Marbled Dust leverages zero-day in Output Messenger for regional espionage

May 14, 2025

Since April 2024, the threat actor that Microsoft Threat Intelligence tracks as Marbled Dust has been exploiting a zero-day vulnerability (CVE-2025-27920) in Output Messenger, a multiplatform chat application, against user accounts that have not applied the fix. This exploitation has led to the collection of sensitive user data from targets located in Iraq; Microsoft assesses with high confidence that these targets are linked to the Kurdish military, consistent with Marbled Dust’s previously established targeting patterns.

Microsoft Threat Intelligence has moderate confidence that Marbled Dust conducts thorough reconnaissance to ascertain whether potential targets are users of Output Messenger, selecting this attack vector based on their findings. Successful exploitation of the vulnerability enables the threat actor to deploy multiple malicious files and exfiltrate data from the compromised accounts.

Upon identifying the zero-day vulnerability in Output Messenger, Microsoft promptly notified Srimax, the application’s developer, who subsequently issued a software update. Additionally, a second vulnerability (CVE-2025-27921) was discovered, for which Srimax has also released a patch; however, Microsoft has yet to observe any exploitation of this second vulnerability. The collaboration of Srimax in addressing these vulnerabilities is duly acknowledged.

In this analysis, we delve into the methods employed by Marbled Dust to exploit the Output Messenger zero-day vulnerability within the context of their attack chain. We also provide guidance on mitigation and protection strategies, alongside detection details and hunting queries. Microsoft recommends that users upgrade to the latest version of Output Messenger to mitigate the risk posed by this vulnerability.

Who is Marbled Dust?

Marbled Dust is assessed by Microsoft Threat Intelligence to be an espionage threat actor affiliated with Türkiye. The group primarily targets entities in Europe and the Middle East, focusing on government institutions and organizations that may counter Turkish interests, as well as sectors related to telecommunications and information technology. Their activities have been observed to overlap with those tracked by other security vendors, including Sea Turtle and UNC1326.

In past campaigns, Marbled Dust has been noted for scanning targeted infrastructures for known vulnerabilities in internet-facing applications and exploiting these weaknesses to gain initial access to target systems. They have also utilized compromised DNS registries to alter DNS server configurations of government organizations, facilitating traffic interception and credential theft.

This recent attack marks a significant evolution in Marbled Dust’s capabilities while maintaining their established operational approach. The successful use of a zero-day exploit indicates a rise in their technical sophistication and may suggest an escalation in their targeting priorities or a shift in their operational urgency.

Output Messenger zero-day

The zero-day vulnerability exploited by Marbled Dust is a directory traversal vulnerability (CVE-2025-27920) within the Output Messenger Server Manager application. This flaw allows an authenticated user to upload malicious files into the server’s startup directory. Marbled Dust has leveraged this vulnerability to deposit the malicious file OMServerService.vbs into the startup folder.

The Output Messenger Server Manager application permits the server owner to enable an output drive, allowing users to upload and download files. Once activated, any authenticated user can upload files to the server, typically stored at C:\Program Files\Output Messenger Server\OfflineMessages\Temp\1\File. An authenticated user can exploit the vulnerability by modifying the request's "name" value with a directory traversal string, such as name="../../../../../../../../../../ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp/OMServerService.vbs".
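As an added illustration (not code from the post, and not Srimax's patch), the following Python shows why an unvalidated "name" value lands in the Startup folder and how a server-side check confines uploads to the storage directory. The upload root is the path quoted above; the function names are this example's own.

```python
import ntpath
from typing import Optional

# Upload root quoted in the post; the traversal value is the one the post describes.
UPLOAD_ROOT = r"C:\Program Files\Output Messenger Server\OfflineMessages\Temp\1\File"
TRAVERSAL_NAME = ("../../../../../../../../../../ProgramData/Microsoft/Windows/"
                  "Start Menu/Programs/StartUp/OMServerService.vbs")


def naive_target_path(name: str) -> str:
    """Pattern behind this bug class: the client-supplied name is joined to the root
    without validation, so the '..' segments walk out of the upload directory."""
    return ntpath.normpath(ntpath.join(UPLOAD_ROOT, name))


def safe_target_path(name: str) -> Optional[str]:
    """Hardened variant (this example's own design): accept only a bare file name,
    then confirm the normalised result still sits under the upload root."""
    # Reject empty/dot names and anything carrying a separator, drive letter or ADS colon.
    if name in ("", ".", "..") or any(ch in name for ch in "/\\:"):
        return None
    root = ntpath.normpath(UPLOAD_ROOT)
    candidate = ntpath.normpath(ntpath.join(root, name))
    # Defence in depth: a containment check catches anything the filter above misses.
    # On a live server, run this on the realpath so junctions cannot redirect the write.
    if ntpath.commonpath([root, candidate]) != root:
        return None
    return candidate
```

Run against the post's traversal string, the naive join resolves to the all-users Startup folder, while the hardened check rejects it and accepts only plain file names such as report.pdf.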

In the Output Messenger architecture, the client and server work in tandem to facilitate messaging, file sharing, and collaborative features. When a client is launched, it connects to the server, sending user credentials for validation. Messages are relayed through the server, and files can either be directly transferred or stored for later access.

Once Marbled Dust gains access to the Output Messenger server, they can exploit the system architecture to access communications of all users indiscriminately, steal sensitive data, and impersonate users, potentially leading to operational disruptions and widespread credential compromise.

Attack chain

The attack chain initiates with Marbled Dust gaining access to the Output Messenger Server Manager application as an authenticated user. While the exact method of authentication acquisition remains unclear, it is suspected that the threat actor employs DNS hijacking or typo-squatted domains to intercept and reuse credentials, techniques previously observed in their activities.

Using this foothold, Marbled Dust collects the victim’s Output Messenger credentials and exploits the CVE-2025-27920 vulnerability to drop malicious files, including OM.vbs and OMServerService.vbs, into the server’s startup folder, along with OMServerService.exe into the Users/public/videos directory.

Marbled Dust then utilizes OMServerService.vbs to invoke OM.vbs, which is passed as an argument to OMServerService.exe. At the time of reporting, OM.vbs was not available for analysis; however, OMServerService.exe has been identified as a GoLang backdoor disguised as a legitimate file. This programming language is particularly advantageous in this context due to its compatibility across various operating systems. In certain instances, OMServerService.exe has been observed connecting to a hardcoded domain, api.wordinfos[.]com, for data exfiltration.

On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe and OMClientService.exe, another GoLang backdoor that establishes a connection to a Marbled Dust command-and-control (C2) domain. This backdoor first performs a connectivity check via a GET request to the C2 domain api.wordinfos[.]com. If successful, a second GET request is sent, containing hostname information to uniquely identify the victim. The response from the C2 is then executed using the command "cmd /c", instructing the Windows command prompt to run a specific command and terminate.

In at least one documented case, a victim device with the Output Messenger client software was noted to connect to an IP address attributed to Marbled Dust, likely for data exfiltration, coinciding with commands issued by the threat actor to collect files of various extensions into a RAR file on the desktop. This connection to the Marbled Dust-associated IP address is often facilitated using plink, the command-line version of the PuTTY SSH client for Windows.
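The attack chain above yields several host-level signals that are not covered by the hunting queries later in the post: a script written to a Startup folder, an executable staged under Users\Public\Videos, cmd /c spawned by one of the named backdoors, and plink execution. The following Python is an added example (not Microsoft's or Srimax's code) that applies those rules to constructed sample telemetry; the Startup rule is generalised to any Startup folder and to script extensions beyond .vbs.

```python
import ntpath
from typing import Dict, List, Optional

# Constructed sample telemetry for this example (not real logs). Field names follow the
# Defender XDR DeviceFileEvents / DeviceProcessEvents tables; values are made up apart
# from the file names and folders the post attributes to this activity.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"table": "DeviceFileEvents", "FileName": "OMServerService.vbs",
     "FolderPath": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\OMServerService.vbs"},
    {"table": "DeviceFileEvents", "FileName": "OMServerService.exe",
     "FolderPath": r"C:\Users\Public\Videos\OMServerService.exe"},
    {"table": "DeviceProcessEvents", "FileName": "cmd.exe", "ProcessCommandLine": "cmd /c hostname",
     "InitiatingProcessFileName": "OMClientService.exe"},
    {"table": "DeviceProcessEvents", "FileName": "plink.exe", "ProcessCommandLine": "plink.exe <args omitted>",
     "InitiatingProcessFileName": "cmd.exe"},
    {"table": "DeviceFileEvents", "FileName": "notes.txt",  # benign: plain document on a desktop
     "FolderPath": r"C:\Users\alice\Desktop\notes.txt"},
    {"table": "DeviceProcessEvents", "FileName": "cmd.exe", "ProcessCommandLine": "cmd /c dir",
     "InitiatingProcessFileName": "explorer.exe"},  # benign: cmd /c from an interactive shell
]

STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"   # matches machine and per-user Startup
PUBLIC_VIDEOS = "\\users\\public\\videos\\"
BACKDOOR_NAMES = {"omserverservice.exe", "omclientservice.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".bat", ".cmd", ".ps1"}           # generalised beyond the post's .vbs


def check_file_event(ev: Dict[str, str]) -> Optional[str]:
    folder = ev["FolderPath"].lower()
    ext = ntpath.splitext(ev["FileName"])[1].lower()
    if STARTUP_DIR in folder and ext in SCRIPT_EXTS:
        return "startup_script_drop"          # OM.vbs / OMServerService.vbs in the Startup folder
    if PUBLIC_VIDEOS in folder and ext == ".exe":
        return "public_videos_executable"     # OMServerService.exe staged under Users\Public\Videos
    return None


def check_process_event(ev: Dict[str, str]) -> Optional[str]:
    parent = ev.get("InitiatingProcessFileName", "").lower()
    cmdline = ev.get("ProcessCommandLine", "").lower()
    if parent in BACKDOOR_NAMES and ev["FileName"].lower() == "cmd.exe" and "/c" in cmdline.split():
        return "backdoor_spawned_cmd"         # C2 response handed to "cmd /c"
    if ev["FileName"].lower() == "plink.exe":
        return "plink_execution"              # plink used for the outbound SSH channel
    return None


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matching event; the benign sample events yield nothing."""
    findings = []
    for ev in events:
        rule = check_file_event(ev) if ev["table"] == "DeviceFileEvents" else check_process_event(ev)
        if rule:
            findings.append({"rule": rule, "FileName": ev["FileName"]})
    return findings
```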

Mitigations

To mitigate the impact of this threat, Microsoft recommends the following strategies:

Strengthen operating environment configuration

  • Ensure that Output Messenger is updated to a version that is not affected by the vulnerability.
  • Activate cloud-delivered protection in Microsoft Defender Antivirus or equivalent antivirus solutions.
  • Establish anomaly detection policies in Defender for Cloud Apps.
  • Utilize a vulnerability management system, such as Microsoft Defender Vulnerability Management, to oversee vulnerabilities and remediation efforts across operating systems, software inventories, and network devices.
  • Implement Entra ID Conditional Access authentication strength to require phishing-resistant authentication for critical applications.
  • Encourage users to utilize Microsoft Edge and other browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites.
  • Organizations can leverage Microsoft Defender External Attack Surface Management (EASM) to continuously discover and map their digital attack surface, providing insights into key risks.
  • Microsoft Defender XDR customers should enable attack surface reduction rules to prevent common attack techniques.

Strengthen Microsoft Defender for Endpoint configuration

  • Ensure tamper protection is enabled in Microsoft Defender for Endpoint.
  • Activate network protection in Microsoft Defender for Endpoint.
  • Enable web protection.
  • Run Endpoint Detection and Response (EDR) in block mode to remediate malicious artifacts detected post-breach.
  • Configure investigation and remediation in fully automated mode to allow immediate action on alerts, significantly reducing alert volume.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the following alerts to identify potential threat activity:

  • Marbled Dust activity group

Microsoft Defender for Endpoint

Alerts with the following title in the security center may indicate threat activity:

  • Marbled Dust activity group

Microsoft Defender for Cloud

The following alerts may signal threat activity associated with this threat:

  • Traffic detected from IP addresses recommended for blocking
  • Communication with suspicious domains identified by threat intelligence

Microsoft Security Copilot

Security Copilot customers can utilize the standalone experience to create custom prompts or run pre-built promptbooks for automating incident response or investigation tasks related to this threat:

  • Incident investigation
  • Microsoft User analysis
  • Threat actor profile
  • Threat Intelligence 360 report based on MDTI article
  • Vulnerability impact assessment

Some promptbooks may require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Threat intelligence reports

Microsoft customers can access the following reports to stay informed about the threat actor, malicious activities, and techniques discussed in this analysis. These reports provide essential intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats in their environments.

Microsoft Defender Threat Intelligence

Microsoft Security Copilot customers can also leverage the integration in Microsoft Defender Threat Intelligence to gain further insights into this threat actor.

Customers can search for Output Messenger components in their environment through the Intel explorer components search function in the XDR portal:

Navigate to Intel Explorer, search for “output messenger,” and view the components on IP. Note that the results may not include the version of the Output Messenger component.

Microsoft Defender XDR advanced hunting queries

Customers can run the following queries to identify related activity in their networks:

OMServerService.vbs script

DeviceFileEvents
| where FileName == "OMServerService.vbs"
| where FolderPath has @"\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\"
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName, AdditionalFields

Marbled Dust C2

let domainList = dynamic(["api.wordinfos.com"]);
union
(
    DnsEvents
    | where Name has_any (domainList)
    | project Timestamp = TimeGenerated, Domain = Name, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any (domainList)
    | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any (domainList)
    | project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where tostring(DnsAddresses) has_any (domainList) or tostring(ConnectedNetworks.Name) has_any (domainList)
    | project Timestamp, Domain = coalesce(tostring(DnsAddresses), tostring(ConnectedNetworks.Name)), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where tostring(RemoteDnsQuestions) has_any (domainList) or tostring(RemoteDnsCanonicalNames) has_any (domainList)
    | project Timestamp = TimeGenerated, Domain = coalesce(tostring(RemoteDnsQuestions), tostring(RemoteDnsCanonicalNames)), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any (domainList) or csReferer has_any (domainList)
    | project Timestamp = TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any (domainList)
    | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any (domainList)
    | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by Timestamp desc

Executable file or launch script (requires Microsoft Defender XDR)

DeviceFileEvents
| where FileName == "OM.vbs" or FileName == "OMServerService.exe"
| where FolderPath has @"C:\Users\Public\Videos\"
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName, AdditionalFields

Marbled Dust VBS script file hashes (requires Microsoft Defender XDR)

let fileHashes = dynamic(["1df959e4d2f48c4066fddcb5b3fd00b0b25ae44f350f5f35a86571abb2852e39", 
"2b7b65d6f8815dbe18cabaa20c01be655d8475fc429388a4541eff193596ae63"]);
union
(
   DeviceFileEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceFileEvents"
),
(
   DeviceEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceEvents"
),
(
   DeviceImageLoadEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceImageLoadEvents"
),
(
   DeviceProcessEvents
   | where SHA256 in (fileHashes)
   | project Timestamp, FileHash = SHA256, SourceTable = "DeviceProcessEvents"
)
| order by Timestamp desc

Indicators of compromise

Indicator                    Type    Description  First seen  Last seen
hxxps://api.wordinfos[.]com  Domain  C2           4/5/2024    5/12/2025

Learn more

For the latest insights and research from the Microsoft Threat Intelligence community, visit the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To stay updated on new publications and engage in discussions, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://x.com/MsftSecIntel.

For stories and insights from the Microsoft Threat Intelligence community regarding the evolving threat landscape, tune into the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.
