Zero-Day Flaw in Output Messenger Exploited for Targeted Cyberespionage
A zero-day vulnerability in Output Messenger, a LAN-based messaging application, has been exploited in a targeted espionage campaign by a Türkiye-linked hacking group known as Marbled Dust. The campaign focused on users affiliated with the Kurdish military in Iraq.
According to Microsoft Threat Intelligence, the attackers leveraged a previously unknown vulnerability—CVE-2025-27920—to compromise systems running unpatched versions of Output Messenger Server Manager.
This directory traversal vulnerability allowed authenticated attackers to access files outside the designated directories, which included configuration files, user data, and potentially even application source code. Srimax, the developer of Output Messenger, released a patch in December 2024 with version 2.0.63, resolving the issue.
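To make the vulnerability class concrete, here is an added illustration (not Srimax's code, and not a description of Output Messenger's real file layout) of the pattern behind a directory traversal bug: a file-serving routine that joins a user-supplied name onto its base directory without confirming the result still lies inside it, next to the hardened check that canonicalises the path and rejects anything outside the served root. The directory names and file contents are constructed for the demo.

```python
import os
import shutil
import tempfile
from pathlib import Path


def _setup_demo_root(tmp: Path) -> Path:
    """Build a constructed sandbox: one served directory plus a sensitive
    file that sits just outside it (the kind of configuration file a
    traversal bug exposes)."""
    root = tmp / "served"
    root.mkdir(parents=True, exist_ok=True)
    (root / "public.txt").write_text("public content")
    (tmp / "secret.conf").write_text("db_password=REDACTED")  # outside root
    return root


def unsafe_resolve(root: Path, requested: str) -> Path:
    """Vulnerable pattern: the requested name is joined onto the root and
    used as-is, so '../secret.conf' or an absolute path escapes the root."""
    return Path(os.path.join(str(root), requested))


def safe_resolve(root: Path, requested: str) -> Path:
    """Hardened pattern: canonicalise root and candidate (collapsing '..'
    and following symlinks), then require the candidate to be under root.
    Path.relative_to raises ValueError when it is not."""
    root_real = root.resolve()
    candidate = (root_real / requested).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PermissionError(f"path escapes served directory: {requested!r}")
    return candidate


def demo() -> dict:
    """Run both resolvers against the same probes and report what each
    allows. Returns a dict so the behaviour can be checked programmatically."""
    tmp = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    try:
        root = _setup_demo_root(tmp)
        results = {
            # The vulnerable resolver happily reads the file outside root.
            "unsafe_escape": unsafe_resolve(root, "../secret.conf").read_text(),
            # The hardened resolver still serves legitimate files.
            "safe_ok": safe_resolve(root, "public.txt").read_text(),
            "safe_blocked": [],
        }
        # Three traversal shapes: plain '..', an absolute path (which
        # os.path.join and Path '/' both let override the root), and '..'
        # hidden behind a non-existent subdirectory.
        for probe in ("../secret.conf", "/etc/hostname", "sub/../../secret.conf"):
            try:
                safe_resolve(root, probe)
                results["safe_blocked"].append(False)
            except PermissionError:
                results["safe_blocked"].append(True)
        return results
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The check is done on canonical paths rather than by string-searching for `..`, because encodings, symlinks and absolute-path overrides all defeat a substring filter while still producing a canonical path outside the root.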
“Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution,”
— Srimax Security Advisory
Infection Method and Post-Exploitation Activity
Microsoft’s analysis shows that after exploiting the unpatched systems, the Marbled Dust group used the access to install a custom malware payload named OMServerService.exe. This malware communicated with a command-and-control domain (api.wordinfos[.]com) and relayed details back to the attackers to aid further targeting.
Infected devices were used to exfiltrate sensitive files. In one observed case, the Output Messenger client connected to an IP previously linked to Marbled Dust immediately after receiving instructions to gather and compress files into a .RAR archive for extraction.
Once inside a system, attackers gained access to all user communications, impersonated legitimate users, and infiltrated internal systems. These actions could lead to significant operational disruption, credential theft, and unauthorized lateral movement within an organization.
While the initial authentication method remains unconfirmed, Microsoft notes that Marbled Dust has a known history of using DNS hijacking and typosquatted domains to intercept and reuse login credentials.
“We assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity,”
— Microsoft Threat Intelligence
Who Is Marbled Dust?
Marbled Dust, also tracked as Sea Turtle, SILICON, and UNC1326, is a Türkiye-linked cyberespionage group active across the Middle East and Europe. Their historical targets include:
- Telecommunications providers
- Internet service providers (ISPs)
- Government agencies
- Kurdish websites and political entities
The group is known for leveraging infrastructure-level weaknesses such as DNS registry access and unpatched internet-facing devices to conduct man-in-the-middle attacks and credential interception. Between 2021 and 2023, they were linked to multiple cyberespionage operations in the Netherlands and surrounding regions.
Microsoft noted a shift in operational tactics with this latest campaign:
“This new attack signals a notable shift in Marbled Dust’s capability while maintaining consistency in their overall approach. The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust’s targeting priorities have escalated or that their operational goals have become more urgent.”
— Microsoft
Patch Status and Security Recommendations
The exploited vulnerability (CVE-2025-27920) was patched in December 2024, but Microsoft’s findings confirm that numerous systems remained unpatched at the time of the attack.
Enterprise IT and security teams using Output Messenger should immediately:
- Upgrade to Output Messenger version 2.0.63 or later
- Review access logs for unauthorized access
- Monitor for connections to suspicious domains or IPs
- Reevaluate the security of LAN communication tools used internally
- Ensure strong credential hygiene to protect against reused or stolen credentials
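As an added example of the "review access logs" and "monitor for connections" steps (this is illustrative code, not tooling from Microsoft or Srimax), the script below runs the indicators named in the report (the api.wordinfos[.]com domain and the OMServerService.exe payload) over a few constructed log lines, and adds a lower-confidence heuristic for the .RAR staging behaviour described earlier. The log format, hostnames, timestamps and paths are all constructed for the demo; real telemetry would need its own parser.

```python
from dataclasses import dataclass
from typing import List

# Indicators from the report, stored defanged and refanged for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in {"api.wordinfos[.]com"}}
MALWARE_FILENAMES = {"omserverservice.exe"}

# Constructed sample telemetry: "<timestamp> <type> key=value ...". The
# parser assumes no spaces inside values, which holds for these lines.
SAMPLE_LOG = """\
2025-05-12T08:01:13Z dns host=ws-01 query=api.wordinfos.com
2025-05-12T08:01:20Z dns host=ws-02 query=updates.example.net
2025-05-12T08:02:05Z process host=srv-chat image=C:\\ProgramData\\OMServerService.exe parent=C:\\Windows\\System32\\services.exe
2025-05-12T08:02:06Z process host=srv-chat image=C:\\Windows\\System32\\svchost.exe parent=C:\\Windows\\System32\\services.exe
2025-05-12T08:05:40Z file host=ws-01 path=C:\\Users\\Public\\collect.rar action=create process=cmd.exe
2025-05-12T08:06:00Z file host=ws-03 path=C:\\Users\\Public\\report.docx action=create process=winword.exe
"""


@dataclass
class Finding:
    severity: str   # "high" for a direct IoC hit, "low" for a heuristic
    host: str
    timestamp: str
    reason: str


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with 'ts', 'type' and the key=value fields."""
    ts, kind, *fields = line.split()
    event = {"ts": ts, "type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def _basename(windows_path: str) -> str:
    # Windows paths in the sample use backslashes; take the last component.
    return windows_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> List[Finding]:
    findings: List[Finding] = []
    host, ts = event.get("host", "?"), event["ts"]

    if event["type"] == "dns":
        q = event.get("query", "").lower().rstrip(".")
        # Match the domain itself or any subdomain of it.
        if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
            findings.append(Finding("high", host, ts, f"DNS query for C2 domain {q}"))

    elif event["type"] == "process":
        image = _basename(event.get("image", ""))
        if image in MALWARE_FILENAMES:
            findings.append(Finding("high", host, ts, f"known payload executed: {event['image']}"))

    elif event["type"] == "file":
        # Heuristic only: archive creation by a shell is common in staging
        # for exfiltration but also in legitimate admin work, so flag it
        # for review rather than as a confirmed indicator.
        path = event.get("path", "").lower()
        if event.get("action") == "create" and path.endswith(".rar") \
                and event.get("process", "").lower() in {"cmd.exe", "powershell.exe"}:
            findings.append(Finding("low", host, ts, f"archive staged by shell: {event['path']}"))

    return findings


def scan_log(text: str) -> List[Finding]:
    """Apply check_event to every non-empty line and collect the findings."""
    results: List[Finding] = []
    for line in text.splitlines():
        if line.strip():
            results.extend(check_event(parse_line(line)))
    return results


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity.upper():4}] {f.timestamp} {f.host}: {f.reason}")
```

Keeping the indicators defanged in the source and refanging them at load time avoids accidentally turning an analyst's notes into a live link, and separating "high" IoC hits from "low" behavioural heuristics lets the same scan drive both alerting and a triage queue.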
Given the scope of compromise—including potential access to internal messaging and impersonation—the incident underscores the operational risk of unpatched third-party communication tools in high-risk environments.