SmarterMail initial-access ransomware campaign with delayed encryption
Campaign
Summary
A SmarterMail ransomware campaign is using newly disclosed email-server flaws for initial access and delaying encryption, raising the risk that exposed mail systems become footholds into internal networks. The operation matters because the same weaknesses are being weaponized quickly across Internet-facing servers, shrinking the window for defenders. Underground sharing of PoC exploits and stolen credentials is accelerating exploitation, and some activity is being tied to the Warlock ransomware group. CISA later confirmed active ransomware exploitation by adding CVE-2026-24423 to the KEV catalog.
Related Happenings
Trellix hit by network compromise
Incident
First: 02.05.2026 09:41
Last: 02.05.2026 09:41
Sources 1
About this happening:
**Trellix** confirmed a **breach** that gave attackers **unauthorized access** to a **portion of its source code**, creating potential security and intellectual-property risk. The...
Latest development: 08.05.2026 16:23
RansomHouse claimed responsibility for the Trellix source code repository breach, posted screenshots from Trellix's appliance management system as proof, and said the intrusion occurred on April 17 and resulted in data encryption.
Storm-1175 high-velocity zero-day and N-day intrusion campaign
Campaign
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity intrusion campaign** that chains **zero-day** and **N-day vulnerabilities** to gain initial access to exposed systems, raising the risk...
Pay2Key ransomware campaign accelerated by US-Iran tensions
Campaign
First: 26.03.2026 12:45
Last: 26.03.2026 12:45
Sources 1
About this happening:
Pay2Key's ransomware operation appears to have accelerated amid **recent US-Iran tensions**, indicating an active campaign with broader victimization risk. The group has been acti...
Pay2Key ransomware activity with enhanced evasion and anti-forensics
Malware Activity
First: 26.03.2026 12:45
Last: 26.03.2026 12:45
Sources 1
About this happening:
**Pay2Key** has re-emerged as a **ransomware** threat with enhanced **evasion, execution and anti-forensics** capabilities, increasing the difficulty of detection and response. Th...
Latest development: 31.03.2026 16:31
Iran has revived Pay2Key by recruiting affiliates from Russian cybercriminal forums and positioning the ransomware operation as a punitive arm of the Iranian state against high-impact US targets. KELA says the activity blends ransomware, pseudo-ransomware, and destructive wiper-like behavior, and that Iran-backed APT Agrius is also using Apostle malware, retrofitted from a data wiper into a ransomware variant, to obscure geopolitical motives.
Beast ransomware group’s RaaS model and shared TTPs exposed through an open server
Threat Actor Meta
First: 20.03.2026 18:31
Last: 20.03.2026 18:31
Sources 1
About this happening:
An exposed **Beast ransomware group** server now shows its **RaaS operating model** and reusable toolset, complicating attribution across ransomware crews. The recovered materials...
Timeline
- 18.02.2026 18:27 · 2 articles · 3mo ago
SmarterMail initial-access ransomware campaign with delayed encryption
Initial Disclosure: Initial access activity began as underground channels quickly shared **PoC exploits**, stolen admin credentials, and offensive tools for **CVE-2026-24423** and **CVE-2026-23760**. The first phase centered on probing exposed **SmarterMail** servers before ransomware operators staged follow-on access and payload deployment.
- Telegram channels expose rapid weaponization of SmarterMail flaws — www.bleepingcomputer.com — 18.02.2026 18:27