A Türkiye-affiliated threat actor exploited a zero-day security flaw in an Indian enterprise communication platform called Output Messenger as part of a cyber espionage attack campaign since April 2024.
“These exploits have resulted in a collection of related user data from targets in Iraq,” the Microsoft Threat Intelligence team said. “The targets of the attack are associated with the Kurdish military operating in Iraq, consistent with previously observed Marbled Dust targeting priorities.”
The activity has been attributed to a threat group it tracks as Marbled Dust (formerly Silicon), which is also known as Cosmic Wolf, Sea Turtle, Teal Kurma, and UNC1326. The hacking crew is believed to have been active since at least 2017, although it wasn’t until two years later that Cisco Talos documented attacks targeting public and private entities in the Middle East and North Africa.
Early last year, it was also identified as targeting telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the Netherlands.
Microsoft has assessed with moderate confidence that the threat actor has conducted some sort of reconnaissance beforehand to determine if its targets are Output Messenger users and then leverage the zero-day to distribute malicious payloads and exfiltrate data from targets.
The vulnerability in question is CVE-2025-27920, a directory traversal vulnerability affecting version 2.0.62 that allows remote attackers to access or execute arbitrary files. The issue has been addressed by its developer Srimax as of late December 2024 with version 2.0.63. The company, however, makes no mention of the flaw being exploited in the wild in its advisory.
The attack chain starts with the threat actor gaining access to the Output Messenger Server Manager application as an authenticated user. It’s believed that Marbled Dust uses techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication.
The access is then abused to collect the user’s Output Messenger credentials and exploit CVE-2025-27920 to drop payloads like “OM.vbs” and “OMServerService.vbs” to the server startup folder and “OMServerService.exe” to the server’s “Users/public/videos” directory.
In the next phase, the threat actor uses “OMServerService.vbs” to invoke “OM.vbs” and “OMServerService.exe,” the latter of which is a Golang backdoor that contacts a hard-coded domain (“api.wordinfos[.]com”) for data exfiltration.
“On the client side, the installer extracts and executes both the legitimate file OutputMessenger.exe and OMClientService.exe, another Golang backdoor that connects to a Marbled Dust command-and-control (C2) domain,” Microsoft noted.
“This backdoor first performs a connectivity check via a GET request to the C2 domain api.wordinfos[.]com. If successful, a second GET request is sent to the same C2 containing hostname information to uniquely identify the victim. The response from the C2 is then directly executed using the command ‘cmd /c’ which instructs the Windows command prompt to run a specific command and then terminate.”
At one case involved a victim device with Output Messenger client software installed connecting to an IP address previously identified as used by Marbled Dust for likely data exfiltration.
The tech giant also noted that it discovered a second flaw, reflected cross-site scripting (XSS) vulnerability in the same version (CVE-2025-27921), although it said it found no evidence of it being weaponized in real-world attacks.
“This new attack signals a notable shift in Marbled Dust’s capability while maintaining consistency in their overall approach,” Microsoft said. “The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust’s targeting priorities have escalated or that their operational goals have become more urgent.”
