Output Messenger

The Türkiye-affiliated threat group Marbled Dust (also known as Sea Turtle/UNC1326) exploited a directory traversal vulnerability (CVE-2025-27920) in Output Messenger, a multi-platform enterprise chat application, to target Kurdish military-linked users in Iraq as part of a cyberespionage campaign active since April 2024. The attack chain used typosquatted login portals and DNS hijacking to compromise Output Messenger’s Server Manager, followed by the deployment of a malicious VBS file in the Windows startup folder. This file abused the vulnerability to launch a Golang backdoor that spoofed a legitimate service, enabling C2 communications, host data exfiltration, and arbitrary command execution, leading to unauthorized data compromise. The breach suggests state-sponsored motives, with the threat actor expanding its capabilities to achieve operational objectives, likely for intelligence gathering or strategic disruption. The compromised military-linked communications pose risks of sensitive operational data exposure, potentially endangering regional security dynamics. The exploitation of a zero-day (or newly disclosed) vulnerability underscores the sophistication of the attack, with implications for geopolitical stability given the targeted demographic (Kurdish military personnel) and the actor’s affiliation (Türkiye).

Source: https://www.scworld.com/brief/output-messenger-zero-day-leveraged-in-ongoing-cyberespionage-campaign

TPRM report: https://www.rankiteo.com/company/17a-4

"id": "17a1182911113025",
"linkid": "17a-4",
"type": "Cyber Attack",
"date": "4/2024",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'customers_affected': 'Kurdish military-linked users '
                                              'in Iraq',
                        'industry': 'technology/communication software',
                        'name': 'Output Messenger',
                        'type': 'enterprise chat application provider'}],
 'attack_vector': ['typosquatted login portals',
                   'DNS hijacking',
                   'exploitation of CVE-2025-27920 (directory traversal)',
                   'malicious VBS file in Windows startup folder',
                   'Golang backdoor'],
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'high (military-linked)',
                 'type_of_data_compromised': ['host data',
                                              'potentially military-linked '
                                              'communications']},
 'description': 'Türkiye-affiliated threat operation Marbled Dust (aka Sea '
                'Turtle, UNC1326) exploited a directory traversal '
                "vulnerability (CVE-2025-27920) in Output Messenger's Server "
                'Manager as part of a cyberespionage campaign targeting '
                'Kurdish military-linked users in Iraq since April 2024. The '
                'attack involved typosquatted login portals, DNS hijacking, '
                'and the deployment of a malicious VBS file in the Windows '
                'startup folder. This file abused the vulnerability to launch '
                'a Golang backdoor for C2 communications, host data '
                'exfiltration, and command execution.',
 'impact': {'data_compromised': ['host data',
                                 'potentially sensitive military-linked '
                                 'information'],
            'systems_affected': ['Output Messenger Server Manager',
                                 'Windows systems (via VBS file)',
                                 'command-and-control (C2) infrastructure']},
 'initial_access_broker': {'backdoors_established': ['Golang backdoor via '
                                                     'CVE-2025-27920'],
                           'entry_point': ['typosquatted login portals',
                                           'DNS hijacking'],
                           'high_value_targets': ['Kurdish military-linked '
                                                  'users in Iraq']},
 'investigation_status': 'reported by Microsoft Threat Intelligence (ongoing)',
 'motivation': 'cyberespionage (targeting Kurdish military-linked users)',
 'post_incident_analysis': {'root_causes': ['exploitation of unpatched '
                                            'directory traversal vulnerability '
                                            '(CVE-2025-27920)',
                                            'use of typosquatted domains/DNS '
                                            'hijacking for initial access']},
 'references': [{'source': 'The Cyber Express'},
                {'source': 'Microsoft Threat Intelligence'}],
 'response': {'third_party_assistance': ['Microsoft Threat Intelligence '
                                         '(reporting)']},
 'threat_actor': ['Marbled Dust', 'Sea Turtle', 'UNC1326'],
 'title': 'Marbled Dust Exploits CVE-2025-27920 in Output Messenger for '
          'Cyberespionage Against Kurdish Military-Linked Users',
 'type': ['cyberespionage', 'targeted attack'],
 'vulnerability_exploited': 'CVE-2025-27920 (directory traversal in Output '
                            'Messenger)'}