Tuesday, May 13, 2025
Hackers Exploit Output Messenger Zero-Day to Target Kurdish Military in Espionage Campaign

by Charline

Hackers Exploit Output Messenger Vulnerability to Launch Cyber Espionage Campaign

A zero-day vulnerability in the popular chat software Output Messenger has been exploited by hackers in a sophisticated espionage campaign targeting Kurdish military entities in Iraq. The group responsible, known as Marbled Dust, has been using the flaw since April 2024 to steal sensitive data and deploy malicious payloads across affected networks.

The Vulnerability: CVE-2025-27920

The directory traversal vulnerability (CVE-2025-27920) in Output Messenger allows authenticated users to upload malicious files to the software’s startup directory. This vulnerability poses a significant risk, as it gives attackers the ability to execute harmful payloads within affected systems.
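The flaw described above is a classic directory traversal in a file-upload path: a client-controlled file name such as `../startup/x.vbs` is joined to the upload directory without checking where it actually lands. The following is an added example, not Output Messenger's code, showing the weak join pattern next to a hardened check; the upload root `/srv/om/uploads` is a hypothetical placeholder, and the helper names are the example's own.

```python
from pathlib import Path

# Added example (not Output Messenger's code): a naive upload path join next to a
# hardened one. The upload root is a hypothetical placeholder path.
UPLOAD_ROOT = "/srv/om/uploads"


def naive_join(root: str, user_supplied: str) -> str:
    """The weak pattern: trust the client-supplied name and join it to the root.
    pathlib does not collapse '..', so '../startup/x.vbs' walks out of the
    upload directory and the file is written wherever the name points."""
    return str(Path(root) / user_supplied)


def is_safe_upload_path(root: str, user_supplied: str) -> bool:
    """Hardened check: accept the name only if the fully resolved target
    lies strictly inside the resolved upload root."""
    # NUL bytes and backslashes are rejected outright: a backslash is a path
    # separator on Windows even though POSIX pathlib treats it as a plain character.
    if "\x00" in user_supplied or "\\" in user_supplied:
        return False
    # Absolute paths and drive-letter prefixes (C:...) never belong in an upload name.
    if user_supplied.startswith("/") or (len(user_supplied) > 1 and user_supplied[1] == ":"):
        return False
    root_resolved = Path(root).resolve()
    # resolve() collapses '..' segments and follows existing symlinks, so the
    # comparison is made on where the file would really be written.
    candidate = (root_resolved / user_supplied).resolve()
    # parents excludes the path itself, so '.' (the root) is also rejected.
    return root_resolved in candidate.parents


def safe_upload_target(root: str, user_supplied: str) -> Path:
    """Return the resolved destination, or raise if the name escapes the root."""
    if not is_safe_upload_path(root, user_supplied):
        raise ValueError(f"rejected upload name: {user_supplied!r}")
    return (Path(root).resolve() / user_supplied).resolve()


if __name__ == "__main__":
    # Constructed sample names: one legitimate, two traversal attempts.
    for name in ("reports/q1.pdf", "../startup/x.vbs", "..\\..\\x.vbs"):
        print(f"{name!r:24} naive -> {naive_join(UPLOAD_ROOT, name):40} "
              f"safe={is_safe_upload_path(UPLOAD_ROOT, name)}")
```

The important design point is that the check runs on the resolved path, not on a denylist of `..` substrings: URL-encoded, doubled, or backslash-separated variants all end up compared against the same real root. Note that this still presumes the user is authenticated; the article's point is that authentication alone was not sufficient, because the post-login upload path was what the attackers abused.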

Once Microsoft’s Threat Intelligence team discovered the flaw, the company notified Srimax, the developer of Output Messenger. Srimax quickly released patches to address the vulnerability and protect users from further exploitation.

Targeting Kurdish Military and Regional Interests

Marbled Dust, a Turkey-affiliated espionage group, has historically focused on entities that pose counter-interests to the Turkish government. Microsoft’s investigation reveals that this group has specifically targeted users tied to Kurdish military operations in Iraq, aligning with their known targeting patterns.

This latest attack highlights the increasing sophistication of the group’s methods and their evolving operational goals. According to Microsoft, the use of a zero-day exploit indicates that Marbled Dust’s actions have become more urgent or focused.

How the Attack Works

The attackers first gain authenticated access to Output Messenger’s Server Manager. After logging in, they exploit the directory traversal vulnerability to upload malicious files to the server’s startup folder. These files include OMServerService.vbs and OM.vbs, which together stage a Go-language backdoor that contacts a command-and-control server for further instructions.

Additionally, OMClientService.exe is installed on victim machines alongside the legitimate Output Messenger application. This malware also communicates with the command-and-control infrastructure, stealing victim information and carrying out commands sent by the attackers.

In at least one instance, the attackers used plink, PuTTY’s command-line connection tool, to exfiltrate data staged in RAR archives.
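The artifact names above (OMServerService.vbs, OM.vbs, OMClientService.exe) give a defender a concrete starting point for a hunt. The script below is an added example, not Microsoft's or Srimax's guidance, that walks a set of startup directories and flags files whose names match that list; the constructed temporary folder in `demo_scan` stands in for a real Startup directory so the example runs offline. Which directories to scan is the reader's decision: the standard Windows Startup folders are included as defaults, and the Output Messenger server's own startup directory should be added once its path on a given host is known.

```python
import os
import tempfile
from pathlib import Path
from typing import Iterable, List, Set

# Added example (not Microsoft's or Srimax's code). File names the article attributes
# to the campaign; matching is case-insensitive because NTFS is case-insensitive.
ARTIFACT_NAMES: Set[str] = {"omserverservice.vbs", "om.vbs", "omclientservice.exe"}


def default_startup_dirs() -> List[Path]:
    """Standard per-user and all-users Windows Startup folders, when the
    environment variables that locate them are set (empty list elsewhere)."""
    dirs: List[Path] = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup")
    programdata = os.environ.get("ProgramData")
    if programdata:
        dirs.append(Path(programdata) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return dirs


def find_startup_artifacts(startup_dirs: Iterable[Path],
                           names: Set[str] = ARTIFACT_NAMES) -> List[Path]:
    """Return every file under the given directories whose name is on the watch list.
    A name match is a lead, not a verdict: confirm with a hash or signature check."""
    hits: List[Path] = []
    for d in startup_dirs:
        if not d.is_dir():
            continue  # folder absent on this host; nothing to scan
        for p in d.rglob("*"):
            if p.is_file() and p.name.lower() in names:
                hits.append(p)
    return sorted(hits)


def demo_scan() -> List[str]:
    """Build a constructed Startup folder in a temp dir and return the flagged names."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Startup"
        startup.mkdir()
        # Constructed sample files: two decoys carrying the reported names plus one benign entry.
        (startup / "OMServerService.vbs").write_text("' constructed sample, not real content\n")
        (startup / "OM.vbs").write_text("' constructed sample, not real content\n")
        (startup / "OneDrive.lnk").write_text("benign placeholder\n")
        return [h.name for h in find_startup_artifacts([startup])]


if __name__ == "__main__":
    print("demo hits:", demo_scan())
    for hit in find_startup_artifacts(default_startup_dirs()):
        print("review:", hit)
```

Because the malicious OMClientService.exe is dropped alongside the legitimate client, a filename hit on an endpoint is ambiguous on its own; the useful follow-up is to compare the file's hash and signer against a known-good install and to look for outbound connections from that process to infrastructure the organization does not recognize.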

The Impact on Communications

Once the attackers have control of the Output Messenger server, they can access all communications within the affected network. This enables them to steal sensitive data, impersonate users, and compromise the integrity of the organization’s communication system.

Microsoft has tracked Marbled Dust under various aliases, including Sea Turtle and UNC1326, and has observed their activities targeting government entities, telecommunications, and IT sectors across Europe and the Middle East.

Steps to Protect Against the Threat

To defend against this attack, Microsoft recommends updating to Output Messenger version 2.0.63 for Windows clients and version 2.0.62 for servers. Additional security measures include:

  • Enabling cloud-delivered protection in antivirus products.
  • Implementing phishing-resistant authentication for critical applications.
  • Deploying Microsoft Defender Vulnerability Management to identify vulnerabilities within an organization’s systems.

Microsoft continues to monitor the evolving threat and has provided detailed guidance to help security teams detect potential compromises.
