Marbled Dust Exploits Zero-Day in Output Messenger to Spy on Kurdish Military Networks

Listen to this Post

Featured Image
Since April 2024, a sophisticated cyber-espionage campaign has been unfolding in the shadows of the digital world. The threat actor known as Marbled Dust—also referred to by various aliases such as Sea Turtle, Teal Kurma, SILICON, and Cosmic Wolf—has been leveraging a zero-day vulnerability (CVE-2025-27920) in Output Messenger, a private chat application popular among enterprise teams. The attackers targeted military-linked Kurdish users in Iraq, exfiltrating sensitive data, deploying malicious payloads, and compromising internal communications.

Marbled Dust is no newcomer to the scene. The group has been active since at least 2017, mainly focusing on the Middle East and Europe. In earlier campaigns between 2017 and 2019, the group was notorious for DNS hijacking operations, often exploiting telecommunication systems, NGOs, ISPs, media outlets, and political organizations such as the PKK.

The recent exploitation of Output Messenger marks a dramatic escalation in tactics, pointing to increased technical proficiency and urgency. Let’s break down the key elements of the attack.

Inside the Operation: 30-Line Summary

CVE-2025-27920 is a directory traversal vulnerability in Output Messenger versions prior to 2.0.63.
Exploitation allows unauthorized access to files outside the application’s intended directory.
Attackers used Output Messenger’s file-sharing feature to upload malicious scripts into the startup folder.
The flaw enabled arbitrary code execution, allowing full access to internal communication and data.
Kurdish military-linked entities in Iraq were the primary targets.
Marbled Dust used Go-based backdoors, including a malicious file called OMServerService.exe.
They deployed a second-stage backdoor on client machines to execute commands remotely and gather system data.
Communications and exfiltrated data were transmitted to a C2 via api.wordinfos[.]com.
Evidence of file theft, host enumeration, and RAR exfiltration via plink SSH was observed.
Access was likely gained initially through credential theft, possibly by DNS hijacking or typo-squatting.
Once inside, the attackers could impersonate users, steal credentials, and disrupt operations.
Microsoft researchers confirmed this campaign through targeted telemetry and behavioral analysis.
The attack signifies a major shift in Marbled Dust’s capability, moving from passive DNS-level attacks to active server-side exploitation.
The architecture of Output Messenger was abused to gain unrestricted surveillance over internal communications.
The group shows increased focus on military, political, and telecom targets in sensitive regions.
This marks a transition in strategy, reflecting either evolved operational goals or a broader geopolitical agenda.
The exploitation of a zero-day suggests access to advanced tooling or external support.
No official patch was initially available when the vulnerability was first exploited.
Systems running outdated versions of Output Messenger remain at critical risk.
Attack vectors include start-up execution, SSH tunnels, and command injection.
Threat actors managed persistent access through scheduled tasks and hidden backdoors.
The campaign remains active, with new IP addresses and domains observed frequently.
Microsoft’s report calls this a “turning point” for Marbled Dust in terms of sophistication.
Users are advised to update Output Messenger and review server startup directories.
Organizations in the Middle East and Europe, especially those with Kurdish ties, should be on high alert.
Analysts also emphasize the need for network segmentation and application hardening.
There’s growing concern that this operation may serve as a blueprint for future APT attacks.
Defensive strategies should include credential hygiene, monitoring for unusual SSH activity, and inspection of scheduled tasks.
Microsoft has released updated IOCs (Indicators of Compromise) and recommends audit logging.
The ultimate goal appears to be strategic espionage, not ransomware or financial gain.
The backdoor deployment was stealthy, modular, and tailored to Output Messenger’s internal structure.
Marbled Dust continues to adapt—analysts expect follow-up attacks using similar methods.

What Undercode Say:

This operation is a textbook example of why zero-days are so dangerous, especially when exploited by nation-state or nation-state-aligned actors. Marbled Dust didn’t just stumble across an unpatched bug—they strategically identified a high-value communications app, performed detailed reconnaissance, and launched a precision strike. Output Messenger is niche but widely used in internal environments, making it an ideal Trojan horse for espionage.

What makes this attack particularly notable is the shift from DNS-level manipulation to direct exploitation of enterprise software. It’s a clear sign that Marbled Dust is evolving. By embedding malware into the startup folder and deploying modular backdoors, they achieved persistence, privilege escalation, and lateral movement without triggering many traditional alarms.

The use of plink SSH for data exfiltration is clever and minimalist, a hallmark of experienced threat actors. They avoided noisy C2 channels and opted for what blends naturally into administrative traffic. The exfiltration via RAR archives and silent command execution shows a deep understanding of how to stay under the radar in Windows environments.

Another critical insight is the dual-stage attack approach. The first foothold was likely gained via credential theft or typo-squatting—a low-cost, high-yield method. Once authenticated, they moved quickly to install persistent malware and exploit the system architecture. This combination of social engineering and technical prowess defines modern APT behavior.

We are also witnessing the emergence of custom malware, such as OMServerService.exe, tailored to the targeted application. This is no longer commodity malware or copy-pasted exploits. These are handcrafted attacks, signaling either state-sponsored activity or deep partnerships with exploit developers.

This breach

The geopolitical angle cannot be ignored. The targeting of Kurdish-aligned military users in Iraq indicates a clear political motive,

References:

Reported By: securityaffairs.com
Extra Source Hub:
https://www.instagram.com
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram