Turkey-Based Cyber Actors Exploit Output Messenger Zero-Day Vulnerability to Deploy Golang Backdoors on Kurdish Infrastructure
A Türkiye-affiliated threat actor has leveraged a zero-day security vulnerability in an Indian enterprise communication platform, Output Messenger, in a cyber espionage campaign that began in April 2024.
Microsoft’s Threat Intelligence team reported that these exploits have facilitated the collection of sensitive user data from targets in Iraq. The focus of these attacks appears to align with the Kurdish military operating in Iraq, consistent with the established targeting patterns associated with the threat group known as Marbled Dust.
Marbled Dust, also recognized by other names including Cosmic Wolf, Sea Turtle, Teal Kurma, and UNC1326, is believed to have been operational since at least 2017. Initial documentation of their activities emerged around 2019, detailing similar attacks on both public and private entities across the Middle East and North Africa. More recently, this group has been linked to attacks on telecommunication and media organizations, internet service providers (ISPs), IT-service providers, and Kurdish websites located in the Netherlands.
Microsoft assesses with moderate confidence that prior reconnaissance was conducted by the threat actor to ascertain whether potential targets were utilizing Output Messenger. Following this, they exploited the zero-day vulnerability to distribute malicious payloads and exfiltrate data from the identified targets.
The vulnerability, designated as CVE-2025-27920, is a directory traversal flaw affecting Output Messenger version 2.0.62, which allows remote attackers to access or execute arbitrary files. This vulnerability was addressed by its developer, Srimax, with the release of version 2.0.63 in late December 2024. Notably, the advisory regarding this update did not indicate that the flaw had been exploited in the wild prior to the patch.
The attack begins when the threat actor gains authenticated access to the Output Messenger Server Manager application. Marbled Dust appears to employ techniques such as DNS hijacking or the use of typosquatted domains to intercept credentials required for authentication.
Once access is achieved, the attacker collects the user’s Output Messenger credentials and exploits CVE-2025-27920 to deploy malicious payloads such as “OM.vbs” and “OMServerService.vbs” in the server startup folder, and “OMServerService.exe” in the “Users/public/videos” directory.
Once these files are in place, the attacker uses “OMServerService.vbs” to launch “OM.vbs” and “OMServerService.exe.” The latter is a Golang-based backdoor that communicates with a hard-coded domain for data exfiltration.
The backdoor first performs a connectivity check against its command-and-control (C2) domain. If that succeeds, it sends a second request carrying the host name to uniquely identify the victim, and it runs whatever the C2 returns directly through the command prompt.
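The file artefacts named above give defenders something concrete to hunt for. The following added example (not from the report or from Microsoft) matches Sysmon-style file-creation and process-creation events against those paths; the event records are constructed samples, and the Startup-folder location and event field names are assumptions.

```python
"""Hunt for the Output Messenger post-exploitation artefacts named in the report.
Indicator paths (OM.vbs / OMServerService.vbs in the server Startup folder,
OMServerService.exe under Users\\Public\\Videos) come from the article; the
event records below are constructed samples in a Sysmon-like shape, not real telemetry.
"""
import re

# Paths from the report, normalised to forward slashes and lower case for matching.
STARTUP_SCRIPTS = {"om.vbs", "omserverservice.vbs"}
PUBLIC_VIDEOS_EXE = "users/public/videos/omserverservice.exe"
# Assumed Startup-folder layout; adjust if the server uses a per-user Startup path.
STARTUP_DIR_RE = re.compile(r"/start menu/programs/startup/")

def _norm(path):
    return path.replace("\\", "/").lower()

def classify_event(ev):
    """Return a finding label for a suspicious event, or None for benign ones."""
    kind = ev.get("event")
    if kind == "FileCreate":
        p = _norm(ev["target"])
        name = p.rsplit("/", 1)[-1]
        if name in STARTUP_SCRIPTS and STARTUP_DIR_RE.search(p):
            return f"startup-script-drop:{name}"
        if p.endswith(PUBLIC_VIDEOS_EXE):
            return "public-videos-backdoor-drop"
    elif kind == "ProcessCreate":
        if _norm(ev["image"]).endswith(PUBLIC_VIDEOS_EXE):
            return "public-videos-backdoor-exec"
    return None

def hunt(events):
    """Run classify_event over an iterable of events; return (index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) if (f := classify_event(ev))]

# Constructed sample telemetry: benign noise plus the artefacts described in the report.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "target": r"C:\Users\alice\Documents\notes.txt"},
    {"event": "FileCreate", "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OM.vbs"},
    {"event": "FileCreate", "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OMServerService.vbs"},
    {"event": "FileCreate", "target": r"C:\Users\Public\Videos\OMServerService.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe"},
    {"event": "ProcessCreate", "image": r"C:\Users\Public\Videos\OMServerService.exe"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(idx, finding)
```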
In one documented case, a device with Output Messenger client software was noted to connect to an IP address previously associated with Marbled Dust for potential data exfiltration.
Additionally, Microsoft identified a second vulnerability in the same version (CVE-2025-27921), characterized as a reflected cross-site scripting (XSS) vulnerability. However, there is no evidence suggesting that this flaw has been weaponized in live attacks.
This operation indicates a significant shift in the capabilities of Marbled Dust, while maintaining consistency in their overarching approach. The successful application of a zero-day exploit implies an elevation in technical sophistication, suggesting either an escalation in targeting priorities or a heightened urgency in their operational objectives.