A Turkey-backed cyberespionage group took advantage of a zero-day vulnerability to target Output Messenger users affiliated with the Kurdish military in Iraq.
Analysts from Microsoft Threat Intelligence discovered the attacks and pinpointed the flaw, CVE-2025-27920, in the LAN messaging application.
This directory traversal vulnerability permits authenticated attackers to access files outside the allowed directory or place harmful payloads in the server’s startup folder.
According to the creator of Output Messenger, attackers could gain access to configuration files, sensitive user information, or source code.
Depending on the nature of the data, this access could lead to additional exploitation, such as remote code execution (RCE).
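The class of bug described above is a missing path-containment check on a user-supplied filename. The following is an added illustration of such a check, written for this article and not taken from Output Messenger (whose internal file handling is not public); the root directory and filenames are constructed for the example.

```python
import os
from urllib.parse import unquote

# Constructed allowed root for the example; not Output Messenger's real layout.
ALLOWED_ROOT = os.path.realpath("/srv/messenger/uploads")


class PathTraversalError(ValueError):
    """Raised when a filename would resolve outside the allowed root."""


def resolve_user_path(root: str, user_supplied: str) -> str:
    """Return the absolute path for a user-supplied filename, or raise.

    Rejects the usual directory-traversal vectors: '..' segments, absolute
    paths (POSIX and Windows drive letters), backslash separators,
    percent-encoded separators and NUL bytes. The final realpath()
    comparison also refuses symlinks that point outside the root.
    """
    if not user_supplied:
        raise PathTraversalError("empty filename")
    # Decode once so '%2e%2e%2f' cannot smuggle '../' past the checks.
    decoded = unquote(user_supplied)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in filename")
    # Treat backslashes as separators: Windows servers accept both forms.
    normalized = decoded.replace("\\", "/")
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        raise PathTraversalError("absolute path not allowed")
    if any(segment == ".." for segment in normalized.split("/")):
        raise PathTraversalError("parent directory reference not allowed")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, normalized))
    # commonpath guards against the "/srv/messenger/uploads2" prefix trick
    # that a plain startswith() check would accept.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversalError("resolved path escapes allowed root")
    return candidate


def is_safe(root: str, user_supplied: str) -> bool:
    """Convenience wrapper: True if the name stays inside root."""
    try:
        resolve_user_path(root, user_supplied)
        return True
    except PathTraversalError:
        return False
```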
Threat actors heavily target the Output Messenger flaw.
Microsoft reported that the hacking group specifically targeted unpatched systems, utilising access to the Output Messenger Server Manager application to infect victims with malware.
Once they compromised the server, the Marbled Dust group could exfiltrate sensitive information, access entire user communications, impersonate users, infiltrate internal systems, and disrupt operations.
Microsoft observed that, while the precise method of authentication employed by the attackers is not yet known, they likely used DNS hijacking or typosquatted domains to intercept and reuse credentials, strategies seen in their previous campaigns.
After establishing access, the attackers installed a backdoor named Omserverservice.exe, which communicated with a command-and-control domain to transmit victim data.
In one instance, a breached Output Messenger client connected to an IP address linked to Marbled Dust shortly after getting instructions to gather and archive files for exfiltration.
Known for targeting organisations throughout Europe and the Middle East, Marbled Dust has concentrated on telecommunications, IT companies, and anti-Türkiye government entities.
Their techniques include exploiting vulnerabilities in internet-facing devices, manipulating DNS registries to redirect traffic, and stealing credentials through Man-in-the-Middle (MitM) attacks.
Microsoft concluded that this recent campaign signifies a significant advancement in Marbled Dust’s technical skills and might suggest a change in their targeting focus or a heightened urgency in their operations.
Therefore, organisations that employ the flawed software should patch it immediately to avoid falling victim to similar exploitation.
