Output Messenger Flaw Exploited as Zero-Day in Espionage Attacks

A Türkiye-backed cyberespionage group has exploited a zero-day vulnerability in the LAN messaging application, Output Messenger, to launch targeted attacks against users linked to the Kurdish military in Iraq. Microsoft Threat Intelligence analysts have identified this attack as part of a larger campaign by the Marbled Dust hacking group, also tracked as Sea Turtle, SILICON, and UNC1326.

The security flaw, known as CVE-2025-27920, is a directory traversal vulnerability that allows authenticated attackers to access sensitive files outside the intended directory or deploy malicious payloads on the server's startup folder. This means that attackers could access configuration files, sensitive user data, or even source code, potentially leading to further exploitation, including remote code execution.

How Did Marbled Dust Hackers Exploit the Flaw?

Microsoft revealed that the hackers targeted users who hadn't updated their systems to infect them with malware after gaining access to the Output Messenger Server Manager application. Once they compromised the server, the Marbled Dust hackers could steal sensitive data, access all user communications, impersonate users, gain access to internal systems, and cause operational disruptions.

The attackers used DNS hijacking or typo-squatted domains to intercept and reuse credentials. They then deployed a backdoor called OMServerService.exe onto the victims' devices, which checked connectivity against an attacker-controlled command-and-control domain (api.wordinfos[.]com) and provided the threat actors with additional information to identify each victim.

In one instance, the Output Messenger client on a victim's device connected to an IP address linked to the Marbled Dust threat group, likely for data exfiltration, shortly after the attacker instructed the malware to collect files and archive them as a RAR archive.

A Threat Group with a History of Espionage Attacks

Marbled Dust is known for targeting Europe and the Middle East, focusing on telecommunications and IT companies, as well as government institutions and organizations opposing the Turkish government. They're scanning for vulnerabilities in internet-facing devices to breach networks of infrastructure providers.

In addition to exploiting zero-day vulnerabilities, Marbled Dust also uses compromised DNS registries to change government organizations' DNS server configurations, which allows them to intercept traffic and steal credentials in man-in-the-middle attacks.

A Notable Shift in Marbled Dust's Capability

"This new attack signals a notable shift in Marbled Dust's capability while maintaining consistency in their overall approach," Microsoft added. "The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust's targeting priorities have escalated or that their operational goals have become more urgent."

Last year, Marbled Dust was also linked to multiple espionage campaigns targeting organizations in the Netherlands, mainly targeting telecommunications companies, internet service providers (ISPs), and Kurdish websites between 2021 and 2023.