Output Messenger Flaw Exploited in Espionage Attacks

A Türkiye-backed cyberespionage group tracked by Microsoft as Marbled Dust exploited a zero-day vulnerability in Output Messenger, a LAN messaging application, in attacks against users linked to the Kurdish military in Iraq. The flaw, CVE-2025-27920, is a directory traversal vulnerability in the Output Messenger server. Microsoft Threat Intelligence reported that it allows an authenticated user to read sensitive files outside the intended directory or to drop malicious payloads into the server's startup folder, where they execute when the server starts.
"Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution," stated Srimax, the app's developer, in a security advisory released when the bug was patched with Output Messenger V2.0.63.
The hacking group, also tracked as Sea Turtle and UNC1326, targeted Output Messenger deployments that had not been updated. By compromising the Output Messenger Server Manager application, Marbled Dust could steal sensitive data, read user communications, impersonate users, and disrupt operations.
Microsoft assessed that Marbled Dust most likely obtained the credentials it used through DNS hijacking or typo-squatted domains, which let it intercept and reuse them. Once authenticated, the attackers planted a backdoor (OMServerService.exe) on victims' devices; it checked connectivity to an attacker-controlled command-and-control domain (api.wordinfos[.]com) and reported details that identified each victim.
In one instance, the Output Messenger client on a victim's device connected to an IP address linked to Marbled Dust for data exfiltration shortly after the malware was instructed to collect files and archive them. Known for targeting Europe and the Middle East, Marbled Dust focuses on telecommunications and IT companies, along with government institutions and organizations considered to oppose the Turkish government.
To breach networks, the group scans for vulnerabilities in internet-facing devices and abuses access to compromised DNS registries to alter the DNS configuration of government organizations, letting it intercept traffic and steal credentials in man-in-the-middle attacks.
"This new attack signals a notable shift in Marbled Dust's capability while maintaining consistency in their overall approach," Microsoft added. The use of a zero-day exploit, in Microsoft's assessment, indicates increased technical sophistication and an escalation in targeting priorities.
Last year, Marbled Dust was also linked to multiple espionage campaigns against organizations in the Netherlands, primarily in the telecommunications sector. Organizations running Output Messenger should update to a patched version without delay and monitor for the indicators associated with this campaign.
Trends in Zero-Day Exploitation
The Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from 98 in 2023 but an increase from 63 in 2022. The report indicates a shift towards targeting enterprise technologies, particularly security and networking products, while still showing interest in end-user platforms.
Notable findings include that 44% of the zero-day vulnerabilities targeted enterprise products, up from 37% in 2023. Zero-day vulnerabilities in security software and appliances were particularly significant, comprising over 60% of all enterprise technology exploitation. This trend emphasizes the need for organizations to enhance their cybersecurity measures, particularly for enterprise-focused products.
The report highlights that government-backed groups and customers of commercial surveillance vendors together account for over 50% of the zero-day exploitation GTIG could attribute, with a notable presence from People's Republic of China and North Korean actors. The increased focus on enterprise technologies suggests that threat actors are looking for high-value targets that offer broad access and fewer detection opportunities.
Organizations are encouraged to use continuous security monitoring to stay alert to emerging threats and to prioritize patching of the enterprise products these actors favor. GrackerAI provides an AI-powered platform for turning security news into actionable insights, helping organizations stay ahead of potential threats.
Response and Remediation Strategies
After the zero-day was reported, Srimax released patches for CVE-2025-27920 and a related vulnerability in the same product (CVE-2025-27921). Microsoft recommends that organizations using Output Messenger upgrade to the latest version immediately to mitigate the risk.
Key recommendations include:
- Network Monitoring: Flag and review traffic to domains and IP addresses associated with Marbled Dust infrastructure, particularly api.wordinfos[.]com.
- Malicious File Search: Actively search for known malicious file hashes and script names such as OMServerService.vbs, OMServerService.exe, and OMClientService.exe in endpoint and network logs.
- Credential Reset: Assume that credentials handled by compromised Output Messenger instances are at risk; arrange for organization-wide password resets.
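As an added example (not Microsoft's hunting queries or any code from the page), the following Python applies the network and file-name checks from the recommendations above to constructed log lines. The log format, host names, paths and timestamps are made up for the example; the only indicators used are the domain and file names the page lists, and the domain is taken in its defanged form and refanged in code.

```python
"""Added example: IOC checks from the recommendations above run over constructed
log lines. Not Microsoft's or Srimax's code; the log format, hosts, paths and
timestamps are invented for the example, the indicators are the page's."""
import re
from collections import defaultdict


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as api.wordinfos[.]com back into a domain."""
    return ioc.replace("[.]", ".").lower()


IOC_DOMAINS = {refang("api.wordinfos[.]com")}
IOC_FILENAMES = {"omserverservice.vbs", "omserverservice.exe", "omclientservice.exe"}

# Constructed sample telemetry (not real data): "<timestamp> <kind> key=value ...".
SAMPLE_LOGS = [
    '2025-05-12T09:14:03Z dns host=WS-17 query=api.wordinfos.com type=A',
    '2025-05-12T09:14:05Z dns host=WS-17 query=updates.example.com type=A',
    r'2025-05-12T09:15:11Z proc host=WS-17 image=C:\Users\Public\Videos\OMServerService.exe parent=wscript.exe',
    r'2025-05-12T09:15:12Z proc host=WS-17 image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Users\Public\Videos\OMServerService.vbs"',
    r'2025-05-12T09:20:00Z proc host=WS-22 image=C:\Windows\System32\svchost.exe parent=services.exe',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="value with spaces"


def parse_line(line: str):
    """Split '<ts> <kind> k=v ...' into a dict; returns None for malformed lines."""
    try:
        ts, kind, rest = line.split(" ", 2)
    except ValueError:
        return None
    rec = {"_ts": ts, "_kind": kind}
    for key, quoted, bare in _KV.findall(rest):
        rec[key] = quoted if quoted else bare
    return rec


def _basename(path: str) -> str:
    # Windows and POSIX separators both appear in real telemetry.
    return re.split(r"[\\/]", path)[-1]


def domain_matches(query: str) -> bool:
    """Exact or subdomain match, case-insensitive, ignoring a trailing dot."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def find_ioc_hits(lines):
    """Return one hit per matching indicator: C2 domain lookups and IOC file names
    seen either as the process image or anywhere on a command line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or "host" not in rec:
            continue
        if rec["_kind"] == "dns" and domain_matches(rec.get("query", "")):
            hits.append({"host": rec["host"], "type": "network",
                         "evidence": rec["query"], "ts": rec["_ts"]})
        elif rec["_kind"] == "proc":
            names = {_basename(rec["image"])} if rec.get("image") else set()
            names |= {_basename(tok) for tok in rec.get("cmdline", "").split()}
            for name in sorted(n for n in names if n.lower() in IOC_FILENAMES):
                hits.append({"host": rec["host"], "type": "file",
                             "evidence": name, "ts": rec["_ts"]})
    return hits


def summarize_by_host(hits):
    """Host -> sorted evidence types; a host with both 'file' and 'network'
    evidence is the strongest candidate for the credential-reset step."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["type"])
    return {host: sorted(types) for host, types in by_host.items()}


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOGS)
    for h in found:
        print(f"{h['ts']} {h['host']:6} {h['type']:8} {h['evidence']}")
    print(summarize_by_host(found))
```

A file-name match on its own is a lead, not a verdict: confirm the binary's hash and signature and its location before acting, since the backdoor was named to resemble a service component. The domain check also matches subdomains so that a lookup for a host under the C2 domain is not missed, while a lookalike such as `notapi.wordinfos.com` is not flagged.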
Additionally, organizations can use endpoint detection and response and network monitoring tools to keep visibility over network flows and endpoint activity. GrackerAI's tools assist in automating the generation of insights from industry developments, allowing marketing teams to create timely, relevant content for cybersecurity professionals.
To explore our services or learn more about how GrackerAI can enhance your cybersecurity marketing efforts, visit GrackerAI.