In a recent revelation, Microsoft disclosed that Turkish espionage operatives have been exploiting a zero-day vulnerability in the Output Messenger app to gather intelligence on the Kurdish military in Iraq. This sophisticated operation, attributed to a group known as Marbled Dust, reportedly commenced in April 2024 and has raised concerns about the evolving tactics of cyber threat actors.
Details of the Exploit
The vulnerability in question, identified as CVE-2025-27920, is a directory traversal flaw present in version 2.0.62 of Output Messenger. Despite a patch released by the app’s developer, Srimax, in December, many users have yet to implement the necessary updates, leaving them vulnerable to these intrusions.
According to Microsoft’s threat intelligence team, the Marbled Dust group has leveraged this flaw to gain unauthorized access to sensitive user data, including configuration files and potentially even source code. Srimax acknowledged the issue in a security advisory, noting that such access could lead to further exploitation, including remote code execution.
Marbled Dust’s Evolving Tactics
Marbled Dust, also known as Sea Turtle, has a history of targeting government entities and organizations that oppose Turkish interests. Their previous campaigns involved scanning infrastructure for known vulnerabilities in internet-facing applications and devices, often employing compromised DNS registries to intercept traffic and harvest credentials.
Microsoft’s analysis indicates that the use of the zero-day vulnerability in Output Messenger marks a significant shift in Marbled Dust’s operational methods. This change may reflect an increase in technical sophistication or a heightened urgency in their targeting priorities.
In these recent attacks, the operatives managed to authenticate themselves as users of the Output Messenger Server Manager, which allowed them to execute their malicious activities. While the exact method of gaining authentication remains unclear, Microsoft suspects that DNS hijacking or typo-squatted domains may have played a role in intercepting and reusing credentials.
Malware Deployment and Impact
Once inside the system, Marbled Dust utilized the stolen credentials to deploy malicious files, including OM.vbs and OMServerService.vbs, into the Output Messenger server’s startup folder. Additionally, they introduced another executable, OMServerService.exe, into the server’s Users/public/videos directory. This backdoor, disguised as a legitimate file, is written in Go and has been observed connecting to a hardcoded domain for data exfiltration.
The attack also extends to Windows clients, where the installer extracts both the legitimate OutputMessenger.exe and the backdoor, OMClientService.exe. This backdoor establishes a connection to a Marbled Dust command-and-control domain, facilitating data exfiltration and command execution.
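The file names and drop locations reported above give defenders something concrete to hunt for. The following detection sketch is an added example and not code from Microsoft or Srimax: it walks file-creation events in a constructed "host FileCreate path" log format and flags the artefacts described in the reporting. It assumes the "startup folder" is the Windows Start Menu Startup folder (per-user or under ProgramData); the log lines and host names are constructed for this illustration.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Artefact names taken from the reporting summarised above (compared case-insensitively).
SERVER_DROPS = {"om.vbs", "omserverservice.vbs", "omserverservice.exe"}
CLIENT_DROPS = {"omclientservice.exe"}

# Assumption: "startup folder" means the Start Menu Startup folder; the pattern
# matches both the per-user and the ProgramData (all users) variant.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
PUBLIC_VIDEOS_RE = re.compile(r"\\users\\public\\videos\\", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    path: str
    reason: str


def check_file_event(host: str, path: str) -> Optional[Finding]:
    """Return a Finding when a created file matches a reported drop pattern, else None."""
    name = ntpath.basename(path).lower()  # ntpath handles Windows paths on any OS
    if name in SERVER_DROPS and STARTUP_RE.search(path):
        return Finding(host, path, "Output Messenger server drop in Startup folder")
    if name in SERVER_DROPS and PUBLIC_VIDEOS_RE.search(path):
        return Finding(host, path, "Output Messenger server backdoor in Users\\Public\\Videos")
    if name in CLIENT_DROPS:
        # The client-side backdoor is extracted by the installer, so match on name alone.
        return Finding(host, path, "Output Messenger client backdoor name")
    return None


def scan_events(lines: List[str]) -> List[Finding]:
    """Parse constructed 'host FileCreate path' lines and collect findings."""
    findings = []
    for line in lines:
        m = re.match(r"^(\S+) FileCreate (.+)$", line.strip())
        if not m:
            continue
        f = check_file_event(m.group(1), m.group(2))
        if f:
            findings.append(f)
    return findings


# Constructed sample events: three suspicious, one benign (legitimate client binary).
SAMPLE_EVENTS = [
    r"omsrv01 FileCreate C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OM.vbs",
    r"omsrv01 FileCreate C:\Users\Public\Videos\OMServerService.exe",
    r"ws17 FileCreate C:\Users\alice\AppData\Local\Temp\OMClientService.exe",
    r"ws17 FileCreate C:\Users\alice\Downloads\OutputMessenger.exe",
]
```

A matching name outside the reported locations (for example OM.vbs on a desktop) is deliberately not flagged, so tune the location patterns to your own environment before relying on this.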
In light of these developments, both Srimax and Microsoft are urging users to upgrade to Output Messenger version 2.0.63, which mitigates the risk of exploitation of this vulnerability.