#1 Middle East & Africa Trusted Cybersecurity News & Magazine

Marbled Dust Exploits Zero-Day in Output Messenger to Spy on Kurdish Targets: Inside a Sophisticated Regional Espionage Campaign


In April 2024, a covert cyber-espionage campaign shook the Middle Eastern cybersecurity landscape. Microsoft Threat Intelligence uncovered a zero-day exploit in the widely used chat platform Output Messenger (CVE-2025-27920), which was actively leveraged by a Türkiye-affiliated advanced persistent threat (APT) group known as Marbled Dust. The attackers utilized this vulnerability to penetrate communication systems used by Kurdish military personnel in Iraq, engaging in data theft and surveillance.

This latest operation marks a strategic and technical evolution for Marbled Dust, illustrating not just a continuity in its espionage motives but also a significant leap in sophistication. This article delves into the technical details of the zero-day exploit, profiles the threat actor, maps the attack chain, and provides strategic guidance for cybersecurity professionals to mitigate similar threats.

Inside the Marbled Dust Campaign: Technical Breakdown and Threat Actor Profile

Who is Marbled Dust?

Microsoft Threat Intelligence identifies Marbled Dust as a threat actor affiliated with Türkiye, with a history of espionage campaigns against government, telecommunications, and IT infrastructure primarily across Europe and the Middle East. The group’s operations have previously aligned with state interests, targeting entities considered counter to Turkish geopolitical objectives.

Security firms also refer to Marbled Dust as Sea Turtle and UNC1326. Past campaigns include DNS hijacking attacks used to redirect and intercept internet traffic, enabling credential harvesting and widespread surveillance. The use of a zero-day exploit in this latest campaign marks a sharp escalation in capability.

The Zero-Day: CVE-2025-27920 in Output Messenger

Output Messenger, developed by Srimax, is a multi-platform messaging application used by enterprises for internal communication. CVE-2025-27920, discovered in April 2024, is a directory traversal vulnerability in the Output Messenger Server Manager application.

This flaw allows an authenticated user to upload arbitrary files into sensitive directories on the server, including the Windows startup folder, enabling persistence and code execution at boot.

The attack works as follows:

  • The attacker authenticates to the Output Messenger server.
  • They upload a malicious Visual Basic script (VBS), altering the upload path using a directory traversal string.
  • Files like OMServerService.vbs are placed in the Startup folder at: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\

Once placed, the malicious script automatically runs with system privileges upon system reboot or user login.
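As an added illustration (not Srimax's code or the patch it shipped), the following Python shows the containment check a server-side upload handler needs so that a traversal string in the client-supplied file name cannot land a file outside the upload directory, such as in the Startup folder given above. The upload root path is assumed for the example; the traversal string mirrors the one described in the attack flow.

```python
from pathlib import PureWindowsPath

# Assumed upload root for illustration; the real Output Messenger layout is not on the page.
UPLOAD_ROOT = PureWindowsPath(r"C:\ProgramData\OutputMessenger\Uploads")


def _lexical_normalize(path: PureWindowsPath) -> PureWindowsPath:
    """Collapse '.' and '..' without touching the filesystem; PureWindowsPath keeps '..' literally."""
    anchor = path.anchor  # 'C:\\' for a drive path, '' for a relative one
    parts = path.parts[1:] if anchor else path.parts
    stack = []
    for part in parts:
        if part in ("", "."):
            continue
        if part == "..":
            if stack:
                stack.pop()  # climbing above the anchor is clamped, as Windows does
            continue
        stack.append(part)
    return PureWindowsPath(anchor, *stack)


def safe_upload_path(client_name: str) -> PureWindowsPath:
    """Return the destination path for an uploaded file, or raise ValueError."""
    # Windows accepts '/' as a separator too, so normalise it before the containment check
    candidate = PureWindowsPath(UPLOAD_ROOT, client_name.replace("/", "\\"))
    target = _lexical_normalize(candidate)
    # An absolute or drive-relative client_name replaces UPLOAD_ROOT on join; this rejects it too
    if UPLOAD_ROOT not in target.parents:
        raise ValueError(f"upload path escapes {UPLOAD_ROOT}: {client_name!r}")
    if not target.name:
        raise ValueError("upload path has no file name")
    return target


def is_safe_upload(client_name: str) -> bool:
    """True when the upload would be accepted; handy for logging and tests."""
    try:
        safe_upload_path(client_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Traversal string of the kind used to reach the Startup folder named in the article
    evil = r"..\..\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.vbs"
    print("report.docx ->", is_safe_upload("report.docx"))
    print("traversal   ->", is_safe_upload(evil))
```

This is a lexical check only; on a real server, also resolve the final path with os.path.realpath on the host and re-check containment, since junctions, symlinks and 8.3 short names are not handled here.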

Attack Chain: From Initial Access to Espionage

The campaign begins with initial reconnaissance. Marbled Dust appears to select targets already using Output Messenger—most notably personnel affiliated with the Kurdish military in Iraq.

Although the method for obtaining initial Output Messenger credentials remains unknown, it’s suspected that the group used:

  • DNS hijacking, and
  • Typosquatted domains

to intercept and reuse login data.

Step-by-Step Attack Flow:

  1. Access: Marbled Dust logs in as an authenticated user.
  2. Exploitation: Uses CVE-2025-27920 to drop malicious files (OM.vbs, OMServerService.vbs) into the Startup folder and OMServerService.exe into the public Videos directory.
  3. Payload Execution:
    • OMServerService.vbs triggers OM.vbs, which calls OMServerService.exe.
    • This .exe is a GoLang-based backdoor capable of OS-independent execution.
  4. Command & Control (C2):
    • The backdoor connects to: api.wordinfos[.]com
    • Sends system and hostname info to uniquely identify infected machines.
    • Receives commands for execution using cmd /c.
  5. Client Infection:
    • Malicious installer executes both legitimate OutputMessenger.exe and a second backdoor, OMClientService.exe.
    • This also connects to Marbled Dust’s infrastructure for further exploitation and data exfiltration.
  6. Data Theft:
    • Victims’ data, including files with various extensions, is collected.
    • Data is compressed into a RAR archive and exfiltrated.
    • In at least one case, Plink (a command-line SSH tool) was used for secure data transmission.

CVE-2025-27921: Another Vulnerability

While the main focus was CVE-2025-27920, Microsoft also identified a second vulnerability, CVE-2025-27921, in the same application. Although no exploitation has been observed so far, the vendor Srimax issued a patch for both vulnerabilities promptly upon disclosure by Microsoft.

Microsoft has acknowledged Srimax’s cooperation and swift response, which is critical in mitigating widespread impact.

Implications of the Campaign

Regional Focus:

This campaign underscores a regional cyberwarfare narrative. By targeting Kurdish military entities, Marbled Dust is seen as extending Türkiye’s cyber influence and surveillance capabilities in conflict-sensitive zones.

Increased Sophistication:

The use of a zero-day, custom GoLang backdoors, and multi-stage attack chains signals a higher level of operational maturity and access to advanced resources.

Threat to Enterprise Software:

The campaign is a stark reminder that even internal enterprise messaging tools often considered low-risk can become vectors for high-impact espionage.

10 Recommendations to Mitigate Similar Threats

  1. Patch Immediately
    Ensure all systems running Output Messenger are updated to the latest version that addresses CVE-2025-27920 and CVE-2025-27921.
  2. Restrict Access to Messaging Servers
    Harden authentication and access control to prevent unauthorized login to internal communication platforms.
  3. Use Multi-Factor Authentication (MFA)
    Enforce MFA for all internal applications, particularly chat and collaboration tools.
  4. Network Segmentation
    Isolate critical systems and communications platforms to reduce lateral movement.
  5. Monitor for Unusual Traffic
    Watch for unexpected outbound connections to domains like api.wordinfos[.]com or known Marbled Dust IPs.
  6. Audit and Harden Upload Features
    Disable unnecessary file upload functions and monitor for directory traversal strings in upload paths.
  7. Deploy Application Whitelisting
    Prevent execution of unauthorized scripts and executables such as .vbs and .exe files in startup directories.
  8. Use Threat Hunting Queries
    Leverage Microsoft and third-party threat hunting rules to detect malicious behavior specific to this attack chain.
  9. Conduct Employee Awareness Training
    Educate users on risks related to typosquatted domains and phishing tactics to prevent credential theft.
  10. Engage in Threat Intelligence Sharing
    Participate in intelligence-sharing communities to stay informed on evolving tactics from groups like Marbled Dust.
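An added example, not from the article or from Microsoft's published hunting queries, showing how recommendations 5, 6 and 7 translate into detection logic: a few rules run over constructed sample events (upload paths, DNS queries, file creations) and flag the traversal strings, the C2 domain and the Startup and public Videos drop locations named above. The event format and rule names are assumptions.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Indicators named in the article: C2 domain, Startup-folder drop, public Videos drop
C2_DOMAINS = {"api.wordinfos.com"}
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.IGNORECASE)
PUBLIC_VIDEOS_RE = re.compile(r"\\Users\\Public\\Videos\\", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")

# Constructed sample events (not real telemetry): kind|key=value|key=value
SAMPLE_EVENTS = [
    "upload|user=alice|path=reports/q1.pdf",
    r"upload|user=bob|path=..\..\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.vbs",
    "upload|user=carol|path=%2e%2e%2f%2e%2e%2fProgramData%2fnotes.txt",
    "dns|host=ws01|query=api.wordinfos.com",
    "dns|host=ws02|query=login.microsoftonline.com",
    r"file_create|host=ws01|path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OM.vbs",
    r"file_create|host=ws01|path=C:\Users\Public\Videos\OMServerService.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    kind, *fields = line.split("|")
    return {"kind": kind, **dict(f.partition("=")[::2] for f in fields)}


def alerts_for(line: str) -> List[str]:
    rec = parse_event(line)
    path = rec.get("path", "")
    hits: List[str] = []
    if rec["kind"] == "upload":
        # Decode once before matching so %2e%2e%2f is judged the same as ../
        if TRAVERSAL_RE.search(unquote(path)):
            hits.append("traversal_in_upload_path")
        if path.lower().endswith((".vbs", ".exe")):
            hits.append("executable_upload")
    elif rec["kind"] == "dns" and rec.get("query", "").lower().rstrip(".") in C2_DOMAINS:
        hits.append("known_c2_domain")
    elif rec["kind"] == "file_create":
        if STARTUP_DIR_RE.search(path) and path.lower().endswith((".vbs", ".exe")):
            hits.append("startup_folder_script_drop")
        if PUBLIC_VIDEOS_RE.search(path) and path.lower().endswith(".exe"):
            hits.append("exe_in_public_videos")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, alert names) for every event that triggered at least one rule."""
    return [(i, a) for i, line in enumerate(lines) if (a := alerts_for(line))]
```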

Conclusion

The Marbled Dust campaign exploiting a zero-day in Output Messenger is a critical case study in modern cyber-espionage. It reveals how regional conflicts are increasingly playing out in cyberspace, with highly specialized threat actors targeting communication infrastructures to gain strategic advantage.

Cybersecurity professionals must prioritize patching, proactive threat hunting, and zero-trust principles to stay ahead of such adversaries. While Srimax’s cooperation and Microsoft’s rapid disclosure helped limit the impact, the campaign serves as a reminder that no software, regardless of its purpose, is immune to exploitation.

The intersection of geopolitics and cybersecurity is only growing sharper. In this landscape, vigilance, preparation, and collaboration are not optional; they are essential.


Ouaissou DEMBELE (http://cybercory.com)
Ouaissou DEMBELE is a seasoned cybersecurity expert with over 12 years of experience, specializing in purple teaming, governance, risk management, and compliance (GRC). He currently serves as Co-founder & Group CEO of Sainttly Group, a UAE-based conglomerate comprising Saintynet Cybersecurity, Cybercory.com, and CISO Paradise. At Saintynet, where he also acts as General Manager, Ouaissou leads the company’s cybersecurity vision—developing long-term strategies, ensuring regulatory compliance, and guiding clients in identifying and mitigating evolving threats. As CEO, his mission is to empower organizations with resilient, future-ready cybersecurity frameworks while driving innovation, trust, and strategic value across Sainttly Group’s divisions. Before founding Saintynet, Ouaissou held various consulting roles across the MEA region, collaborating with global organizations on security architecture, operations, and compliance programs. He is also an experienced speaker and trainer, frequently sharing his insights at industry conferences and professional events. Ouaissou holds and teaches multiple certifications, including CCNP Security, CEH, CISSP, CISM, CCSP, Security+, ITILv4, PMP, and ISO 27001, in addition to a Master’s Diploma in Network Security (2013). Through his deep expertise and leadership, Ouaissou plays a pivotal role at Cybercory.com as Editor-in-Chief, and remains a trusted advisor to organizations seeking to elevate their cybersecurity posture and resilience in an increasingly complex threat landscape.
