by **watchTowr Labs**, patched on **January 15**, and later added to **CISA KEV** with an “**Exploited in ransomware attacks**” designation. SmarterTools stated that only a subset of **Windows** systems appeared impacted (with **Linux** servers unaffected), and that business applications/account data were not compromised; post-incident actions included removing Windows from networks, discontinuing **Active Directory**, restoring some systems from recent backups, and rotating passwords.
Mar 21, 2026
Ransomware and initial-access tradecraft evolves with new evasion and extortion techniques
Reporting and research published in mid-January 2026 highlights continued **high ransomware activity** and rapid evolution in initial-access and evasion tradecraft. A Symantec/Carbon Black Threat Hunter Team study cited by *Help Net Security* reports ransomware actors claimed **4,737 attacks in 2025**, with only brief slowdowns after major disruptions; the abrupt April 2025 shutdown of **RansomHub** was followed by affiliates quickly shifting to other operations, while **LockBit** failed to recover after late-2024 law-enforcement action. The same reporting notes a broader shift toward **extortion models that don’t rely on encryption**, emphasizing data theft and coercion as groups diversify pressure tactics. Multiple technical reports describe how attackers are improving delivery and resilience. *BleepingComputer* says **Gootloader** now uses heavily malformed ZIP files—concatenating **500–1,000** ZIP archives and manipulating ZIP structures (e.g., truncated `EOCD`)—to crash or defeat common analysis tools while still extracting via Windows’ default utility, supporting its role as an initial-access vector often preceding ransomware. *The Register* reports **DeadLock** ransomware uses **Polygon smart contracts** to frequently rotate proxy infrastructure for victim communications (via an HTML wrapper pointing victims to the *Session* messenger), complicating blocking and takedown efforts; Group-IB notes DeadLock also departs from typical double-extortion by lacking a public data-leak site and instead threatening underground data sales. Separately, Microsoft-observed phishing described by *KnowBe4* shows threat actors exploiting **email routing/spoofing misconfigurations** to make phishing appear internal (often leveraging **Tycoon2FA**), while ReliaQuest’s trend report and a separate write-up on **CastleLoader** describe human-driven initial access (spearphishing/drive-by) and social-engineering lures such as **ClickFix** being used to stage loaders and follow-on payloads—underscoring that access-broker and loader ecosystems continue to feed ransomware and broader intrusion activity.
Mar 21, 2026