Storm-2603 Exploits CVE-2026-23760 to Stage Warlock Ransomware
ID: 338c8a39-7477-5ffe-87c0-bdb6537987bb
STIX ID: report--338c8a39-7477-5ffe-87c0-bdb6537987bb
Feed Name: ReliaQuest Blog
ReliaQuest observed active exploitation of SmarterMail CVE-2026-23760, attributed to Storm-2603. The attackers bypassed authentication via the password-reset API, abused the application’s Volume Mount feature to gain OS execution, and staged Warlock ransomware by installing Velociraptor for persistent C2. The report includes IOCs, observed infrastructure, and recommended mitigations (upgrade to Build 9511+, isolate mail servers, restrict outbound traffic).
