13 May

Microsoft Threat Intelligence has linked a regional cyber-espionage campaign exploiting a zero-day vulnerability in Output Messenger to the Türkiye-affiliated threat actor Marbled Dust. This campaign, first observed in April 2024, specifically targeted entities in Iraq, including individuals tied to the Kurdish military, and leverages a sophisticated attack chain built around a zero-day directory traversal flaw (CVE-2025-27920).



“Microsoft Threat Intelligence assesses with high confidence that the targets of the attack are associated with the Kurdish military operating in Iraq,” the report states.
The exploited vulnerability resides in the Output Messenger Server Manager, a feature-rich collaboration platform. The flaw is a directory traversal vulnerability that allows authenticated users to upload malicious files into the server’s startup directory.
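As an added illustration, not code from Microsoft's report or from Output Messenger itself, the block below contrasts the weak upload-path pattern that a directory traversal flaw of this kind depends on with a hardened version that pins uploads to a server-chosen directory and allowlists file types. The upload root, the allowed extensions and the traversal string are constructed for the example.

```python
import os

# Constructed policy for this example: the server chooses the directory, the client only the base name.
UPLOAD_ROOT = "/srv/om-uploads"            # hypothetical path, not the real product's layout
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf", ".txt"}


class UnsafeUploadPath(ValueError):
    """Raised when a client-supplied name would leave the upload directory or carry a forbidden type."""


def vulnerable_upload_path(root: str, filename: str) -> str:
    # The weak pattern: the client-controlled name is joined onto the root unchecked,
    # so "../" segments walk out of the upload directory (e.g. into a startup folder).
    return os.path.normpath(os.path.join(root, filename))


def escapes_root(root: str, path: str) -> bool:
    # True when the resolved path is not inside root (or equal to it).
    root_real = os.path.realpath(root)
    path_real = os.path.realpath(path)
    return os.path.commonpath([root_real, path_real]) != root_real


def safe_upload_path(root: str, filename: str) -> str:
    # Hardened pattern, three independent checks.
    # 1. Reject any directory component, in either separator style; only a bare file name is accepted.
    normalized = filename.replace("\\", "/")
    base = os.path.basename(normalized)
    if base != normalized or base in ("", ".", ".."):
        raise UnsafeUploadPath(f"directory components not allowed: {filename!r}")
    # 2. Allowlist the extension, so script and executable types (.vbs, .exe, ...) are never stored.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeUploadPath(f"file type not allowed: {filename!r}")
    # 3. Resolve the final path and confirm it is still inside the root.
    candidate = os.path.join(os.path.realpath(root), base)
    if escapes_root(root, candidate):
        raise UnsafeUploadPath(f"resolved outside upload root: {filename!r}")
    return candidate


if __name__ == "__main__":
    traversal = "../../startup/OMServerService.vbs"   # constructed traversal string
    print("vulnerable:", vulnerable_upload_path(UPLOAD_ROOT, traversal))
    for name in (traversal, "OM.vbs", "report.pdf"):
        try:
            print("safe:", safe_upload_path(UPLOAD_ROOT, name))
        except UnsafeUploadPath as exc:
            print("rejected:", exc)
```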

The attackers dropped files named OMServerService.vbs and OM.vbs to execute a disguised GoLang-based backdoor (OMServerService.exe) capable of connecting to a hardcoded command-and-control server at api.wordinfos[.]com.


“Marbled Dust exploited this vulnerability to save the malicious file OMServerService.vbs to the startup folder,” Microsoft researchers noted.
Once installed, the backdoor enables full surveillance and command execution on the victim server, allowing the threat actors to steal user communications, impersonate accounts, and pivot further into organizational infrastructure.


On the victim’s system, the installer package silently extracts a second Go-based backdoor (OMClientService.exe), which:

* Performs connectivity checks to the same C2 domain.
* Sends system fingerprinting data.
* Executes commands from the C2 server via the Windows command shell (cmd /c).

The attackers used Plink, a PuTTY SSH client for Windows, to establish outbound tunnels for data exfiltration.


Microsoft attributes the operation to Marbled Dust, a Türkiye-affiliated espionage group known for targeting government entities and telecom infrastructure across the Middle East and Europe. The group overlaps with the threat clusters Sea Turtle and UNC1326.



“This new attack signals a notable shift in Marbled Dust’s capability… suggesting that Marbled Dust’s targeting priorities have escalated,” Microsoft warned.
Previously, Marbled Dust was linked to DNS hijacking operations and credential theft via registrar compromises. The use of a zero-day in a niche messaging platform marks a significant step up in sophistication.



Microsoft has coordinated with Srimax, the developer of Output Messenger, to address the vulnerabilities. Two CVEs were identified:

* CVE-2025-27920 – Actively exploited directory traversal flaw.
* CVE-2025-27921 – Not yet seen in attacks, but also patched.

Users are urged to update to the latest secure versions:

* Client: Output Messenger v2.0.63
* Server: Output Messenger Server v2.0.62
