Turkey-Aligned Hackers Targeted Iraq-Based Kurds with Zero-Day Exploit


A cyber threat actor believed to align with Turkish government interests has been observed exploiting a vulnerability (CVE-2025-27920) in Output Messenger, a multiplatform chat solution, on deployments that have not applied the available fix.

The campaign was detected by Microsoft Threat Intelligence and has been ongoing since at least April 2024.

The threat actor, tracked as Marbled Dust by Microsoft, is believed to be a cyber-espionage group whose interests align with Turkey.

In a May 12 report sharing its findings, Microsoft Threat Intelligence assessed “with high confidence” that the targets of the campaign are associated with the Kurdish military operating in Iraq.

From Exploited Zero-Day to Patched Vulnerability

CVE-2025-27920 is a directory traversal vulnerability caused by improper file path handling, identified in Output Messenger version 2.0.62 and affecting all versions before 2.0.63.

By supplying ../ sequences in request parameters, an attacker can reach sensitive files outside the intended directory, potentially leaking configuration or enabling arbitrary file access.

According to an advisory published in December 2024 by Srimax, the Indian-based company developing Output Messenger, the flaw was discovered by Microsoft and subsequently patched in version 2.0.63.

However, the vulnerability entry in CVE.org was reported by MITRE on May 5, 2025, and information about the vulnerability status is incomplete.

Enrichment data for this vulnerability is also missing, including the severity score (CVSS).

“Microsoft also identified a second vulnerability in Output Messenger (CVE-2025-27921) for which Srimax has also released a patch; however, Microsoft has not observed exploitation of this second vulnerability,” the Microsoft Threat Intelligence report added.

Marbled Dust’s Attack Chain

In this malicious campaign, Marbled Dust begins by gaining access to the Output Messenger Server Manager application as an authenticated user, likely through DNS hijacking or typo-squatted domains that allow the threat actor to intercept and reuse credentials.

The threat actor then leverages the compromised account to obtain the user’s Output Messenger credentials and subsequently exploits the CVE-2025-27920 vulnerability.

According to the report, the threat actor started exploiting this vulnerability as far back as April 2024, months before it was detected, reported and fixed in an Output Messenger patch update.

Marbled Dust has also continued exploiting it on unpatched instances after Srimax’s fix was released.

Exploitation of CVE-2025-27920 allows Marbled Dust to drop a series of malicious files (OM.vbs, OMServerService.vbs, and OMServerService.exe) into specific directories on the Output Messenger server.

OMServerService.vbs calls OM.vbs and passes it to OMServerService.exe, a Golang backdoor. OMServerService.exe then connects to a hardcoded domain (api.wordinfos[.]com) for data exfiltration.

On the client side, the malware extracts and executes OutputMessenger.exe and OMClientService.exe, another Golang backdoor. OMClientService.exe checks connectivity to the command-and-control (C2) domain (api.wordinfos[.]com), sends hostname information and executes the C2’s response using “cmd /c”.

The malware has been observed connecting to a Marbled Dust-attributed IP address, likely for data exfiltration, using plink (PuTTY SSH client) to collect files and create a RAR file on the desktop.
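As an added illustration (not code from the article, Microsoft or Srimax), the following Python applies the indicators named above to constructed log lines: it percent-decodes request parameters repeatedly so encoded and double-encoded ../ sequences are caught, refangs the defanged C2 domain before matching, and flags the dropped file names by exact name rather than substring. The request path /api/file and every log line are constructed assumptions, not observed data.

```python
import re
from urllib.parse import unquote

# Indicators named in the article. The C2 domain is kept defanged as written
# there and refanged only when the matcher is built.
C2_DOMAIN = "api.wordinfos[.]com".replace("[.]", ".")
DROPPED_FILE_RE = re.compile(
    r"(?<![\w.])(?:om\.vbs|omserverservice\.(?:vbs|exe)|omclientservice\.exe)\b",
    re.IGNORECASE,
)
# '../' or '..\' after percent-decoding; decoding is repeated so that
# %2e%2e%2f and double-encoded %252e%252e%252f both normalise to '../'.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")


def normalise(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str) -> list[str]:
    """Return the indicator categories matched by a single log line."""
    hits = []
    if TRAVERSAL_RE.search(normalise(line)):
        hits.append("path-traversal")
    if C2_DOMAIN in line.lower():
        hits.append("c2-domain")
    if DROPPED_FILE_RE.search(line):
        hits.append("dropped-file")
    return hits


# Constructed sample log lines (assumed, not from the article): web requests
# to the Output Messenger server, a DNS query, and two process-creation events.
SAMPLE_LOGS = [
    "GET /api/file?path=..%2F..%2F..%2Fconfig.ini HTTP/1.1",
    "GET /api/file?path=%252e%252e%252fstartup HTTP/1.1",
    "GET /api/file?path=docs/report.pdf HTTP/1.1",
    "dns query=api.wordinfos.com src=10.0.0.5",
    "process parent=wscript.exe args=OMServerService.vbs spawns=OM.vbs",
    "process image=custom.vbs args=nightly-backup",
]


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line_number, categories) for every line that matched something."""
    return [(i, hits) for i, line in enumerate(lines, 1) if (hits := classify(line))]
```

Note that custom.vbs on the last line is deliberately not flagged: the lookbehind in DROPPED_FILE_RE requires the file name to start at a token boundary, which keeps legitimate scripts ending in "om.vbs" out of the alert stream.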

Marbled Dust’s Previous Activity

These exploits have resulted in the collection of user data from targets in Iraq, which is consistent with previously observed Marbled Dust targeting priorities.

Marbled Dust has been active since at least 2019, targeting entities in Europe and the Middle East, particularly government institutions and organizations in the telecommunications and information technology sectors.

The group’s activity overlaps with Sea Turtle, COSMIC WOLF, SILICON, Teal Kurma and UNC1326.

In previous campaigns, Marbled Dust was observed scanning targeted infrastructure for known vulnerabilities in internet-facing appliances or applications and exploiting these vulnerabilities as a means of gaining initial access to target infrastructure providers.

The group was also observed using access to compromised DNS registries and/or registrars to reset the DNS server configurations of government organizations in various countries, thereby intercepting traffic and enabling them to log and reuse stolen credentials.

“This new attack signals a notable shift in Marbled Dust’s capability while maintaining consistency in their overall approach,” said the Microsoft researchers.

“The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust’s targeting priorities have escalated or that their operational goals have become more urgent.”
