Srimax and Output Messenger: Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers

Marbled Dust Exploits Zero-Day in Output Messenger for Cyber Espionage Targeting Kurdish Military

A Türkiye-linked threat actor, tracked as Marbled Dust (also known as Cosmic Wolf, Sea Turtle, and UNC1326), has been exploiting a zero-day vulnerability (CVE-2025-27920) in Output Messenger, an Indian enterprise communication platform, since April 2024. The campaign, uncovered by Microsoft Threat Intelligence, targeted Kurdish military entities in Iraq, aligning with the group’s historical focus on regional espionage.

The flaw—a directory traversal vulnerability in Output Messenger version 2.0.62—allowed attackers to remotely execute arbitrary files. The developer, Srimax, patched the issue in December 2024 with version 2.0.63, though its advisory did not acknowledge in-the-wild exploitation.

Microsoft assessed that Marbled Dust conducted reconnaissance to identify Output Messenger users before leveraging the zero-day. The attack chain began with authenticated access to the Output Messenger Server Manager, likely obtained via DNS hijacking or typosquatted domains. Once inside, the threat actor exploited CVE-2025-27920 to deploy malicious payloads, including:

  • OM.vbs and OMServerService.vbs (dropped in the server startup folder)
  • OMServerService.exe (a Golang backdoor placed in the server’s Users/public/videos directory)

The backdoor communicated with a hard-coded domain (api.wordinfos[.]com) for data exfiltration. On the client side, the installer executed both the legitimate OutputMessenger.exe and a second Golang backdoor (OMClientService.exe), which connected to a Marbled Dust command-and-control (C2) server. The backdoor performed a connectivity check before sending victim hostname data, with responses executed via Windows command prompt (cmd /c).
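One way a defender can hunt for the artifacts described above in host and DNS telemetry, as an added example that is not code from the report, Microsoft, or Srimax: it matches file, DNS and process events against the dropped file names and paths, the defanged C2 domain, and the cmd /c tasking pattern the report attributes to the client backdoor. The JSON-lines event schema (host, type, path, qname, image, parent, cmdline) is an assumption made for the demonstration, and the sample events are constructed.

```python
import json
import re
from pathlib import PureWindowsPath
# Indicators as stated in the report; the C2 domain stays defanged in the source list.
C2_DOMAIN_DEFANGED = "api.wordinfos[.]com"
# Dropped file name -> fragment of the directory the report places it in ("" = no path given).
DROPPED = {"om.vbs": "startup", "omserverservice.vbs": "startup",
           "omserverservice.exe": "users\\public\\videos", "omclientservice.exe": ""}

def check_file(path):
    """Flag a file create/execute event whose name matches a dropped artifact."""
    p = PureWindowsPath(path)
    want = DROPPED.get(p.name.lower())
    if want is None:
        return None
    note = "" if want in str(p.parent).lower() else " (outside the reported path)"
    return f"dropped artifact {p.name} in {p.parent}{note}"

def check_dns(qname):
    """Flag queries for the C2 domain or any subdomain of it; refang only for matching."""
    c2 = C2_DOMAIN_DEFANGED.replace("[.]", ".")
    q = qname.rstrip(".").lower()
    return f"DNS query for C2 domain {C2_DOMAIN_DEFANGED}" if q == c2 or q.endswith("." + c2) else None

def check_process(image, parent, cmdline):
    """Flag the reported tasking pattern: OMClientService.exe spawning cmd /c."""
    if (PureWindowsPath(parent).name.lower() == "omclientservice.exe"
            and PureWindowsPath(image).name.lower() == "cmd.exe"
            and re.search(r"\s/c\b", cmdline, re.IGNORECASE)):
        return f"OMClientService.exe spawned cmd /c: {cmdline}"
    return None

def hunt(jsonl):
    """Run a JSON-lines event feed (constructed schema) through all three checks."""
    findings = []
    for ev in map(json.loads, filter(str.strip, jsonl.splitlines())):
        hit = (check_file(ev["path"]) if ev["type"] == "file"
               else check_dns(ev["qname"]) if ev["type"] == "dns"
               else check_process(ev["image"], ev["parent"], ev["cmdline"]))
        if hit:
            findings.append(f"{ev['host']}: {hit}")
    return findings

# Constructed sample events, not real telemetry; every line should produce a finding.
SAMPLE = r"""
{"host":"omsrv01","type":"file","path":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\OMServerService.vbs"}
{"host":"omsrv01","type":"file","path":"C:\\Users\\Public\\Videos\\OMServerService.exe"}
{"host":"wks07","type":"dns","qname":"api.wordinfos.com."}
{"host":"wks07","type":"process","image":"C:\\Windows\\System32\\cmd.exe","parent":"C:\\Users\\Public\\OMClientService.exe","cmdline":"cmd /c whoami"}
"""
```

A file with one of the reported names found outside the reported directory is still flagged, but marked for manual review rather than treated as a confirmed artifact.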

Microsoft also identified a second vulnerability in the same version, a reflected cross-site scripting (XSS) flaw tracked as CVE-2025-27921, but found no evidence that it was exploited. The attack marks a step up in Marbled Dust's sophistication, suggesting escalated targeting priorities or operational urgency while the group keeps its established espionage focus. Active since at least 2017, the group has previously targeted telecoms, ISPs, IT service providers, and Kurdish entities in the Middle East, North Africa, and Europe.

Source: https://thehackernews.com/2025/05/turkiye-hackers-exploited-output.html

Output Messenger cybersecurity rating report: https://www.rankiteo.com/company/srimax

Srimax cybersecurity rating report: https://www.rankiteo.com/company/srimax-software-technology

{
  "id": "SRISRI1767087399",
  "linkid": "srimax, srimax-software-technology",
  "type": "Vulnerability",
  "date": "4/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Kurdish military entities in Iraq, telecommunication/media/IT-service providers in the Middle East and North Africa",
      "industry": "Technology/Software",
      "location": "India",
      "name": "Output Messenger (Srimax)",
      "type": "Enterprise Communication Platform"
    }
  ],
  "attack_vector": "Zero-day Exploit (CVE-2025-27920)",
  "data_breach": {
    "data_exfiltration": true,
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High (military-related, PII)",
    "type_of_data_compromised": "User credentials, communication data, personally identifiable information (PII)"
  },
  "date_detected": "2024-04-01",
  "date_resolved": "2024-12-01",
  "description": "A Türkiye-affiliated threat actor exploited a zero-day security flaw in an Indian enterprise communication platform called Output Messenger as part of a cyber espionage attack campaign since April 2024. The exploits resulted in the collection of related user data from targets in Iraq, specifically associated with the Kurdish military.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage to Output Messenger",
    "data_compromised": "User data, credentials, and sensitive information",
    "identity_theft_risk": "High (PII exposure)",
    "operational_impact": "Data exfiltration, unauthorized access to sensitive communications",
    "systems_affected": "Output Messenger Server Manager, Output Messenger Client"
  },
  "initial_access_broker": {
    "backdoors_established": "Golang backdoors (OMServerService.exe, OMClientService.exe)",
    "entry_point": "DNS hijacking or typosquatted domains to intercept credentials",
    "high_value_targets": "Kurdish military entities, telecommunication/media/IT-service providers",
    "reconnaissance_period": "Pre-attack reconnaissance to identify Output Messenger users"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Zero-day exploits can be leveraged for targeted cyber espionage; reconnaissance plays a critical role in threat actor operations; timely patching is essential to mitigate risks.",
  "motivation": "Cyber Espionage",
  "post_incident_analysis": {
    "corrective_actions": [
      "Patch management for zero-day vulnerabilities",
      "Implementation of MFA",
      "Enhanced network monitoring for C2 traffic",
      "User training on credential security"
    ],
    "root_causes": [
      "Unpatched zero-day vulnerability (CVE-2025-27920)",
      "Lack of multi-factor authentication (MFA)",
      "Insufficient monitoring for malicious C2 communications"
    ]
  },
  "ransomware": {
    "data_exfiltration": true
  },
  "recommendations": [
    "Apply the latest patch (v2.0.63) for Output Messenger",
    "Monitor for connections to known malicious domains (e.g., api.wordinfos[.]com)",
    "Implement multi-factor authentication (MFA) for sensitive systems",
    "Conduct regular security audits and vulnerability assessments",
    "Educate users on phishing and credential interception risks"
  ],
  "references": [
    {"source": "Microsoft Threat Intelligence"},
    {"source": "Cisco Talos"}
  ],
  "response": {
    "containment_measures": "Patch released (v2.0.63), removal of malicious payloads (OM.vbs, OMServerService.vbs, OMServerService.exe)",
    "enhanced_monitoring": "Monitoring for connections to C2 domain (api.wordinfos[.]com)",
    "remediation_measures": "Fix for CVE-2025-27920, enhanced authentication mechanisms",
    "third_party_assistance": "Microsoft Threat Intelligence"
  },
  "threat_actor": "Marbled Dust (aka Cosmic Wolf, Sea Turtle, Teal Kurma, UNC1326, Silicon)",
  "title": "Marbled Dust Exploits Zero-Day in Output Messenger for Cyber Espionage",
  "type": "Cyber Espionage",
  "vulnerability_exploited": "CVE-2025-27920 (Directory Traversal), CVE-2025-27921 (Reflected XSS - unused)"
}