Exploitation of Output Messenger Vulnerability as Zero-Day in Advanced Espionage Campaigns


A Türkiye-backed cyber-espionage group has successfully exploited a zero-day vulnerability in Output Messenger, targeting users connected to the Kurdish military in Iraq. The vulnerability, tracked as CVE-2025-27920, is a directory traversal flaw in the LAN messaging application: an authenticated attacker can read sensitive files outside the intended directory or upload malicious payloads into the server's startup folder.
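Directory traversal of the kind described above comes down to one missing check: the server joins a client-supplied path onto its base directory without confirming that the canonical result still lies inside that directory. The following is an added illustration written for this article, not code from Output Messenger or Srimax; the base directory, the upload rule and the sample paths are constructed. It canonicalises after the join, so `..` segments, backslash separators and absolute paths are all collapsed before the containment check runs.

```python
import os
from typing import Dict, Optional

# Constructed example: the only tree the server should read from or write to.
SHARED_ROOT = "/srv/omserver/shared"


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Join a client-supplied path onto base_dir and return the canonical
    absolute path, or None if the result would escape base_dir.

    The check happens *after* canonicalisation, which is what defeats
    '..', mixed separators and absolute paths in one place."""
    # Treat backslashes as separators so "..\\..\\x" is handled like "../../x".
    normalised = user_path.replace("\\", "/")
    base = os.path.realpath(base_dir)
    # os.path.join discards base if normalised is absolute ("/etc/passwd");
    # the containment test below catches that case too.
    candidate = os.path.realpath(os.path.join(base, normalised))
    # The candidate must sit strictly inside base: same prefix, not base itself.
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        return None
    return candidate


def validate_upload_name(name: str) -> bool:
    """Uploads get a bare file name only: no separators, no parent references.

    This is the rule that keeps an upload from landing in a startup folder or
    any other directory the client chooses."""
    if not name or name in (".", ".."):
        return False
    if any(sep in name for sep in ("/", "\\", "\0")):
        return False
    return os.path.basename(name) == name


def demo() -> Dict[str, bool]:
    """Run a few constructed client paths through safe_join and report
    which ones would be served."""
    requests = [
        "reports/q1.txt",                      # ordinary file under the root
        "../../etc/passwd",                    # classic traversal
        "..\\..\\Users\\Public\\Start Menu\\Programs\\Startup\\payload.exe",
        "/etc/passwd",                         # absolute path
        "reports/../../other/secret.txt",      # traversal hidden mid-path
    ]
    return {p: safe_join(SHARED_ROOT, p) is not None for p in requests}


if __name__ == "__main__":
    for path, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY '}  {path}")
```

The important design point is the order of operations: validating the raw string with a denylist of `..` patterns is fragile (encodings, `....//`, backslashes), whereas resolving the joined path and comparing prefixes makes every bypass variant collapse to the same question. The upload rule is deliberately stricter than the read rule, because a write outside the intended folder is what turns traversal into code execution on the next boot.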

The flaw was addressed in December through an advisory from Srimax, the application’s developer, which outlined the potential risks associated with the exploit. The updated release, Output Messenger V2.0.63, mitigated the vulnerability, but the Microsoft Threat Intelligence team noted that many impacted users had not yet implemented the security patches.

The hacking group, referred to as Sea Turtle, SILICON, and UNC1326, orchestrated attacks by gaining access to the Output Messenger Server Manager application. Subsequently, they deployed malware and executed a series of operations that enabled them to exfiltrate sensitive data, impersonate users, and disrupt operations.

While the exact methods of authentication compromise remain unclear, evidence suggests that the attackers utilized DNS hijacking or typo-squatted domains to capture and reuse victim credentials. Following the breach, the attackers introduced a backdoor, labeled OMServerService.exe, on compromised devices. This backdoor established a connection to a command-and-control domain, api.wordinfos[.]com, facilitating information retrieval to help identify victims.

Evidence provided by Microsoft indicates that in a particular instance, the Output Messenger client connected to an IP address associated with the Marbled Dust group shortly after the malware was instructed to gather and archive files, suggesting attempts at data exfiltration.
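The indicators in the two paragraphs above (a backdoor named OMServerService.exe placed in a startup location, and beaconing to api.wordinfos[.]com) are the kind a defender would sweep DNS and process-creation telemetry for. The example below is added for this article and is not tooling from Microsoft or Srimax; the log format and the sample lines are constructed, the domain is re-fanged from the de-fanged form in the text, and the "runs from a Startup folder" heuristic is an assumption about where the uploaded payload would land, not a documented path.

```python
import re
from typing import Dict, List, Optional

# Indicators from the report above. The domain is written de-fanged there
# (api.wordinfos[.]com) and re-fanged here so it matches real query logs.
C2_DOMAINS = {"api.wordinfos.com"}
BACKDOOR_NAME = "omserverservice.exe"
# Assumed location heuristic: a payload written to a startup folder.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed sample telemetry in a simple key=value format (not real logs).
SAMPLE_LOG = """\
2025-05-12T09:58:41Z host=WS-FIN-03 event=dns query=updates.example.com
2025-05-12T10:01:02Z host=WS-FIN-03 event=dns query=api.wordinfos.com
2025-05-12T10:01:05Z host=WS-FIN-03 event=process image="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\OMServerService.exe"
2025-05-12T10:03:17Z host=WS-FIN-03 event=process image="C:\\Windows\\System32\\svchost.exe"
2025-05-12T10:09:12Z host=WS-FIN-03 event=dns query=api.wordinfos.com.
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) '
    r'(?P<key>\w+)="?(?P<val>.*?)"?$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed-format line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_c2_query(qname: str) -> bool:
    """Match the C2 domain case-insensitively, tolerating a trailing dot."""
    return qname.lower().rstrip(".") in C2_DOMAINS


def is_startup_backdoor(image: str) -> bool:
    """Flag the backdoor name only when it runs out of a Startup folder."""
    p = image.lower().replace("/", "\\")
    return p.endswith("\\" + BACKDOOR_NAME) and STARTUP_MARKER in p


def scan_logs(text: str) -> List[Dict[str, str]]:
    """Return one finding per line that matches an indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "dns" and rec["key"] == "query" and is_c2_query(rec["val"]):
            findings.append({"ts": rec["ts"], "host": rec["host"],
                             "type": "c2_dns", "detail": rec["val"]})
        elif rec["event"] == "process" and rec["key"] == "image" and is_startup_backdoor(rec["val"]):
            findings.append({"ts": rec["ts"], "host": rec["host"],
                             "type": "startup_backdoor", "detail": rec["val"]})
    return findings


def affected_hosts(text: str) -> Dict[str, List[str]]:
    """Group finding types by host so a responder sees which machines to pull."""
    grouped: Dict[str, List[str]] = {}
    for f in scan_logs(text):
        grouped.setdefault(f["host"], []).append(f["type"])
    return grouped


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['type']}: {f['detail']}")
```

Matching the domain after lower-casing and stripping the trailing dot matters because resolver logs frequently record fully qualified names with the root dot, and a sweep that misses that variant misses half the beacons. The process rule is intentionally narrow: the binary name alone would be noisy if a legitimate component shares it, so it is combined with the unusual location the text describes.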

The Marbled Dust group has a history of directing its attacks towards organizations in Europe and the Middle East, particularly in sectors such as telecommunications and IT, as well as against entities opposing the Turkish government. They are actively scanning for vulnerabilities in internet-facing services of infrastructure providers and exploiting compromised DNS configurations to facilitate man-in-the-middle attacks.

This recent attack marks a significant evolution in the capabilities of Marbled Dust while maintaining consistency in their operational strategy. The use of a zero-day vulnerability highlights an escalation in technical expertise, indicating that the group’s targeting may have shifted to prioritize more urgent operational goals.

Last year, Marbled Dust was linked to a series of espionage campaigns, conducted from 2021 through 2023, against entities in the Netherlands, predominantly telecommunications firms, Internet Service Providers (ISPs), and Kurdish-related online platforms.