SmarterMail Authentication Bypass Enables Admin Takeover and Remote Code Execution
An authentication bypass vulnerability in SmarterTools SmarterMail, tracked as CVE-2026-23760, is being actively exploited in the wild to hijack administrator accounts and achieve remote code execution. The flaw resides in the unauthenticated force-reset-password API endpoint, which accepts attacker-controlled JSON input and allows the system administrator password to be reset without validating the existing password. By setting the IsSysAdmin parameter to true and supplying a known or guessed admin username, unauthenticated attackers can reset privileged credentials and obtain full administrative access. Evidence from WatchTowr and Huntress indicates that exploitation began within 48 hours of the January 15, 2026, patch release, strongly suggesting that attackers reverse-engineered the fix. SmarterMail is widely deployed among MSPs, SMBs, and hosting providers, increasing the operational risk. Following account takeover, attackers have leveraged built-in SmarterMail administrative features to execute operating system commands, resulting in SYSTEM-level remote code execution. Huntress observed automated exploitation chains in which attackers reset admin credentials, authenticated via the API, created malicious System Events, triggered them by adding and removing domains to execute reconnaissance commands, and then cleaned up to reduce forensic artifacts. Exploitation activity has been observed alongside continued abuse of CVE-2025-52691, a separate pre-authentication RCE flaw, indicating sustained targeting of SmarterMail environments. Organizations running SmarterMail versions prior to Build 9511 should assume exposure, immediately apply updates, rotate administrative credentials, and review logs for indicators, including suspicious force-reset-password requests, unexpected admin logins, and unauthorized System Event creation.
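Reviewing logs for the indicators listed above, as an added example that is not part of this report or of SmarterTools' own tooling: it parses constructed access-log lines and scores each client IP against the reported chain (sysadmin password reset, then login, then System Event creation). The log line format, the endpoint paths and every field name other than force-reset-password and IsSysAdmin are assumptions.

```python
# Added example, not from the advisory; format, paths and fields beyond "force-reset-password"/"IsSysAdmin" are assumed.
import json
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (.*)$")
SEVERITY = {0: "medium", 1: "high", 2: "high", 3: "critical"}
# Constructed sample lines: "<client_ip> <method> <path> <status> <json body or ->"
SAMPLE_LOG = """\
203.0.113.7 POST /api/v1/auth/force-reset-password 200 {"Username":"admin","IsSysAdmin":true,"NewPassword":"Pw1!"}
203.0.113.7 POST /api/v1/auth/authenticate-user 200 {"Username":"admin"}
203.0.113.7 POST /api/v1/settings/sysadmin/system-events 200 {"Name":"recon"}
198.51.100.4 POST /api/v1/auth/authenticate-user 200 {"Username":"alice"}
198.51.100.9 POST /api/v1/auth/force-reset-password 200 {"Username":"bob","IsSysAdmin":false}
203.0.113.7 GET /api/v1/auth/force-reset-password 405 -"""

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status, body = m.groups()
    try:
        payload = json.loads(body) if body.startswith("{") else {}
    except json.JSONDecodeError:  # a malformed body still yields a record
        payload = {}
    return {"ip": ip, "method": method, "path": path, "status": int(status), "body": payload}

def triage(log_text):
    """Return {ip: (severity, indicators)}; chain is sysadmin reset -> login -> System Event."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["method"] == "POST" and rec["status"] < 400:  # only successful POSTs matter
            per_ip[rec["ip"]].append(rec)
    results = {}
    for ip, recs in per_ip.items():
        indicators, stage = [], 0
        for r in recs:
            if "force-reset-password" in r["path"]:
                sysadmin = r["body"].get("IsSysAdmin") is True  # sysadmin credential reset
                indicators.append("sysadmin-force-reset" if sysadmin else "force-reset")
                stage = max(stage, 1) if sysadmin else stage
            elif "authenticate-user" in r["path"] and stage == 1:
                stage = 2
                indicators.append("login-after-reset")
            elif "system-events" in r["path"] and stage == 2:
                stage = 3
                indicators.append("system-event-created")
        if indicators:
            results[ip] = (SEVERITY[stage], indicators)
    return results
```

A single force-reset-password request is already worth a look; the full three-stage sequence from one client is the automated takeover chain the reporting describes.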
KONNI Uses AI-Generated PowerShell Backdoor in Developer-Focused Phishing Campaign
Check Point Research identified an active phishing campaign attributed to KONNI, a North Korea–aligned threat actor historically focused on South Korean diplomatic, government, and academic targets. In this operation, KONNI expands its targeting to software developers and engineering teams, particularly those involved in blockchain and cryptocurrency projects, with observed activity linked to victims in Japan, Australia, and India. The campaign delivers weaponized ZIP archives containing lure documents and malicious LNK files that execute a multi-stage infection chain built around PowerShell, batch scripts, and UAC bypass techniques. The lures are convincingly crafted as legitimate project documentation, suggesting an access-driven objective aimed at compromising development environments and downstream infrastructure rather than individual user data. A notable evolution in this campaign is the deployment of an AI-generated PowerShell backdoor, as evidenced by unusually polished documentation, a modular code structure, and instructional placeholder comments characteristic of LLM-generated scripts. The backdoor includes extensive anti-analysis checks, host fingerprinting, privilege escalation via fodhelper abuse, Defender exclusions, scheduled-task persistence, and C2 communication protected by a JavaScript-based challenge mechanism. In higher-privilege contexts, the malware deploys SimpleHelp, a legitimate RMM tool, indicating intent for long-term interactive access. While KONNI’s delivery and staging remain consistent with its historical tradecraft, the adoption of AI-assisted tooling and the shift toward developer and blockchain-adjacent targets highlight the group’s continued operational maturation and adaptation.
Osiris Ransomware Emerges with TTP Overlap Linked to Inc and Medusa Ecosystems
Security researchers identified a new ransomware family, Osiris, deployed in an attack against a major food service franchisee in Southeast Asia. Despite sharing a name with a legacy Locky variant from 2016, Osiris is a distinct and newly developed ransomware strain with no technical lineage to prior families. The operators behind Osiris remain unidentified, but multiple tactical overlaps suggest the involvement of experienced ransomware actors, potentially including former Inc ransomware affiliates. These overlaps include pre-encryption data exfiltration to Wasabi cloud storage, the reuse of Mimikatz under the filename “kaz[.]exe”, and extensive use of living-off-the-land and dual-use tooling. The campaign demonstrates disciplined pre-positioning, indicating a mature intrusion workflow rather than opportunistic deployment. The attack chain relied heavily on defense evasion and operational security techniques. Attackers leveraged BYOVD tactics using the Poortry (Abyssworker) kernel driver, masquerading as a legitimate Malwarebytes driver, to disable endpoint security controls. Poortry has previously been associated with Medusa ransomware campaigns, reinforcing the possibility of shared tooling or cross-pollination between ransomware ecosystems. Additional tools included Rclone for data theft, Netscan and Netexec for network reconnaissance, KillAV for security termination, and a customized RustDesk RMM implant disguised as “WinZip Remote Desktop” to maintain access. Osiris itself implements a hybrid ECC + AES-128-CTR encryption scheme, supports partial or full encryption modes, aggressively terminates backup and database services, deletes VSS snapshots, and drops a ransom note directing victims to a negotiation portal. While Osiris is newly observed, its tooling choices, infrastructure patterns, and execution discipline strongly suggest it is being wielded by seasoned operators rather than a novice ransomware group.
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.