A Türkiye-affiliated threat actor tracked as Marbled Dust has been exploiting a zero-day vulnerability in Output Messenger, an enterprise communication tool from the Indian vendor Srimax, in a covert cyber espionage campaign running since April 2024. According to a new report from Microsoft Threat Intelligence, the attacks have primarily targeted individuals linked to Kurdish military operations in Iraq.
The exploited flaw, CVE-2025-27920, is a directory traversal vulnerability in Output Messenger version 2.0.62 that allows an authenticated attacker to access or execute files outside the intended directory on the server. Srimax fixed it in December 2024 with version 2.0.63, but the release made no mention of the bug being exploited in active attacks, even though Microsoft's findings show it had been under attack for months by then.
Microsoft believes the threat actor first conducted reconnaissance to identify organizations using Output Messenger, then exploited the flaw to drop backdoors and exfiltrate sensitive data. Victims were observed in Iraq, and network evidence tied the activity to IP addresses and domains previously attributed to Marbled Dust.
A Closer Look at the Exploit Chain
The vulnerability requires authentication, so the chain starts with credentials. Once the attackers have valid access to the Output Messenger Server Manager interface, typically by intercepting credentials via DNS hijacking or typosquatted domains, they use CVE-2025-27920 to write files onto the server and deploy custom malware components:
- OM.vbs and OMServerService.vbs: VBScript files dropped into the server's startup folder so they run automatically, giving the attackers persistence and a launcher for the main payload.
- OMServerService.exe: a Golang-based backdoor placed in the Users\Public\Videos directory that connects to the attacker-controlled domain api.wordinfos[.]com.
The payloads are designed to collect credentials, monitor server activity, and maintain persistent access to compromised infrastructure.
On the client side, the Output Messenger client installer used in the campaign drops two files:
- The legitimate OutputMessenger.exe application.
- A second Golang backdoor OMClientService.exe, which connects to the same C2 domain.
Once executed, the backdoor checks connectivity to the C2 and then sends system identifiers such as the hostname. Whatever the server returns is handed straight to the Windows command interpreter via cmd /c, giving the operators arbitrary command execution on the compromised host.
Tactical Evolution of Marbled Dust
Marbled Dust, also tracked as Sea Turtle, Cosmic Wolf, and UNC1326, has been active since at least 2017, with a track record of cyberattacks across the Middle East and North Africa. Their previous campaigns have targeted telecoms, ISPs, media outlets, and Kurdish websites, often relying on credential theft and DNS manipulation.
What sets this campaign apart is the use of a zero-day vulnerability, a notable step up in technical sophistication for a group that has historically relied on credential theft and DNS manipulation. Microsoft says the shift suggests either a broadened operational priority or an increase in urgency and resourcing, marking a concerning evolution in Marbled Dust's tactics.
Microsoft also discovered a second vulnerability in the same version of Output Messenger, a reflected cross-site scripting (XSS) flaw tracked as CVE-2025-27921. So far there is no evidence that this bug has been used in real-world attacks.
Implications for Enterprises and Messaging Platforms
This campaign underscores the growing trend of exploiting enterprise communication platforms to conduct espionage, especially in politically sensitive regions. It also raises questions about supply chain security and the speed of disclosure from software vendors. Srimax’s decision to patch the flaw without public acknowledgment of its exploitation may have delayed detection and mitigation efforts in targeted regions.
Organizations using Output Messenger should immediately:
- Upgrade the server and clients to version 2.0.63 or later
- Audit Server Manager access and rotate its credentials, since exploitation requires authentication and the group is known to intercept credentials
- Check the server's startup folder for OM.vbs and OMServerService.vbs, and the Users\Public\Videos directory for OMServerService.exe or OMClientService.exe
- Monitor DNS queries and outbound connections for api.wordinfos[.]com and other domains attributed to Marbled Dust
- Review logs for unusual file execution, in particular cmd.exe spawned by the Output Messenger processes, and for credential access attempts
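The hunting steps above can be scripted against exported endpoint telemetry. The following is an added example, not code from Microsoft's report or from Srimax: it applies a small set of detections derived from the artifacts the article describes (the two VBScript files in a startup folder, the Golang backdoors under Users\Public\Videos, cmd /c children of those backdoors, and DNS lookups or connections to api.wordinfos[.]com) to JSON-lines events. The event schema and the sample events are constructed for illustration and are assumptions; map the field names to whatever your EDR or Sysmon export actually produces.

```python
"""Hunt for the Marbled Dust / CVE-2025-27920 artifacts described in the article
in exported endpoint telemetry.

Added example; not code from Microsoft's report or from Srimax. The JSON-lines
event shape (type, path, image, parent_image, command_line, query, dest_host)
is an assumption modelled loosely on Sysmon fields.
"""
import json
import re
from typing import Iterable, List, Optional, Tuple

# Indicators taken from the report as summarised in the article. The C2 domain
# is defanged in the text; the matcher needs the real string.
C2_DOMAIN = "api.wordinfos.com"
DROPPED_FILES = {"om.vbs", "omserverservice.vbs", "omserverservice.exe", "omclientservice.exe"}
BACKDOOR_IMAGES = {"omserverservice.exe", "omclientservice.exe"}

# The report places the VBS droppers in the server's "startup folder" without
# giving a full path, so match any directory named Startup (the Windows
# per-user and all-users Startup folders included).
STARTUP_RE = re.compile(r"\\startup\\", re.IGNORECASE)
PUBLIC_VIDEOS_RE = re.compile(r"\\users\\public\\videos\\", re.IGNORECASE)


def _win_path(path: str) -> str:
    """Normalise separators so the regexes work on either slash style."""
    return path.replace("/", "\\")


def _basename(path: str) -> str:
    """Lower-cased final path component."""
    return _win_path(path).rsplit("\\", 1)[-1].lower()


def _norm_host(name: str) -> str:
    return name.lower().rstrip(".")


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one telemetry event, or None if nothing matched."""
    kind = event.get("type")
    if kind == "file_create":
        path = _win_path(event.get("path", ""))
        name = _basename(path)
        in_suspect_dir = bool(STARTUP_RE.search(path) or PUBLIC_VIDEOS_RE.search(path))
        if name in DROPPED_FILES and in_suspect_dir:
            return f"dropped_payload:{name}"
        if name.endswith(".vbs") and STARTUP_RE.search(path):
            # Any other script landing in a startup folder deserves a look too.
            return "vbs_in_startup"
    elif kind == "process_create":
        parent = _basename(event.get("parent_image", ""))
        image = _basename(event.get("image", ""))
        args = event.get("command_line", "").lower().split()
        # The backdoors hand the C2 response to cmd /c; a shell child of
        # either backdoor binary is the behavioural signal.
        if parent in BACKDOOR_IMAGES and image == "cmd.exe" and "/c" in args:
            return f"c2_command_exec:{parent}"
    elif kind == "dns_query":
        q = _norm_host(event.get("query", ""))
        if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
            return "c2_dns_lookup"
    elif kind == "network_connect":
        if _norm_host(event.get("dest_host", "")) == C2_DOMAIN:
            return "c2_connection"
    return None


def hunt(lines: Iterable[str]) -> List[Tuple[str, str, dict]]:
    """Apply classify() to JSON-lines telemetry; return (host, label, event) per hit."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        label = classify(event)
        if label:
            findings.append((event.get("host", "?"), label, event))
    return findings


# Constructed sample telemetry so the script runs stand-alone; not real victim data.
SAMPLE_EVENTS = [
    r'{"host":"om-srv01","type":"file_create","path":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OMServerService.vbs"}',
    r'{"host":"om-srv01","type":"file_create","path":"C:\\Users\\Public\\Videos\\OMServerService.exe"}',
    r'{"host":"ws-17","type":"process_create","parent_image":"C:\\Users\\Public\\Videos\\OMClientService.exe","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c whoami"}',
    r'{"host":"ws-17","type":"dns_query","query":"api.wordinfos.com"}',
    r'{"host":"ws-17","type":"process_create","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Output Messenger\\OutputMessenger.exe","command_line":"OutputMessenger.exe"}',
    r'{"host":"ws-22","type":"file_create","path":"C:\\Users\\Public\\Videos\\holiday.mp4"}',
]

if __name__ == "__main__":
    for host, label, _ in hunt(SAMPLE_EVENTS):
        print(f"{host:10} {label}")
```

The file-name and domain matches are brittle by design and will be trivially evaded once the actor renames its binaries; the process-lineage rule (a cmd.exe child of the backdoor image) and the "script in a startup folder" rule carry over to renamed samples, and a production version should key on file hashes and the actor's wider infrastructure rather than the two names quoted here.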
As Marbled Dust continues to evolve, this case serves as a stark reminder of the risks tied to zero-day exploitation and the importance of timely patch management and threat intelligence sharing across industries and governments.