A Türkiye-affiliated cyber-espionage group, known as Marbled Dust, has been exploiting a zero-day vulnerability in the enterprise messaging platform Output Messenger to deploy Golang-based backdoors on servers associated with Kurdish military entities in Iraq. This campaign, active since April 2024, underscores the evolving tactics of state-linked threat actors targeting niche enterprise tools. (The Hacker News, The Cyber Express)
CVE-2025-27920: The Exploited Vulnerability
The vulnerability in question, CVE-2025-27920, is a directory traversal flaw in Output Messenger's Server Manager component. It allows an authenticated user to upload files outside the intended location, including into the server's startup directory, where anything dropped runs automatically at start-up, so an upload becomes code execution. Note the precondition: the attacker needs valid credentials first, which is why the credential-theft step in the attack chain matters. Marbled Dust leveraged this flaw to deploy malicious scripts and executables, establishing persistent access to targeted systems. (The Cyber Express, Cyber Security News, Microsoft)
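To make the bug class concrete, here is an added illustration (not Srimax's code, and not a reconstruction of the real Output Messenger upload handler) of an authenticated upload that joins the client-supplied file name onto the upload directory without checking it, beside a hardened version. The function names, the directory layout used by demo() (an uploads folder two levels below a stand-in Startup folder) and the file contents are assumptions made for the demo.

```python
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path

# Added illustration of the bug class behind CVE-2025-27920: an authenticated
# file upload that lets ".." components in the supplied name walk out of the
# intended directory. Function names, the directory layout and the file
# contents are assumptions made for this demo, not Srimax's code or real
# Output Messenger paths.


def naive_upload_path(upload_root: Path, client_filename: str) -> Path:
    """Vulnerable form: the client-supplied name is joined straight onto the
    upload root, so a name such as '..\\..\\Startup\\OM.vbs' resolves to the
    Startup folder. Backslashes are mapped to '/' so the demo behaves the same
    on Linux as on Windows, where both separators are accepted."""
    return upload_root / client_filename.replace("\\", "/")


def safe_upload_path(upload_root: Path | str, client_filename: str) -> Path:
    """Hardened form: accept only a bare file name (reject rather than strip, so
    the attempt is visible in logs), then canonicalise and confirm the result is
    still inside the upload root as a second, independent check."""
    normalised = client_filename.replace("\\", "/")
    if normalised in ("", ".", "..") or any(c in normalised for c in "/:\0"):
        raise ValueError(f"rejected file name: {client_filename!r}")
    root = Path(os.path.realpath(upload_root))
    dest = Path(os.path.realpath(root / normalised))
    if os.path.commonpath([root, dest]) != str(root):
        raise ValueError(f"path escapes upload root: {client_filename!r}")
    return dest


def rejects(upload_root: Path | str, client_filename: str) -> bool:
    """True if the hardened handler refuses this name."""
    try:
        safe_upload_path(upload_root, client_filename)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run both handlers against an attacker-style name in a throwaway layout.
    The relative position of the real upload and Startup folders on an Output
    Messenger server is not known here; the layout below is an assumption."""
    base = Path(tempfile.mkdtemp(prefix="om-traversal-demo-"))
    uploads = base / "OutputMessengerServer" / "uploads"
    startup = base / "Startup"
    uploads.mkdir(parents=True)
    startup.mkdir()
    attacker_name = "..\\..\\Startup\\OM.vbs"  # constructed; mimics the dropped script name

    naive = naive_upload_path(uploads, attacker_name)
    naive.write_bytes(b"' constructed placeholder, not the real payload\r\n")
    landed_in_startup = Path(os.path.realpath(naive)).parent == Path(os.path.realpath(startup))

    result = {
        "naive_wrote_to": str(naive),
        "landed_in_startup": landed_in_startup,
        "hardened_refused": rejects(uploads, attacker_name),
        "benign_name_ok": not rejects(uploads, "report.pdf"),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler refuses any name containing a separator, a colon (Windows drive and alternate-stream syntax) or a NUL, and then re-checks the canonical path against the canonical root; the second check is cheap and catches cases the first one does not anticipate, such as a pre-existing symlink inside the upload directory.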
Attack Chain Overview
- Initial Access: Marbled Dust likely obtained valid credentials through methods such as DNS hijacking or typosquatted domains, tactics it has employed in previous operations. (Cyber Security News)
- Payload Deployment: Using the directory traversal vulnerability, the attackers uploaded malicious files, including OMServerService.vbs and OM.vbs, to the server's startup folder. These scripts executed OMServerService.exe, a Golang-based backdoor. (Cyber Security News, The Cyber Express)
- Command and Control (C2): The backdoor communicated with a hardcoded C2 server at api.wordinfos[.]com, enabling the attackers to execute commands, exfiltrate data, and maintain control over the compromised systems. (Daily CyberSecurity)
- Client-Side Infection: On compromised client machines, a secondary backdoor, OMClientService.exe, was installed alongside the legitimate Output Messenger application, further extending the attackers' reach within the network. (Cyber Security News)
Attribution and Targets
Microsoft’s Threat Intelligence team attributes this campaign to Marbled Dust, a group with a history of targeting entities opposing Turkish government interests. The group’s activities align with those tracked under names like Sea Turtle and UNC1326. In this instance, the primary targets were Kurdish military-linked users in Iraq, consistent with Marbled Dust’s previous focus areas. (CyberInsider, The Cyber Express)
Mitigation and Recommendations
In response to the discovery, Srimax, the developer of Output Messenger, released patches addressing both CVE-2025-27920 and a related vulnerability, CVE-2025-27921. Organizations using Output Messenger are strongly advised to do the following (GBHackers):
- Update to the latest versions:
  - Client: Version 2.0.63
  - Server: Version 2.0.62 (CyberInsider, The Hacker News)
- Audit systems for unusual files in startup directories and unexpected outbound connections, particularly to api.wordinfos[.]com. A Windows Startup folder normally holds only shortcuts, so any script or executable there deserves a look; the reported file names (OMServerService.vbs, OM.vbs, OMServerService.exe, OMClientService.exe) mimic the product's own naming, so judge by location and by comparison with the vendor's installed binaries rather than by name alone.
- Implement phishing-resistant multi-factor authentication (MFA) and monitor for signs of credential compromise; the exploited flaw requires valid credentials, so credential theft is the attacker's entry point.
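As an added example of the audit step (not code from the original reporting or from Srimax), the helper below scans a Startup folder for anything that is not a shortcut, tags entries whose names match the reported droppers and backdoors, and scans text logs for the reported C2 hostname. The file names and hostname are the indicators named on this page; the key=value log format, the sample log lines and the stand-in Startup folder that demo() creates are constructed for the example and are assumptions, not real telemetry or real paths.

```python
from __future__ import annotations

import re
import shutil
import tempfile
from pathlib import Path

# Added hunting helper for the audit recommendation. The file names and the C2
# hostname are the indicators reported for this campaign; the log format, the
# sample log lines and the Startup folder used by demo() are constructed for
# this example (assumptions, not real telemetry or real paths).

IOC_FILENAMES = {"omserverservice.vbs", "om.vbs", "omserverservice.exe", "omclientservice.exe"}
IOC_DOMAINS_DEFANGED = {"api.wordinfos[.]com"}


def refang(indicator: str) -> str:
    """Reports defang hostnames as 'x[.]y'; restore the dot so they can be matched."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Anything that looks like a dotted hostname; matches are then filtered against IOC_DOMAINS.
HOST_RE = re.compile(
    r"(?<![\w.-])[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+(?![\w-])",
    re.I,
)

# A Startup folder normally holds only shortcuts plus the hidden desktop.ini.
STARTUP_EXPECTED_SUFFIXES = {".lnk"}
STARTUP_EXPECTED_NAMES = {"desktop.ini"}


def suspicious_startup_entries(startup_dir: Path) -> list[dict]:
    """Flag every entry that is not a shortcut; tag the ones whose names match the
    reported droppers/backdoors. A name match alone is not proof of compromise
    (the names mimic the product), so the location is the primary signal."""
    findings = []
    for entry in sorted(startup_dir.iterdir()):
        name = entry.name.lower()
        if name in STARTUP_EXPECTED_NAMES or (
            entry.is_file() and entry.suffix.lower() in STARTUP_EXPECTED_SUFFIXES
        ):
            continue
        findings.append({
            "name": entry.name,
            "path": str(entry),
            "reason": "reported IOC file name" if name in IOC_FILENAMES else "non-shortcut item in Startup",
        })
    return findings


def c2_hits(log_lines) -> list[dict]:
    """Scan DNS/proxy/EDR text logs for the reported C2 hostname, case-insensitively.
    Only exact hostname matches are reported; widening to the parent domain is a
    tuning decision left to the analyst."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for host in HOST_RE.findall(line):
            if host.lower() in IOC_DOMAINS:
                hits.append({"line": number, "host": host.lower(), "text": line.strip()})
    return hits


SAMPLE_LOG = [  # constructed log lines in a made-up key=value format
    "2025-05-12T09:58:41Z host=OMSRV01 proc=OMServerService.exe event=dns query=api.wordinfos.com",
    "2025-05-12T09:58:42Z host=OMSRV01 proc=OMServerService.exe event=connect dst=api.wordinfos.com:443",
    "2025-05-12T10:02:13Z host=WS-17 proc=OMClientService.exe event=dns query=API.WORDINFOS.COM",
    "2025-05-12T10:05:00Z host=WS-17 proc=outlook.exe event=connect dst=outlook.office365.com:443",
]


def demo() -> dict:
    """Populate a throwaway stand-in for a Startup folder and run both checks."""
    base = Path(tempfile.mkdtemp(prefix="om-hunt-demo-"))
    startup = base / "Startup"
    startup.mkdir()
    (startup / "Output Messenger.lnk").write_bytes(b"")  # benign shortcut
    (startup / "desktop.ini").write_bytes(b"")           # benign folder metadata
    (startup / "OMServerService.vbs").write_bytes(b"' constructed\r\n")
    (startup / "OM.vbs").write_bytes(b"' constructed\r\n")
    (startup / "updater.exe").write_bytes(b"MZ")          # unknown, still worth a look
    result = {"file_findings": suspicious_startup_entries(startup), "c2_hits": c2_hits(SAMPLE_LOG)}
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    out = demo()
    for f in out["file_findings"]:
        print(f"[startup] {f['reason']}: {f['path']}")
    for h in out["c2_hits"]:
        print(f"[network] line {h['line']}: {h['host']} <- {h['text']}")
```

On a real host, point suspicious_startup_entries() at both the per-user folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and the all-users folder (%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp), since the reporting does not say which one the attackers used, and feed c2_hits() your DNS client, proxy or EDR network logs exported as text.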
This incident highlights the importance of securing less prominent enterprise applications, as threat actors increasingly exploit overlooked vulnerabilities to achieve their objectives. (The Cyber Express)